This software relic from the CD era could put your entire PC at risk

A patch is already available, though.

If, for whatever strange reason, you find yourself in need of running .cue files on a Linux environment with a GNOME desktop, be careful. The files could be marred with malicious code that allows threat actors to execute code on the target endpoint.

The warning was issued by GitHub after the software development platform recently disclosed the existence of a memory corruption flaw in the libcue library which parses cue sheets.

It’s being tracked as CVE-2023-43641, and while not yet official, it comes with a severity score of 8.8 (High).

Testing the flaw

Cue files are metadata files used to describe the tracks on a CD or DVD. GNOME desktops, Ars Technica explains, have a “tracker miner” that automatically updates when file locations in a user’s home directory change. Should a user download a cue sheet with malicious code, GNOME’s indexing tracker would parse it and execute the code, essentially compromising the endpoint.

Luckily, a patch is already available, so Linux users with GNOME-based distributions should apply it to secure their endpoints, as soon as possible. The earliest secure version is 2.3.0.
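A quick way to check whether a system already carries the fixed library, as an added example that is not from the article or the libcue project; it assumes pkg-config can see libcue (`pkg-config --modversion libcue`):

```python
"""Check whether the installed libcue is at or above 2.3.0, the earliest
release with the CVE-2023-43641 fix. Added example; assumes pkg-config
knows about libcue (the libcue development files are installed)."""
import re
import shutil
import subprocess

FIXED_VERSION = (2, 3, 0)  # earliest secure libcue release named in the article


def parse_version(text):
    """Turn '2.2.1', '2.3.0-1ubuntu1' or 'libcue 2.3' into a comparable tuple.
    Distro suffixes after the dotted numeric part are ignored; a missing
    patch level counts as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_patched(version_text):
    """True when the version is >= 2.3.0, i.e. carries the upstream fix."""
    return parse_version(version_text) >= FIXED_VERSION


def installed_libcue_version():
    """Ask pkg-config for the installed libcue version; None when unknown.
    Distros that backport the fix may still report an older upstream
    version, so an 'unpatched' verdict means 'check the distro advisory',
    not 'confirmed exposed'."""
    if shutil.which("pkg-config") is None:
        return None
    result = subprocess.run(["pkg-config", "--modversion", "libcue"],
                            capture_output=True, text=True)
    if result.returncode != 0:
        return None
    return result.stdout.strip()


def report():
    """Print a one-line verdict and return it for use in scripts."""
    version = installed_libcue_version()
    if version is None:
        verdict = "libcue not found via pkg-config (development files may be missing)"
    elif is_patched(version):
        verdict = f"libcue {version}: at or above 2.3.0, CVE-2023-43641 fixed upstream"
    else:
        verdict = f"libcue {version}: below 2.3.0, check your distro advisory for a backport"
    print(verdict)
    return verdict


if __name__ == "__main__":
    report()
```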

GitHub Security Lab member Kevin Backhouse recorded a video to show how the bug works, but hasn’t released a proof-of-concept (PoC) just yet, Ars Technica further explained. Users can test their systems for the vulnerability via a test cue sheet Backhouse developed, which shouldn’t cause too much trouble other than a “benign crash”.

Backhouse is known for discovering vulnerabilities in Linux. Before finding CVE-2023-43641, he discovered flaws allowing standard users to become admins with just a few commands, and a Polkit flaw that grants attackers root access. Although making up but a tiny portion of the overall OS market, Linux is a loved and widely used operating system, especially among servers, IoT gear, and mobile devices.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.