=====================================================================
CERT-Renater Information Note No. 2023/VULN401
_____________________________________________________________________
DATE : 12/10/2023
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running libcue versions prior to 2.3.0.
=====================================================================

https://github.com/lipnitsk/libcue/security/advisories/GHSA-5982-x7hv-r9cj
_____________________________________________________________________

Out-of-bounds array access in track_set_index
Moderate
lipnitsk published GHSA-5982-x7hv-r9cj

Package:           libcue
Affected versions: <= 2.2.1
Patched versions:  2.3.0

Description

Summary

An out-of-bounds array access can occur in track_set_index.

Details

The function track_set_index does not check that i >= 0:

    void track_set_index(Track *track, int i, long ind)
    {
        /* only the upper bound is checked; a negative i is accepted */
        if (i > MAXINDEX) {
            fprintf(stderr, "too many indexes\n");
            return;
        }
        track->index[i] = ind;
    }

If i is negative, this code can write to an address outside the bounds of the array. The value of i is parsed using atoi in cue_scanner.l:

    [[:digit:]]+ { yylval.ival = atoi(yytext); return NUMBER; }

atoi does not check for integer overflow, so it is easy to get it to produce a negative number.

PoC

This is an example CUE file which triggers the bug:

    FILE pwned.mp3 MP3
    TRACK 000 AUDIO
    INDEX 4294567296 0

The index 4294567296 is converted to -400000 by atoi.

Impact

This issue may lead to code execution when libcue is used to parse a malicious file.
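The two defects above are the missing lower-bound check and the unchecked atoi conversion (4294567296 is 2^32 - 400000, so truncation to a 32-bit int yields -400000). As an added example, not libcue's own code, here is a bounds-checked setter beside a strtol-based replacement for the NUMBER rule's atoi call; the MAXINDEX value and the Track layout are simplified assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define MAXINDEX 99               /* assumed value; libcue defines its own */

typedef struct {
    long index[MAXINDEX + 1];     /* simplified stand-in for libcue's Track */
} Track;

/* Hardened setter: rejects i < 0 as well as i > MAXINDEX.
 * Returns 0 on success, -1 when i is out of range. */
int track_set_index_checked(Track *track, int i, long ind)
{
    if (i < 0 || i > MAXINDEX) {
        fprintf(stderr, "index %d out of range\n", i);
        return -1;
    }
    track->index[i] = ind;
    return 0;
}

/* Strict replacement for atoi(yytext) in the NUMBER lexer rule: fails on
 * overflow, on non-digit input and on values that do not fit an int, instead
 * of silently wrapping to a negative number. Returns 0 and stores *out on success. */
int parse_cue_number(const char *text, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno == ERANGE || end == text || *end != '\0')
        return -1;
    if (v < 0 || v > INT_MAX)
        return -1;
    *out = (int)v;
    return 0;
}

/* Small wrappers so the results can be checked directly. */
long parse_or_neg(const char *text) { int n; return parse_cue_number(text, &n) == 0 ? n : -1; }
int try_set_index(int i) { Track t = {{0}}; return track_set_index_checked(&t, i, 0); }

int main(void)
{
    /* Constructed input: the index literal from the advisory's PoC CUE file. */
    printf("4294567296 -> %ld, index -400000 -> %d\n", parse_or_neg("4294567296"), try_set_index(-400000));
    return 0;
}
```

On a 64-bit long the literal parses without ERANGE and is rejected by the INT_MAX check; on a 32-bit long strtol itself reports ERANGE, so the result is the same either way.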
Severity: Moderate (5.3 / 10)

CVSS base metrics
  Attack vector:       Local
  Attack complexity:   Low
  Privileges required: None
  User interaction:    Required
  Scope:               Unchanged
  Confidentiality:     Low
  Integrity:           Low
  Availability:        Low
  CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CVE ID:     CVE-2023-43641
Weaknesses: CWE-129
Credits:    @kevinbackhouse (kevinbackhouse), Reporter

=========================================================
+ CERT-RENATER      | tel : 01-53-94-20-44               +
+ 23/25 Rue Daviel  | fax : 01-53-94-20-41               +
+ 75013 Paris       | email : cert@support.renater.fr    +
=========================================================