Bug 2242943

Summary: 1-Click RCE Exploit in Libcue (CVE-2023-43641)
Product: [Fedora] Fedora Reporter: Daniel Milnes <daniel>
Component: libcueAssignee: Peter Lemenkov <lemenkov>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: rawhideCC: alex, awilliam, bugzilla, ego.cordatus, kparal, lemenkov, redhat-bugzilla, robatino
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: AcceptedBlocker
Fixed In Version: libcue-2.2.1-13.fc39 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-10-11 18:50:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2143446    

Description Daniel Milnes 2023-10-09 20:51:48 UTC 
Apologies if there is already a tracker bug for this, I couldn't find one.

The GitHub Security team have disclosed CVE-2023-43641, which is a memory corruption bug in libcue. Kevin Backhouse from GitHub has done a great writeup on https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/

Short summary: When you download a file to ~/Downloads, tracker-miners tries to parse it with libcue. libcue is not properly validating the input, and this allows an attacker to execute arbitrary code.

Fedora 39/40 already has the patched version of tracker-miners (https://bodhi.fedoraproject.org/updates/FEDORA-2023-8277fcd2c6). I'm going to raise a bug on their side and suggest they backport the fix.

I'm also planning to raise a PR on libcue to apply Kevin's patch, and apply for a 39 FinalFreezeException for it.
Comment 1 Fedora Blocker Bugs Application 2023-10-09 21:20:13 UTC 
Proposed as a Freeze Exception for 39-final by Fedora user thebeanogamer using the blocker tracking app because:

 This vulnerability allows an attacker to take execute arbitrary code on a user's device by downloading a file. tracker-miners have hardened their side, but we should deploy the real fix.

As this can be fixed by a package update, and we don't run Gnome in the installer, I've got for FE instead of Blocker. I'm happy to update this if incorrect.
Comment 2 Daniel Milnes 2023-10-09 21:22:22 UTC 
See above, I've raised a BlockerBug for this.

https://src.fedoraproject.org/rpms/libcue/pull-request/2 should be ready to merge. As mentioned on there, I'd recommend applying this to every branch.

I've also created bug 2242946 to cover the tracker-miners side.

Please let me know if there's anything else I can do to help with this.
Comment 3 Adam Williamson 2023-10-10 16:10:42 UTC 
+5 in https://pagure.io/fedora-qa/blocker-review/issue/1395 , marking accepted FE. This may even be a blocker - we do have the GNOME-based Workstation live image, after all, and it *is* possible to use the live image as a working environment.
Comment 4 Adam Williamson 2023-10-10 16:13:31 UTC 
Gonna at least propose this as a blocker for now, so we remember to consider it before shipping anything.
Comment 5 Daniel Milnes 2023-10-10 22:05:19 UTC 
*** Bug 2243014 has been marked as a duplicate of this bug. ***
Comment 6 Fedora Update System 2023-10-10 23:13:40 UTC 
FEDORA-2023-1fe05ac8d9 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-1fe05ac8d9
Comment 7 Fedora Update System 2023-10-10 23:13:41 UTC 
FEDORA-2023-eec9ce5935 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-eec9ce5935
Comment 8 Fedora Update System 2023-10-10 23:13:43 UTC 
FEDORA-2023-f4e74a94a2 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-f4e74a94a2
Comment 9 Fedora Update System 2023-10-11 01:51:33 UTC 
FEDORA-2023-f4e74a94a2 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-f4e74a94a2`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-f4e74a94a2

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 10 Fedora Update System 2023-10-11 02:32:54 UTC 
FEDORA-2023-1fe05ac8d9 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-1fe05ac8d9`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-1fe05ac8d9

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 11 Fedora Update System 2023-10-11 02:37:31 UTC 
FEDORA-2023-eec9ce5935 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-eec9ce5935`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-eec9ce5935

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 12 Adam Williamson 2023-10-11 16:10:48 UTC 
+9 blocker in https://pagure.io/fedora-qa/blocker-review/issue/1395 , marking accepted. This supersedes FE status, so clearing that.
Comment 13 Fedora Update System 2023-10-11 18:50:58 UTC 
FEDORA-2023-f4e74a94a2 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 14 Fedora Update System 2023-10-12 01:45:24 UTC 
FEDORA-2023-eec9ce5935 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 15 Fedora Update System 2023-10-13 01:33:35 UTC 
FEDORA-2023-1fe05ac8d9 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.