GLSA-202310-10

libcue: Arbitrary Code Execution

2023-10-10 00:00:00
Gentoo Foundation
security.gentoo.org
libcue
cue sheet
code execution
integer overflow
tracker-miners

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.002
Percentile: 53.4%

Background

libcue is a CUE Sheet Parser Library.

Description

libcue does not check bounds in a loop and suffers from an integer overflow flaw, which can be exploited to take control of the program.

Impact

Untrusted CUE sheet files can lead to arbitrary code execution. app-misc/tracker-miners[cue] uses libcue to index CUE Sheet files in directories. It is possible that downloading a malicious CUE Sheet file into a directory indexed by tracker-miners could lead to remote code execution.

Workaround

There is no known workaround at this time.

Resolution

All libcue users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-libs/libcue-2.2.1-r1"

OS      Version  Architecture  Package            Version     Filename
Gentoo  any      all           media-libs/libcue  < 2.2.1-r1  UNKNOWN
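As an added example that is not part of the GLSA, the following POSIX shell check compares an installed media-libs/libcue version against the fixed version 2.2.1-r1 using Gentoo's PV[-rN] version form, so a fleet can be audited before the emerge above is run. The qlist command and the sample package line are assumptions (the sample is constructed), not taken from the advisory.

```shell
#!/bin/sh
# Added example, not part of GLSA-202310-10: decide whether an installed
# media-libs/libcue is older than the fixed version 2.2.1-r1 named in the
# Resolution section. Assumes plain Gentoo PV[-rN] versions (no _p/_rc suffixes).

FIXED="2.2.1-r1"

# Normalise "MAJOR.MINOR.PATCH[-rN]" to four numeric fields "MAJOR MINOR PATCH N";
# a missing -rN revision counts as revision 0, missing components count as 0.
ver_key() {
    pv=${1%%-r*}
    case $1 in
        *-r*) rev=${1##*-r} ;;
        *)    rev=0 ;;
    esac
    set -- $(printf '%s\n' "$pv" | tr '.' ' ')
    printf '%d %d %d %d\n' "${1:-0}" "${2:-0}" "${3:-0}" "$rev"
}

# ver_lt A B: exit 0 when version A is strictly older than version B.
ver_lt() {
    set -- $(ver_key "$1") $(ver_key "$2")
    # positional parameters are now a1 a2 a3 a4 b1 b2 b3 b4
    [ "$1" -lt "$5" ] && return 0; [ "$1" -gt "$5" ] && return 1
    [ "$2" -lt "$6" ] && return 0; [ "$2" -gt "$6" ] && return 1
    [ "$3" -lt "$7" ] && return 0; [ "$3" -gt "$7" ] && return 1
    [ "$4" -lt "$8" ]
}

# libcue_status LINE: LINE is a "category/pn-version" atom as printed by
# `qlist -Iv media-libs/libcue` (portage-utils; assumed present on the host).
# Exit 0 when the package is at or above the fix, 1 when it is affected.
libcue_status() {
    ver=${1#media-libs/libcue-}
    if ver_lt "$ver" "$FIXED"; then
        echo "AFFECTED: media-libs/libcue-$ver is below $FIXED (GLSA-202310-10)"
        return 1
    fi
    echo "OK: media-libs/libcue-$ver is at or above $FIXED"
}

# Constructed sample standing in for real `qlist -Iv media-libs/libcue` output.
SAMPLE="media-libs/libcue-2.2.1"
libcue_status "$SAMPLE" ||
    echo 'Remediate: emerge --ask --oneshot --verbose ">=media-libs/libcue-2.2.1-r1"'
```

Hosts where app-misc/tracker-miners is built with the cue USE flag deserve priority, since that is the indexing path the Impact section describes.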
