Coordinated Disclosure: 1-Click RCE on GNOME (CVE-2023-43641)
Blog post from GitHub
A memory corruption vulnerability, CVE-2023-43641, has been identified in libcue, a library used to parse cue sheets, a metadata format often associated with the FLAC audio file format. Discovered by the GitHub Security Lab in coordination with Ilya Lipnitskiy, the vulnerability is most readily exploitable through tracker-miners, the GNOME application that indexes files in a user's home directory to make them searchable. The flaw stems from how libcue handles the INDEX syntax in cue sheets, allowing an integer overflow that can lead to code execution if a malicious cue sheet is downloaded and automatically scanned.

The impact is amplified by tracker-miners' automated file scanning: simply downloading a file into the ~/Downloads directory is enough to trigger the exploit. Although tracker-miners is not itself vulnerable, its use of libcue turns a library bug into a 1-click compromise on systems running GNOME.

The GitHub Security Lab is withholding the full proof of concept to give users time to patch, and has released a simpler version that only causes a benign crash. The issue illustrates how a seemingly minor library can matter in a much broader security context, and why timely updates are needed to keep systems secure.
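As an added illustration of the defensive pattern at stake (this is constructed example code, not libcue's or tracker-miners' source), the parser below reads a single cue-sheet `INDEX nn mm:ss:ff` line and range-checks every numeric field before it is used as an array subscript or in arithmetic; the index range of 00..99 follows the cue sheet format, while the minute bound of 99 is an assumption chosen for the example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Cue sheets allow INDEX numbers 00..99, so a track has at most 100 slots. */
#define MAX_INDEX 100

typedef struct {
    long frames[MAX_INDEX]; /* position of each index in 75-frames-per-second units */
} Track;

/* Parse a decimal token into *out, returning 0 only if it is a number within
 * [lo, hi]. strtol is used instead of sscanf("%d") so that overflow (ERANGE)
 * and a missing number are detected instead of silently accepted. */
static int parse_bounded(const char *s, long lo, long hi, long *out, char **end)
{
    errno = 0;
    long v = strtol(s, end, 10);
    if (errno == ERANGE || *end == s || v < lo || v > hi)
        return -1;
    *out = v;
    return 0;
}

/* Parse one "INDEX nn mm:ss:ff" line into the track. Returns the index number
 * (0..99) on success, or -1 if any field is missing, out of range, negative,
 * or followed by trailing garbage. The subscript t->frames[idx] is only
 * evaluated after idx has been proven to lie inside the array. */
int parse_index_line(const char *line, Track *t)
{
    const char *p = line;
    long idx, mm, ss, ff;
    char *end;
    if (strncmp(p, "INDEX", 5) != 0) return -1;
    p += 5;
    if (parse_bounded(p, 0, MAX_INDEX - 1, &idx, &end)) return -1;       /* nn */
    if (parse_bounded(end, 0, 99, &mm, &end) || *end != ':') return -1;  /* mm (bound assumed) */
    if (parse_bounded(end + 1, 0, 59, &ss, &end) || *end != ':') return -1; /* ss */
    if (parse_bounded(end + 1, 0, 74, &ff, &end)) return -1;             /* ff, 75 fps */
    while (*end == ' ' || *end == '\r' || *end == '\n') end++;
    if (*end != '\0') return -1;
    t->frames[idx] = (mm * 60 + ss) * 75 + ff; /* idx is in range here */
    return (int)idx;
}

/* Convenience wrapper: frame offset recorded for one line, or -1 if rejected. */
long index_frames(const char *line)
{
    Track t = {{0}};
    int i = parse_index_line(line, &t);
    return i < 0 ? -1 : t.frames[i];
}
```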