Coordinated Disclosure Timeline
- 2023-09-19: Sent email to @lipnitsk, the maintainer of libcue.
- 2023-09-19: Notified Ubuntu’s security team: https://bugs.launchpad.net/ubuntu/+source/libcue/+bug/2036595
- 2023-09-21: Created an issue on the libcue repository: https://github.com/lipnitsk/libcue/issues/24
- 2023-09-21: Notified GNOME: https://gitlab.gnome.org/GNOME/tracker-miners/-/issues/277
- 2023-09-25: CVE-2023-43641 assigned by GitHub Security Lab’s advisory curation team.
- 2023-09-26: Sent the report and PoC to the Distros list. We have agreed that the vulnerability will be disclosed at 2023-10-09T17:00:00+00:00.
- 2023-09-27: Sent a follow-up email to @lipnitsk.
- 2023-09-27: @lipnitsk enabled private vulnerability reporting on the libcue repository.
- 2023-09-27: Created https://github.com/lipnitsk/libcue/security/advisories/GHSA-5982-x7hv-r9cj
- 2023-10-09: Disclosed
Summary
libcue is a library for parsing CUE sheet files. A malicious file can trigger an out-of-bounds array access in the track_set_index function.
Project
libcue
Tested Version
Details
Out of bounds array access in track_set_index (GHSL-2023-197)
The function track_set_index does not check that i >= 0:
void track_set_index(Track *track, int i, long ind)
{
if (i > MAXINDEX) {
fprintf(stderr, "too many indexes\n");
return;
}
track->index[i] = ind;
}
If i is negative, then this code can write to an address outside the bounds of the array.
The value of i is parsed using atoi in cue_scanner.l:
[[:digit:]]+ { yylval.ival = atoi(yytext); return NUMBER; }
atoi does not check for integer overflow, so it is easy to get it to produce a negative number.
This is an example CUE file which triggers the bug:
FILE pwned.mp3 MP3
TRACK 000 AUDIO
INDEX 4294567296 0
The index 4294567296 is converted to -400000 by atoi.
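A hardened version of the two spots the advisory points at, the missing lower-bound check in track_set_index and the unchecked atoi conversion in the NUMBER rule, as an added example that is not libcue's own code. The MAXINDEX value, the minimal Track layout and the function names ending in _checked/_strict are assumptions for illustration:

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define MAXINDEX 99  /* assumed value; the advisory does not show libcue's */

/* Assumed minimal Track layout; only the index array matters here. */
typedef struct {
    long index[MAXINDEX + 1];
} Track;

/* Hardened setter: rejects negative indexes as well as i > MAXINDEX.
 * Returns 0 when the index is stored, -1 when it is refused. */
int track_set_index_checked(Track *track, int i, long ind)
{
    if (i < 0 || i > MAXINDEX) {
        fprintf(stderr, "index %d out of range\n", i);
        return -1;
    }
    track->index[i] = ind;
    return 0;
}

/* Range-checked replacement for atoi() in the NUMBER rule: refuses a token
 * that is not a complete decimal number or does not fit in an int, instead
 * of letting it truncate (on LP64 glibc "4294567296" becomes -400000). */
int parse_int_strict(const char *text, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || *end != '\0') return -1;  /* empty or trailing garbage */
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX) return -1;  /* overflow */
    *out = (int)v;
    return 0;
}

/* Runs an INDEX number token through both checks, as the parser would;
 * the PoC's "INDEX 4294567296 0" is refused at the parsing step. */
int handle_index_token(Track *track, const char *text, long ind)
{
    int i;
    if (parse_int_strict(text, &i) != 0) return -1;
    return track_set_index_checked(track, i, ind);
}
```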
Impact
This issue may lead to code execution when libcue is used to parse a malicious file.
Credit
This issue was discovered and reported by GHSL team member @kevinbackhouse (Kevin Backhouse).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-197 in any communication regarding this issue.