A vulnerability has been discovered in libcue which could allow for arbitrary code execution.
Package | media-libs/libcue on all architectures |
---|---|
Affected versions | < 2.2.1-r1 |
Unaffected versions | >= 2.2.1-r1 |
libcue is a CUE Sheet Parser Library.
libcue does not check bounds in a loop and suffers from an integer overflow flaw which can be exploited to take over the program.
Untrusted CUE sheet files can lead to arbitrary code execution. app-misc/tracker-miners[cue] uses libcue to index CUE Sheet files in directories. It is possible that downloading a malicious CUE Sheet file into a directory indexed by tracker-miners could lead to remote code execution.
There is no known workaround at this time.
All libcue users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-libs/libcue-2.2.1-r1"
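Added example (not part of the advisory or of Gentoo's tooling): a POSIX shell helper that tests a version string against the affected range given above (< 2.2.1-r1), for example when auditing several hosts before and after the upgrade. The function names are hypothetical, and the comparison is simplified to dotted numeric versions with an optional -rN revision.

```shell
#!/bin/sh
# Added example, not Gentoo tooling. Simplified comparison: dotted numeric
# components plus an optional "-rN" revision (no _alpha/_rc/_p suffixes).
FIXED_VERSION="2.2.1-r1"   # first unaffected version per the advisory

# split_rev VERSION -> prints "BASE REV"; REV is 0 without a -rN suffix
split_rev() {
    case "$1" in
        *-r[0-9]*) printf '%s %s\n' "${1%-r*}" "${1##*-r}" ;;
        *)         printf '%s 0\n' "$1" ;;
    esac
}

# cmp_dotted A B -> prints -1, 0 or 1; missing components count as 0
cmp_dotted() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# libcue_is_affected VERSION -> 0 affected, 1 not affected, 2 unparseable
libcue_is_affected() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+(\.[0-9]+)*(-r[0-9]+)?$' || return 2
    # After set --: $1/$2 = candidate base/revision, $3/$4 = fixed base/revision
    set -- $(split_rev "$1") $(split_rev "$FIXED_VERSION")
    case "$(cmp_dotted "$1" "$3")" in
        -1) return 0 ;;
        1)  return 1 ;;
    esac
    [ "$2" -lt "$4" ]   # same base version: the revision decides
}

# Constructed sample versions, not read from a real system
for v in 2.2.0 2.2.1 2.2.1-r1 2.3 2.2.1_rc1; do
    rc=0; libcue_is_affected "$v" || rc=$?
    case "$rc" in
        0) echo "$v: affected, upgrade to >= $FIXED_VERSION" ;;
        1) echo "$v: not affected" ;;
        *) echo "$v: version format not handled, check manually" ;;
    esac
done
```

On a Gentoo host the installed version string can be taken from `qlist -Iv media-libs/libcue` with the `media-libs/libcue-` prefix stripped, assuming app-portage/portage-utils is installed.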
Release date: October 10, 2023
Latest revision: October 10, 2023: 1
Severity: high
Exploitable: remote
Bugzilla entries