A flaw in the libcue library is leaving Linux users that use the Gnome desktop vulnerable to a remote code execution exploit.
The flaw exploits libcue’s inclusion in tracker-miners, Gnome’s file indexing service. According to the National Vulnerability Database, an attacker could use a maliciously coded “cue sheet” to trigger the flaw and execute code remotely.
libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to
~/Downloads, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution.
The vulnerability has been given a score of 8.8, or High. At the time of writing, there is no workaround and users are encouraged to upgrade to the newest version once it becomes available.