Critical Vulnerability in GNOME Desktop: Immediate Update Advised


A significant flaw in the open-source libcue library may enable attackers to run arbitrary code on Linux machines that use the GNOME desktop environment.

libcue, which parses cue sheet files, is used by the Tracker Miners metadata indexer, a default component of recent GNOME releases. Cue sheets (.cue files) describe the track layout of an audio CD and often accompany FLAC audio files.

GNOME is the default desktop environment for numerous Linux distributions, including Debian, Ubuntu, Fedora, Red Hat Enterprise, and SUSE Linux Enterprise.

This vulnerability (CVE-2023-43641) permits attackers to run malicious code by way of Tracker Miners, which routinely updates the search index on GNOME Linux devices. For the flaw to be exploited, a user would need to download a malicious .cue file, which is then stored in their ~/Downloads directory. The vulnerability is triggered when Tracker Miners automatically processes the stored file.

GitHub security expert Kevin Backhouse, who identified this bug, emphasized, "The vulnerability in libcue makes tracker-miners susceptible to a 1-click RCE. All GNOME users should update immediately." He also pointed out that merely clicking a harmful link could be enough to compromise a system.

Although Backhouse has shown a demonstration of the flaw, the actual release will be delayed to allow GNOME users time to update. He highlighted the exploit's efficacy on Ubuntu 23.04 and Fedora 38 but believes all distributions that use GNOME are potentially at risk.

Administrators are urged to apply patches to counteract the threat, especially given the popularity of Linux distributions like Debian, Fedora, and Ubuntu.

Backhouse has previously identified other serious Linux security flaws, including issues in the GNOME Display Manager and in the polkit authorization system service, which is present on most modern Linux platforms.

In a related development, proof-of-concept exploits have emerged for the high-risk 'Looney Tunables' flaw in the GNU C Library's dynamic loader (CVE-2023-4911), which could allow attackers to gain elevated privileges on prominent Linux systems.

About this post

Posted: 2023-10-11
By: dwirch