PT-2023-5873 · Libcue+6

Kevinbackhouse · Published 2023-10-09 · Updated 2024-07-31 · CVE-2023-43641

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: libcue versions 2.2.1 and prior
Description: The issue is an out-of-bounds array access in libcue, a library that provides an API for parsing and extracting data from CUE sheets. A user of the GNOME desktop environment can be compromised simply by downloading a cue sheet from a malicious webpage. Because the file is saved to ~/Downloads, it is automatically scanned by tracker-miners, and since it has a .cue filename extension, tracker-miners uses libcue to parse it, which allows the file to trigger the vulnerability in libcue and gain code execution.
Recommendations: For versions 2.2.1 and prior, update to version 2.3.0 to resolve the issue. As a temporary workaround, consider disabling the use of libcue for parsing .cue files until a patch is available. Restrict access to tracker-miners to minimize the risk of exploitation. Avoid downloading and opening cue sheets from untrusted sources.

Exploit

Fix

Memory Corruption

Weakness Enumeration

Related Identifiers

ALT-PU-2023-6257
ALT-PU-2023-6273
ALT-PU-2023-6613
BDU:2023-06566
CVE-2023-43641
DLA-3615-1
DSA-5524-1
GHSA-5982-X7HV-R9CJ
MGASA-2023-0300
OESA-2023-1743
OESA-2023-1744
OESA-2023-1745
OPENSUSE-SU-2024:13319-1
SUSE-SU-2023:4090-1
SUSE-SU-2023_4090-1
USN-6423-1
USN-6423-2

Affected Products

Alt Linux
Astra Linux
Linuxmint
Red Os
Suse
Ubuntu
Libcue