vulnerability in libcue (GHSL-2023-197, CVE-2023-43641) affects tracker-extract; exploit for libcue CVE is able to escape tracker-miners sandbox (CVE-2023-5557)
Hi,
I've found a bug in libcue, which is one of tracker-extract's dependencies. I want to make you aware of it because it can lead to code execution in tracker-extract. I have attached two versions of the PoC, one for Ubuntu 23.04 and one for Fedora 38. Downloading the file triggers code execution and pops a calculator (when everything works). Just downloading the file is sufficient to trigger the bug because tracker-extract automatically runs on new files in the ~/Downloads directory and the '.cue' filename extension triggers the vulnerable libcue code path.
I have separately reported the vulnerability to the maintainer of the libcue library (https://github.com/lipnitsk/libcue), but I have not heard back from them yet. libcue was last updated in 2018 so I'm not sure if it's still actively maintained. I have also already notified Ubuntu's security team, but have since realized that this probably affects all distributions that run the GNOME desktop.
Kind regards,
Kev
Kevin Backhouse, GitHub Security Lab