If, for whatever strange reason, you find yourself in need of running .cue files on a Linux environment with a GNOME desktop, be careful. The files could be marred with malicious code that allows threat actors to execute code on the target endpoint.
The warning was issued by GitHub after the software development platform recently disclosed the existence of a memory corruption flaw in the libcue library which parses cue sheets.
It’s being tracked as CVE-2023-43641, and while not yet official, it comes with a severity score of 8.8 (High).
Testing the flaw
Cue files are metadata files used to describe tracks found in a CD, or a DVD. GNOME desktops, ArsTechnica explains, have a “tracker miner” that automatically updates when file locations in a user’s home directory change. Should a user download a cue sheet with malicious code, GNOME’s indexing tracker would run it and execute the code, essentially compromising the endpoint.
Luckily, a patch is already available, so Linux users with GNOME-based distributions should apply it to secure their endpoints, as soon as possible. The earliest secure version is 2.3.0.
GitHub Security Lab member, Kevin Backhouse, recorded a video to show how the bug works, but hasn’t released a proof-of-concept (PoC) just yet, Ars Technica further explained. Users can test their systems for the vulnerability via a test cue sheet Backhouse developed which shouldn’t cause too much trouble other than a “benign crash”.
Backhouse is known for discovering vulnerabilities in Linux. Before finding CVE-2023-43641, he discovered flaws allowing standard users to become admins with just a few commands, and a Polkit flaw that grants attackers root access. Although making up but a tiny portion of the overall OS market, Linux is a loved and widely used operating system, especially among servers, IoT gear, and mobile devices.