Message ID | 20231009201647.9891-1-hello@lnikki.la |
---|---|
State | New |
Series | [bug#66428] gnu: libcue: Fix CVE-2023-43641. |
Hi Leo, I see that libcue 2.3.0 has been recently released to address this. How about updating the package instead?
> How about updating the package instead?
Thanks for the heads up! I saw it took a while to cut the release, and
other distros like Arch resorted to patching in the meantime. Here's a
new patch to just update the package.
Hi Leo and Bruno, On Wed, Oct 11, 2023 at 11:20 PM, Leo Nikkilä wrote: > Fixes CVE-2023-43641, see > <https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/> > for details. > > * gnu/packages/cdrom.scm (libcue): Update to 2.3.0. > --- > gnu/packages/cdrom.scm | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/gnu/packages/cdrom.scm b/gnu/packages/cdrom.scm > index de31002ac1..9eb8511e42 100644 > --- a/gnu/packages/cdrom.scm > +++ b/gnu/packages/cdrom.scm > @@ -551,7 +551,7 @@ (define-public dvdstyler > (define-public libcue > (package > (name "libcue") > - (version "2.2.1") > + (version "2.3.0") > (source (origin > (method git-fetch) > (uri (git-reference > @@ -560,7 +560,7 @@ (define-public libcue > (file-name (git-file-name name version)) > (sha256 > (base32 > - "1iqw4n01rv2jyk9lksagyxj8ml0kcfwk67n79zy1r6zv1xfp5ywm")))) > + "1lkcj31fc0wjqr9lgr1ws6invx6ayvrk7v5kd9lm7956q1mi9ib4")))) > (build-system cmake-build-system) > (arguments > `(#:configure-flags '("-DBUILD_SHARED_LIBS=ON"))) > > base-commit: b4f2b681ad9c01b99f36d3c2f6af78234b41d745 Thanks for the quick work! Pushed as 2610166c37d19dbd00dbb860b1ac2de45f415b4d.
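Review bot: In the second cdrom.scm hunk the replacement base32 hash cannot be checked from the diff alone, and the `git-reference` commit field sits in the lines elided between the two hunks, so it is not visible which tag the hash is pinned to. It is worth recomputing the hash from a fresh checkout of whatever that field resolves to for version "2.3.0". Because the commit message claims the CVE fix, also confirm that the 2.3.0 source carries the `i < 0 ||` bound in `track_set_index`, so the claim rests on the code rather than on the release announcement.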
diff --git a/gnu/local.mk b/gnu/local.mk index c481aa153a..ff40cf7a9b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1517,6 +1517,7 @@ dist_patch_DATA = \ %D%/packages/patches/libcanberra-sound-theme-freedesktop.patch \ %D%/packages/patches/libcanberra-wayland-crash.patch \ %D%/packages/patches/libcroco-CVE-2020-12825.patch \ + %D%/packages/patches/libcue-CVE-2023-43641.patch \ %D%/packages/patches/libcyaml-libyaml-compat.patch \ %D%/packages/patches/libexpected-use-provided-catch2.patch \ %D%/packages/patches/libgda-cve-2021-39359.patch \ diff --git a/gnu/packages/cdrom.scm b/gnu/packages/cdrom.scm index de31002ac1..d06fe068db 100644 --- a/gnu/packages/cdrom.scm +++ b/gnu/packages/cdrom.scm @@ -560,7 +560,8 @@ (define-public libcue (file-name (git-file-name name version)) (sha256 (base32 - "1iqw4n01rv2jyk9lksagyxj8ml0kcfwk67n79zy1r6zv1xfp5ywm")))) + "1iqw4n01rv2jyk9lksagyxj8ml0kcfwk67n79zy1r6zv1xfp5ywm")) + (patches (search-patches "libcue-CVE-2023-43641.patch")))) (build-system cmake-build-system) (arguments `(#:configure-flags '("-DBUILD_SHARED_LIBS=ON"))) diff --git a/gnu/packages/patches/libcue-CVE-2023-43641.patch b/gnu/packages/patches/libcue-CVE-2023-43641.patch new file mode 100644 index 0000000000..640c197981 --- /dev/null +++ b/gnu/packages/patches/libcue-CVE-2023-43641.patch @@ -0,0 +1,18 @@ +Fix CVE-2023-43641: +https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/ + +Patch from the disclosure post. + +diff --git a/cd.c b/cd.c +index cf77a18..4bbea19 100644 +--- a/cd.c ++++ b/cd.c +@@ -339,7 +339,7 @@ track_get_rem(const Track* track) + + void track_set_index(Track *track, int i, long ind) + { +- if (i > MAXINDEX) { ++ if (i < 0 || i > MAXINDEX) { + fprintf(stderr, "too many indexes\n"); + return; + }
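Review bot: The header of the new libcue-CVE-2023-43641.patch gives its origin only as "Patch from the disclosure post"; if upstream libcue has a commit carrying this change, name it there so the patch can be dropped with confidence on the next version bump. In the embedded cd.c hunk, the added `i < 0` case reuses the existing "too many indexes" message, which misdescribes a negative index. That is acceptable if the goal is to match upstream byte for byte, but worth a line in the header. The hunk touches only `track_set_index`, so it is also worth checking whether other functions in cd.c that take a signed index have the same upper-bound-only test.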