
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-43641 is a memory corruption vulnerability discovered in libcue, a library used for parsing cue sheets (CD metadata). The vulnerability affects versions 2.2.1 and prior, and was discovered by Kevin Backhouse from GitHub Security Lab. The issue was disclosed on October 9, 2023, and affects systems running the GNOME desktop environment, which uses libcue through its tracker-miners application (GitHub Blog).
The vulnerability is an out-of-bounds array access in the track_set_index function of libcue. The function fails to validate that the array index is non-negative, allowing writes outside the bounds of the array. The issue occurs because the integer parsing uses atoi, which doesn't check for integer overflow, making it possible to create negative indices. For example, the value 4294567296 is converted to -400000 by atoi. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 HIGH with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD, GitHub Advisory).
The vulnerability can lead to remote code execution (RCE) when a user downloads a maliciously crafted cue sheet file. Because GNOME's tracker-miners automatically scans files in the ~/Downloads directory, simply downloading a malicious .cue file is sufficient to trigger the exploit. This makes it a particularly dangerous 1-click RCE vulnerability that could allow attackers to execute arbitrary code on the victim's system (GitHub Blog).
The vulnerability has been fixed in libcue version 2.3.0. Multiple Linux distributions have released security updates, including Debian (versions 10, 11, and 12), Fedora (versions 37, 38, and 39), and Ubuntu. Users are strongly advised to update their systems immediately. The fix involves adding a check for negative indices in the track_set_index function (Debian Advisory, Fedora Update).
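The following added example (not libcue's code and not from the original report) shows the two defensive checks the description above implies: strict integer parsing in place of atoi, and an index check that also rejects negative values. All names here, the struct layout, the MAXINDEX value and the upper-bound-only "before" check are assumptions made for the sketch.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAXINDEX 99                          /* assumed array bound for this sketch */
struct track { long index[MAXINDEX + 1]; };  /* hypothetical stand-in type */

/* Model of the 32-bit wraparound the report describes for atoi. */
int wrapped_to_int32(const char *s)
{
    return (int)(int32_t)(uint32_t)strtoull(s, NULL, 10);
}

/* Strict parse: rejects empty input, trailing junk and values outside int. */
int parse_int_checked(const char *s, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0')
        return -1;
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return -1;
    *out = (int)v;
    return 0;
}

/* Upper-bound-only check (assumed unpatched shape): a negative index passes. */
int in_bounds_upper_only(int i) { return i <= MAXINDEX; }

/* Check including the non-negative test that the fix adds. */
int in_bounds_fixed(int i) { return i >= 0 && i <= MAXINDEX; }

/* Store only when the index is inside the array. */
int set_index_checked(struct track *t, int i, long value)
{
    if (!in_bounds_fixed(i))
        return -1;
    t->index[i] = value;
    return 0;
}

int main(void)
{
    int i = wrapped_to_int32("4294567296"); /* value quoted in the report */
    printf("%d upper-only=%d fixed=%d\n", i, in_bounds_upper_only(i), in_bounds_fixed(i));
    return 0;
}
```

Either check alone stops the out-of-bounds write; applying both means a malformed number is rejected at parse time and a bad index is rejected again at the point of use.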
The vulnerability has received significant attention due to its severity and ease of exploitation. The GNOME developers responded quickly to strengthen their tracker-miners sandbox implementation after learning about how the exploit bypassed existing protections. Security researcher Kevin Backhouse, who discovered the vulnerability, worked with the libcue maintainer Ilya Lipnitskiy and the distros mailing list to coordinate the disclosure and patching process (GitHub Blog).
Source: This report was generated using AI