CVE-2018-6560

Name: CVE-2018-6560
Description: In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in the proxy is not identical to whitespace handling in the daemon.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs: 888842

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release            | Version         | Status
flatpak (PTS)  | stretch            | 0.8.7-2~deb9u1  | vulnerable
               | stretch (security) | 0.8.5-2+deb9u1  | vulnerable
               | buster, sid        | 0.10.4-1        | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
flatpak | source | (unstable) | 0.10.3-1      |         |        | 888842

Notes

[stretch] - flatpak <no-dsa> (Minor issue; will be fixed via point release)
https://github.com/flatpak/flatpak/commit/52346bf187b5a7f1c0fe9075b328b7ad6abe78f6
