A bug detected in the libcue library directly affects GNOME

If exploited, this flaw can allow attackers to gain unauthorized access to sensitive information or otherwise cause harm

A vulnerability, already cataloged as CVE-2023-43641, has been disclosed in the libcue library, which is used to parse metadata describing the order and duration of audio tracks.

For those unfamiliar with libcue, it is a library used to parse cue sheets, a metadata format that describes the layout of tracks on a CD. Cue sheets are often used in combination with the FLAC audio file format, which makes libcue a dependency of some audio players.

The severity of the vulnerability stems from the fact that it allows code execution when specially crafted cue files are processed. In addition, libcue is used by the tracker-miners search indexer in the GNOME desktop environment.

Since tracker-miners automatically indexes new media files in the home directory, attacking a GNOME system and getting the attacker's code to execute only requires that a specially crafted file end up in ~/Downloads, ~/Music or ~/Videos, without the user ever opening it (in some cases, simply clicking a link in the browser is enough).

The two-process architecture of tracker-miners is useful for exploitation. First of all, it is much easier to predict the memory layout in a newly started process than in one that has already been running for hours, so the fact that tracker-extract only starts on demand is very convenient.

Even better, tracker-extract always creates a new thread to scan the downloaded file, and I found that the heap layout in the thread's malloc arena is very consistent: it varies between distributions...

As for the vulnerability itself, it is caused by an integer overflow in the code that parses the INDEX parameter, which occurs when a numeric value too large to fit in the "int" type is given in that parameter.

A simple example:

TRACK 01 AUDIO TITLE "Never Gonna Give You Up" ...
INDEX 01 00:00:00
TRACK 02 AUDIO TITLE "Whenever You Need Somebody" ...
INDEX 01 03:35:00

The vulnerability lies in the handling of the INDEX statement; replacing one of the INDEX lines above with the following triggers the bug:

INDEX 4294567296 0

The atoi function is used to convert the string to a number; for example, the value 4294567296 is converted to -400000. The first part of the problem is that the resulting value is never checked to make sure it is not negative. The second part (and this is the real vulnerability) is that track_set_index does not check that i >= 0:

    void track_set_index(Track *track, int i, long ind)
    {
        /* Only the upper bound is checked; a negative i passes this test */
        if (i > MAXINDEX) {
            fprintf(stderr, "too many indexes\n");
            return;
        }
        /* With i < 0 this writes before the start of track->index[] */
        track->index[i] = ind;
    }

As a result, in the code that runs after the atoi conversion, "i" can be a negative number, and the assignment then writes the value "ind" (which is also read from the file being processed) to memory outside the buffer.
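As an added example (not code from libcue or from the researchers' writeup), this is how the INDEX number can be parsed and applied so that both halves of the bug are caught: the conversion is done with strtol and checked for overflow and range, and the setter rejects negative indexes. MAXINDEX, the Track layout and the function names are assumptions made for this illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXINDEX 99   /* assumed value for this example */

typedef struct {
    long index[MAXINDEX + 1];   /* assumed layout for this example */
} Track;

/* Hypothetical hardened replacement for track_set_index(): rejects
 * negative indexes as well as too-large ones. Returns true on success. */
bool track_set_index_safe(Track *track, int i, long ind)
{
    if (i < 0 || i > MAXINDEX) {
        fprintf(stderr, "index %d out of range\n", i);
        return false;
    }
    track->index[i] = ind;
    return true;
}

/* Parse the numeric field of an INDEX statement with strtol instead of atoi,
 * so that overflow (ERANGE), an empty field, trailing garbage and values
 * outside 0..MAXINDEX are all rejected instead of wrapping to a negative int. */
bool parse_index_number(const char *s, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0')
        return false;              /* overflow, empty, or trailing garbage */
    if (v < 0 || v > MAXINDEX)
        return false;              /* would index outside track->index[] */
    *out = (int)v;
    return true;
}

/* Apply an "INDEX <n> <frames>" pair to a track; the malicious
 * "INDEX 4294567296 0" case from the text is refused at the parse step. */
bool apply_index(Track *track, const char *num_field, long frames)
{
    int i;
    if (!parse_index_number(num_field, &i))
        return false;
    return track_set_index_safe(track, i, frames);
}
```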

The researchers who identified the vulnerability say they have prepared a working exploit and demonstrated it against Ubuntu 23.04 and Fedora 38-based environments. The exploit code will be published later, to give users time to install an update that fixes the vulnerability. The exploit works reliably but requires adaptation for each distribution.

In most GNOME distributions, tracker-miners is enabled by default and is pulled in as a hard dependency of the Nautilus file manager (GNOME Files). Users can disable tracker-miners themselves; details on how to do so are available in the following link

Finally, if you are interested in learning more, you can check the details in the following link
