From: Leo Nikkilä
To: guix-patches@gnu.org
Subject: [bug#66428] [PATCH] gnu: libcue: Fix CVE-2023-43641.
Date: Mon, 9 Oct 2023 23:15:44 +0300
Message-ID: <20231009201647.9891-1-hello@lnikki.la>

Fixes a vulnerability in libcue that can result in a nasty RCE exploit
under GNOME:
https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/

* gnu/packages/patches/libcue-CVE-2023-43641.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/cdrom.scm (libcue)[source]: Use it.
---
 gnu/local.mk | 1 + gnu/packages/cdrom.scm | 3 ++- .../patches/libcue-CVE-2023-43641.patch | 18 ++++++++++++++++++ 3 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/libcue-CVE-2023-43641.patch diff --git a/gnu/local.mk b/gnu/local.mk index c481aa153a..ff40cf7a9b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk
@@ -1517,6 +1517,7 @@ dist_patch_DATA = \ %D%/packages/patches/libcanberra-sound-theme-freedesktop.patch \ %D%/packages/patches/libcanberra-wayland-crash.patch \ %D%/packages/patches/libcroco-CVE-2020-12825.patch \ + %D%/packages/patches/libcue-CVE-2023-43641.patch \ %D%/packages/patches/libcyaml-libyaml-compat.patch \ %D%/packages/patches/libexpected-use-provided-catch2.patch \ %D%/packages/patches/libgda-cve-2021-39359.patch \ diff --git a/gnu/packages/cdrom.scm b/gnu/packages/cdrom.scm index de31002ac1..d06fe068db 100644 --- a/gnu/packages/cdrom.scm +++ b/gnu/packages/cdrom.scm @@ -560,7 +560,8 @@ (define-public libcue (file-name (git-file-name name version)) (sha256 (base32 - "1iqw4n01rv2jyk9lksagyxj8ml0kcfwk67n79zy1r6zv1xfp5ywm")))) + "1iqw4n01rv2jyk9lksagyxj8ml0kcfwk67n79zy1r6zv1xfp5ywm")) + (patches (search-patches "libcue-CVE-2023-43641.patch")))) (build-system cmake-build-system) (arguments `(#:configure-flags '("-DBUILD_SHARED_LIBS=ON"))) diff --git a/gnu/packages/patches/libcue-CVE-2023-43641.patch b/gnu/packages/patches/libcue-CVE-2023-43641.patch new file mode 100644 index 0000000000..640c197981 --- /dev/null +++ b/gnu/packages/patches/libcue-CVE-2023-43641.patch 
@@ -0,0 +1,18 @@ +Fix CVE-2023-43641: +https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/ + +Patch from the disclosure post. + +diff --git a/cd.c b/cd.c +index cf77a18..4bbea19 100644 +--- a/cd.c ++++ b/cd.c +@@ -339,7 +339,7 @@ track_get_rem(const Track* track) + + void track_set_index(Track *track, int i, long ind) + { +- if (i > MAXINDEX) { ++ if (i < 0 || i > MAXINDEX) { + fprintf(stderr, "too many indexes\n"); + return; + } base-commit: 7937c8827b8d23347a3159b4696335bd19fc17aa -- 2.41.0
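Review bot: in the gnu/packages/cdrom.scm hunk the new `(patches (search-patches "libcue-CVE-2023-43641.patch"))` field is added to the git-fetch origin while the `sha256` stays at `1iqw4n01rv2jyk9lksagyxj8ml0kcfwk67n79zy1r6zv1xfp5ywm`, which is the right shape: Guix checks the hash of the unpatched checkout and applies the patch afterwards, so the hash must not change here. The one thing to plan for is removal: once the package moves to a release that already contains the fix, this field and the matching `%D%/packages/patches/libcue-CVE-2023-43641.patch \` line in gnu/local.mk have to be dropped together, or `search-patches` will fail at load time.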
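Review bot: the cd.c hunk (`- if (i > MAXINDEX) {` to `+ if (i < 0 || i > MAXINDEX) {`) is the whole fix, and the context line `void track_set_index(Track *track, int i, long ind)` shows why it is needed: `i` is a signed int, so the single upper-bound comparison let any negative index through. Two things to raise on the patch header rather than the code: it cites only the blog post ("Patch from the disclosure post") and no upstream commit id, which makes it harder to confirm later that a version bump really carries the same change; and the unchanged `fprintf(stderr, "too many indexes\n")` diagnostic is now also printed for a negative index, where it is misleading. Keeping the hunk byte-identical to upstream is the better trade for a distro patch, so just record the upstream reference in the header.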
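The comparison changed by the cd.c hunk above, shown as an added example that is not libcue's code and not part of this thread. The `Track` layout below is a hypothetical stand-in (a canary slot followed by an index table inside one byte buffer, so the out-of-bounds store can be observed without undefined behaviour), `MAXINDEX` is assumed to be 99 for the example only, and `set_index_unpatched` / `set_index_patched` reproduce just the bounds check before and after the fix:

```c
#include <stdio.h>
#include <string.h>

/* Assumed value for this example; libcue defines the real MAXINDEX itself. */
#define MAXINDEX 99
#define SLOT sizeof(long)
#define CANARY 0x5a5a5a5aL

/* Hypothetical stand-in for libcue's Track: one byte buffer holding a canary
 * slot followed by index[0..MAXINDEX]. Keeping both inside the same buffer
 * means an index of -1 lands on the canary without leaving the object. */
typedef struct {
    unsigned char mem[SLOT * (MAXINDEX + 2)];
} Track;

static void track_init(Track *t)
{
    long canary = CANARY;
    memset(t->mem, 0, sizeof t->mem);
    memcpy(t->mem, &canary, SLOT);
}

static long track_canary(const Track *t)
{
    long v;
    memcpy(&v, t->mem, SLOT);
    return v;
}

static long track_index(const Track *t, int i)
{
    long v;
    memcpy(&v, t->mem + SLOT * (1 + (long)i), SLOT);
    return v;
}

/* The check as it was before the fix: only the upper bound is tested, and
 * because i is a signed int any negative value passes, so the store goes
 * below the start of the table (here: onto the canary). */
static int set_index_unpatched(Track *t, int i, long ind)
{
    if (i > MAXINDEX)
        return -1;
    memcpy(t->mem + SLOT * (1 + (long)i), &ind, SLOT);
    return 0;
}

/* The check after the fix: both bounds are tested before the store. */
static int set_index_patched(Track *t, int i, long ind)
{
    if (i < 0 || i > MAXINDEX)
        return -1;
    memcpy(t->mem + SLOT * (1 + (long)i), &ind, SLOT);
    return 0;
}

/* Returns 1 when an index of -1 gets past the old check and overwrites the
 * canary with the caller-chosen value. */
int unpatched_clobbers_canary(void)
{
    Track t;
    track_init(&t);
    set_index_unpatched(&t, -1, 0x41414141L);
    return track_canary(&t) == 0x41414141L;
}

/* Returns 1 when the fixed check rejects index i and leaves memory intact. */
int patched_rejects(int i)
{
    Track t;
    track_init(&t);
    return set_index_patched(&t, i, 0x41414141L) == -1
        && track_canary(&t) == CANARY;
}

/* Returns 1 when the fixed check accepts an in-range index and stores it. */
int patched_stores(int i, long v)
{
    Track t;
    track_init(&t);
    return set_index_patched(&t, i, v) == 0
        && track_index(&t, i) == v
        && track_canary(&t) == CANARY;
}

int main(void)
{
    printf("unpatched: index -1 clobbers canary: %s\n",
           unpatched_clobbers_canary() ? "yes" : "no");
    printf("patched:   index -1 rejected: %s\n",
           patched_rejects(-1) ? "yes" : "no");
    printf("patched:   index %d rejected: %s\n", MAXINDEX + 1,
           patched_rejects(MAXINDEX + 1) ? "yes" : "no");
    printf("patched:   index %d stored: %s\n", MAXINDEX,
           patched_stores(MAXINDEX, 7) ? "yes" : "no");
    return 0;
}
```

In the real library the index comes straight from the cue sheet, so the value of `i` is attacker-controlled; the example only exercises -1 because any more negative value would leave the stand-in buffer, which is exactly the condition the fixed check rules out.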
From: Bruno Victal
To: Leo Nikkilä
Cc: 66428@debbugs.gnu.org
Subject: [bug#66428] [PATCH] gnu: libcue: Fix CVE-2023-43641.
Date: Wed, 11 Oct 2023 21:02:04 +0100
Message-ID: <987a1b4c-07e1-4284-9f58-ea0c0ce6c420@makinata.eu>
In-Reply-To: <20231009201647.9891-1-hello@lnikki.la>

Hi Leo,

I see that libcue 2.3.0 has been recently released to address this.
How about updating the package instead?

-- 
Furthermore, I consider that nonfree software must be eradicated.

Cheers,
Bruno.
From: Leo Nikkilä
To: Bruno Victal
Cc: 66428@debbugs.gnu.org
Subject: [bug#66428] [PATCH] gnu: libcue: Fix CVE-2023-43641.
Date: Wed, 11 Oct 2023 20:27:16 +0000
In-Reply-To: <987a1b4c-07e1-4284-9f58-ea0c0ce6c420@makinata.eu>
References: <20231009201647.9891-1-hello@lnikki.la> <987a1b4c-07e1-4284-9f58-ea0c0ce6c420@makinata.eu>

> How about updating the package instead?

Thanks for the heads up! I saw it took a while to cut the release, and
other distros like Arch resorted to patching in the meantime.

Here's a new patch to just update the package.
From: Leo Nikkilä
To: Bruno Victal
Cc: 66428@debbugs.gnu.org, Leo Nikkilä
Subject: [bug#66428] [PATCH] gnu: libcue: Update to 2.3.0.
Date: Wed, 11 Oct 2023 23:20:21 +0300
Message-ID: <20231011202746.2796-1-hello@lnikki.la>
In-Reply-To: <20231009201647.9891-1-hello@lnikki.la>

Fixes CVE-2023-43641, see for details.

* gnu/packages/cdrom.scm (libcue): Update to 2.3.0.
---
 gnu/packages/cdrom.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/cdrom.scm b/gnu/packages/cdrom.scm index de31002ac1..9eb8511e42 100644 --- a/gnu/packages/cdrom.scm +++ b/gnu/packages/cdrom.scm @@ -551,7 +551,7 @@ (define-public dvdstyler (define-public libcue (package (name "libcue") - (version "2.2.1") + (version "2.3.0") (source (origin (method git-fetch) (uri (git-reference @@ -560,7 +560,7 @@ (define-public libcue (file-name (git-file-name name version)) (sha256 (base32 - "1iqw4n01rv2jyk9lksagyxj8ml0kcfwk67n79zy1r6zv1xfp5ywm")))) + "1lkcj31fc0wjqr9lgr1ws6invx6ayvrk7v5kd9lm7956q1mi9ib4")))) (build-system cmake-build-system) (arguments `(#:configure-flags '("-DBUILD_SHARED_LIBS=ON"))) base-commit: b4f2b681ad9c01b99f36d3c2f6af78234b41d745 -- 2.41.0
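Review bot: the first cdrom.scm hunk (`@@ -551,7 +551,7 @@`) only moves `(version "2.2.1")` to `(version "2.3.0")`, and the context stops at `(uri (git-reference` before the `commit` field is visible. Please confirm that the checkout reference is derived from `version` (a tag built from it) rather than a fixed commit, otherwise the bump changes the label but the build would still fetch the old tree and the CVE fix would not be in it.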
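Review bot: the second cdrom.scm hunk (`@@ -560,7 +560,7 @@`) replaces the base32 hash with `1lkcj31fc0wjqr9lgr1ws6invx6ayvrk7v5kd9lm7956q1mi9ib4`; as this is the only thing that binds the package to the 2.3.0 sources, the committer should recompute it with `guix hash` on a clean checkout of the 2.3.0 tag rather than trust the value from the submission. Separately, the commit message reads "Fixes CVE-2023-43641, see for details." with the link missing; the v1 message carries the disclosure URL, so restore it before pushing so the CVE reference in `git log` is usable.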
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Leo Nikkilä
Subject: bug#66428: closed (Re: bug#66428: [PATCH] gnu: libcue: Fix CVE-2023-43641.)
References: <8734yg8u1y.fsf_-_@protonmail.com> <20231009201647.9891-1-hello@lnikki.la>
Reply-To: 66428@debbugs.gnu.org
Date: Thu, 12 Oct 2023 02:17:02 +0000

Your bug report

#66428: [PATCH] gnu: libcue: Fix CVE-2023-43641.

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.

If you require more details, please reply to 66428@debbugs.gnu.org.

-- 
66428: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=66428
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: John Kehayias
To: Leo Nikkilä
Cc: 66428-done@debbugs.gnu.org, Bruno Victal
Subject: Re: bug#66428: [PATCH] gnu: libcue: Fix CVE-2023-43641.
Date: Thu, 12 Oct 2023 02:16:09 +0000
Message-ID: <8734yg8u1y.fsf_-_@protonmail.com>

Hi Leo and Bruno,

On Wed, Oct 11, 2023 at 11:20 PM, Leo Nikkilä wrote:

> Fixes CVE-2023-43641, see
>
> for details.
>
> * gnu/packages/cdrom.scm (libcue): Update to 2.3.0.
> ---
> gnu/packages/cdrom.scm | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/gnu/packages/cdrom.scm b/gnu/packages/cdrom.scm > index de31002ac1..9eb8511e42 100644 > --- a/gnu/packages/cdrom.scm > +++ b/gnu/packages/cdrom.scm > @@ -551,7 +551,7 @@ (define-public dvdstyler > (define-public libcue > (package > (name "libcue") > - (version "2.2.1") > + (version "2.3.0") > (source (origin > (method git-fetch) > (uri (git-reference
> @@ -560,7 +560,7 @@ (define-public libcue > (file-name (git-file-name name version)) > (sha256 > (base32 > - "1iqw4n01rv2jyk9lksagyxj8ml0kcfwk67n79zy1r6zv1xfp5ywm")))= ) > + "1lkcj31fc0wjqr9lgr1ws6invx6ayvrk7v5kd9lm7956q1mi9ib4")))= ) > (build-system cmake-build-system) > (arguments > `(#:configure-flags '("-DBUILD_SHARED_LIBS=3DON"))) > > base-commit: b4f2b681ad9c01b99f36d3c2f6af78234b41d745

Thanks for the quick work! Pushed as 2610166c37d19dbd00dbb860b1ac2de45f415b4d.