Homepage

Improper Input Validation Affecting flatpak package, versions <1.2.3-2

Severity

 Recommended
0.0
critical
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.21% (60th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Input Validation vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-DEBIAN13-FLATPAK-5680263
  • published26 Mar 2019
  • disclosed26 Mar 2019
Report a new vulnerability Found a mistake?

Introduced: 26 Mar 2019

CVE-2019-10063  (opens in a new tab)
CWE-20  (opens in a new tab)

How to fix?

Upgrade Debian:13 flatpak to version 1.2.3-2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream flatpak package and not the flatpak package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl, which could otherwise be used to inject commands into the controlling terminal so that they would be executed outside the sandbox after the sandboxed app exits. This fix was incomplete: on 64-bit platforms, the seccomp filter could be bypassed by an ioctl request number that has TIOCSTI in its 32 least significant bits and an arbitrary nonzero value in its 32 most significant bits, which the Linux kernel would treat as equivalent to TIOCSTI.