CVE-2018-6560

NameCVE-2018-6560
DescriptionIn dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in the proxy is not identical to whitespace handling in the daemon.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs888842

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
flatpak (PTS)stretch0.8.9-0+deb9u3fixed
stretch (security), stretch (lts)0.8.9-0+deb9u2fixed
buster (security), buster, buster (lts)1.2.5-0+deb10u4fixed
bullseye (security), bullseye1.10.8-0+deb11u2fixed
bookworm (security), bookworm1.14.10-1~deb12u1fixed
sid, trixie1.14.10-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
flatpaksourcestretch0.8.9-0+deb9u1
flatpaksource(unstable)0.10.3-1888842

Notes

https://github.com/flatpak/flatpak/commit/52346bf187b5a7f1c0fe9075b328b7ad6abe78f6
Search for package or bug name: Reporting problems