GNU bug report logs -
#66428
[PATCH] gnu: libcue: Fix CVE-2023-43641.
Reported by: Leo Nikkilä <hello <at> lnikki.la>
Date: Mon, 9 Oct 2023 20:19:02 UTC
Severity: normal
Tags: patch
Done: John Kehayias <john.kehayias <at> protonmail.com>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#66428; Package guix-patches. (Mon, 09 Oct 2023 20:19:02 GMT)
Acknowledgement sent to Leo Nikkilä <hello <at> lnikki.la>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 09 Oct 2023 20:19:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Fixes a vulnerability in libcue that can result in a nasty RCE exploit
under GNOME:
https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/
* gnu/packages/patches/libcue-CVE-2023-43641.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/cdrom.scm (libcue)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/cdrom.scm | 3 ++-
.../patches/libcue-CVE-2023-43641.patch | 18 ++++++++++++++++++
3 files changed, 21 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/libcue-CVE-2023-43641.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index c481aa153a..ff40cf7a9b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1517,6 +1517,7 @@ dist_patch_DATA = \
%D%/packages/patches/libcanberra-sound-theme-freedesktop.patch \
%D%/packages/patches/libcanberra-wayland-crash.patch \
%D%/packages/patches/libcroco-CVE-2020-12825.patch \
+ %D%/packages/patches/libcue-CVE-2023-43641.patch \
%D%/packages/patches/libcyaml-libyaml-compat.patch \
%D%/packages/patches/libexpected-use-provided-catch2.patch \
%D%/packages/patches/libgda-cve-2021-39359.patch \
diff --git a/gnu/packages/cdrom.scm b/gnu/packages/cdrom.scm
index de31002ac1..d06fe068db 100644
--- a/gnu/packages/cdrom.scm
+++ b/gnu/packages/cdrom.scm
@@ -560,7 +560,8 @@ (define-public libcue
(file-name (git-file-name name version))
(sha256
(base32
- "1iqw4n01rv2jyk9lksagyxj8ml0kcfwk67n79zy1r6zv1xfp5ywm"))))
+ "1iqw4n01rv2jyk9lksagyxj8ml0kcfwk67n79zy1r6zv1xfp5ywm"))
+ (patches (search-patches "libcue-CVE-2023-43641.patch"))))
(build-system cmake-build-system)
(arguments
`(#:configure-flags '("-DBUILD_SHARED_LIBS=ON")))
diff --git a/gnu/packages/patches/libcue-CVE-2023-43641.patch b/gnu/packages/patches/libcue-CVE-2023-43641.patch
new file mode 100644
index 0000000000..640c197981
--- /dev/null
+++ b/gnu/packages/patches/libcue-CVE-2023-43641.patch
@@ -0,0 +1,18 @@
+Fix CVE-2023-43641:
+https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/
+
+Patch from the disclosure post.
+
+diff --git a/cd.c b/cd.c
+index cf77a18..4bbea19 100644
+--- a/cd.c
++++ b/cd.c
+@@ -339,7 +339,7 @@ track_get_rem(const Track* track)
+
+ void track_set_index(Track *track, int i, long ind)
+ {
+- if (i > MAXINDEX) {
++ if (i < 0 || i > MAXINDEX) {
+ fprintf(stderr, "too many indexes\n");
+ return;
+ }
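Review bot: In the `track_set_index` guard, the rejection path still prints "too many indexes" even when it is now reached through the new `i < 0` test, so the diagnostic is misleading for a negative index; a more general message such as "invalid index" would match both conditions. The upper bound is left as `i > MAXINDEX`, which still accepts `i == MAXINDEX`; that is only safe if the index array holds MAXINDEX + 1 entries, which this hunk does not show and is worth confirming in cd.c. The patch header cites only the disclosure post; naming the upstream commit, if one exists, would make it easier to drop the patch at the next update.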
base-commit: 7937c8827b8d23347a3159b4696335bd19fc17aa
--
2.41.0
Information forwarded to guix-patches <at> gnu.org: bug#66428; Package guix-patches. (Wed, 11 Oct 2023 20:03:01 GMT)
Message #8 received at 66428 <at> debbugs.gnu.org (full text, mbox):
Hi Leo,
I see that libcue 2.3.0 has been recently released to address this.
How about updating the package instead?
--
Furthermore, I consider that nonfree software must be eradicated.
Cheers,
Bruno.
Information forwarded to guix-patches <at> gnu.org: bug#66428; Package guix-patches. (Wed, 11 Oct 2023 20:30:02 GMT)
Message #11 received at 66428 <at> debbugs.gnu.org (full text, mbox):
> How about updating the package instead?
Thanks for the heads up! I saw it took a while to cut the release, and
other distros like Arch resorted to patching in the meantime. Here's a
new patch to just update the package.
Information forwarded to guix-patches <at> gnu.org: bug#66428; Package guix-patches. (Wed, 11 Oct 2023 20:30:03 GMT)
Message #14 received at 66428 <at> debbugs.gnu.org (full text, mbox):
Fixes CVE-2023-43641, see
<https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/>
for details.
* gnu/packages/cdrom.scm (libcue): Update to 2.3.0.
---
gnu/packages/cdrom.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/cdrom.scm b/gnu/packages/cdrom.scm
index de31002ac1..9eb8511e42 100644
--- a/gnu/packages/cdrom.scm
+++ b/gnu/packages/cdrom.scm
@@ -551,7 +551,7 @@ (define-public dvdstyler
(define-public libcue
(package
(name "libcue")
- (version "2.2.1")
+ (version "2.3.0")
(source (origin
(method git-fetch)
(uri (git-reference
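Review bot: The `version` bump from "2.2.1" to "2.3.0" only changes the fetched source if the `commit` field of the `git-reference` is derived from `version`; that field sits between the two hunks and is not visible here, so check that it is not a literal tag or commit still pointing at 2.2.1.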
@@ -560,7 +560,7 @@ (define-public libcue
(file-name (git-file-name name version))
(sha256
(base32
- "1iqw4n01rv2jyk9lksagyxj8ml0kcfwk67n79zy1r6zv1xfp5ywm"))))
+ "1lkcj31fc0wjqr9lgr1ws6invx6ayvrk7v5kd9lm7956q1mi9ib4"))))
(build-system cmake-build-system)
(arguments
`(#:configure-flags '("-DBUILD_SHARED_LIBS=ON")))
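Review bot: The new base32 value in the `sha256` field cannot be checked from the diff, so recompute it from a fresh checkout of the 2.3.0 source before pushing. Because this revision replaces the earlier patch-based fix, the commit should not also carry `libcue-CVE-2023-43641.patch` or its `gnu/local.mk` entry; the diffstat shows only cdrom.scm touched, which is consistent with that.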
base-commit: b4f2b681ad9c01b99f36d3c2f6af78234b41d745
--
2.41.0
Reply sent to John Kehayias <john.kehayias <at> protonmail.com>: You have taken responsibility. (Thu, 12 Oct 2023 02:17:01 GMT)
Notification sent to Leo Nikkilä <hello <at> lnikki.la>: bug acknowledged by developer. (Thu, 12 Oct 2023 02:17:02 GMT)
Message #19 received at 66428-done <at> debbugs.gnu.org (full text, mbox):
Hi Leo and Bruno,
On Wed, Oct 11, 2023 at 11:20 PM, Leo Nikkilä wrote:
> Fixes CVE-2023-43641, see
> <https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/>
> for details.
>
> * gnu/packages/cdrom.scm (libcue): Update to 2.3.0.
> ---
> gnu/packages/cdrom.scm | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/cdrom.scm b/gnu/packages/cdrom.scm
> index de31002ac1..9eb8511e42 100644
> --- a/gnu/packages/cdrom.scm
> +++ b/gnu/packages/cdrom.scm
> @@ -551,7 +551,7 @@ (define-public dvdstyler
> (define-public libcue
> (package
> (name "libcue")
> - (version "2.2.1")
> + (version "2.3.0")
> (source (origin
> (method git-fetch)
> (uri (git-reference
> @@ -560,7 +560,7 @@ (define-public libcue
> (file-name (git-file-name name version))
> (sha256
> (base32
> - "1iqw4n01rv2jyk9lksagyxj8ml0kcfwk67n79zy1r6zv1xfp5ywm"))))
> + "1lkcj31fc0wjqr9lgr1ws6invx6ayvrk7v5kd9lm7956q1mi9ib4"))))
> (build-system cmake-build-system)
> (arguments
> `(#:configure-flags '("-DBUILD_SHARED_LIBS=ON")))
>
> base-commit: b4f2b681ad9c01b99f36d3c2f6af78234b41d745
Thanks for the quick work! Pushed as
2610166c37d19dbd00dbb860b1ac2de45f415b4d.
Bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 09 Nov 2023 12:24:09 GMT)