This software relic from the CD era could put your entire PC at risk
If for some strange reason you need to run .cue files in a Linux environment with a GNOME desktop, be careful. The files can be marred with malicious code that allows threat actors to execute code on the target endpoint.
The warning was issued by GitHub after the software development platform recently revealed the existence of a memory corruption flaw in the libcue library that parses cue sheets.
It is being tracked as CVE-2023-43641 and while it is not yet official, it has a severity score of 8.8 (high).
Testing the error
Cue files are metadata files used to describe songs on a CD or DVD. GNOME desktops, ArsTechnica explains, have a “tracker miner” that automatically updates when file locations in a user’s home directory change. Should a user download a cuesheet containing malicious code, GNOME’s indexing tracker would run it and execute the code, effectively compromising the endpoint.
Fortunately, a patch is already available, so Linux users with GNOME-based distributions should apply it as soon as possible to secure their endpoints. The earliest safe version is 2.3.0.
GitHub Security Lab member Kevin Backhouse has recorded a video to demonstrate how the bug works, but has not yet released a proof-of-concept (PoC), Ars Technica further explains. Users can test their systems for the vulnerability via a test cuesheet that Backhouse has developed, which shouldn’t cause too many problems aside from a “benign crash.”
Backhouse is known for discovering vulnerabilities in Linux. Before discovering CVE-2023-43641, he discovered flaws that allowed standard users to become administrators with just a few commands, and a Polkit flaw that gave attackers root access. Although Linux only makes up a small part of the overall OS market, it is a popular and widely used operating system, especially among servers, IoT equipment and mobile devices.