In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in the proxy is not identical to whitespace handling in the daemon.
Weakness
Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B’s state.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Flatpak | Flatpak | * | 0.8.9 (excluding) |
| Flatpak | Flatpak | 0.9.1 (including) | 0.9.99 (including) |
| Flatpak | Flatpak | 0.10.0 (including) | 0.10.3 (excluding) |
| Red Hat Enterprise Linux 7 | RedHat | flatpak-0:0.8.8-4.el7_5 | * |
| Flatpak | Ubuntu | artful | * |
| Flatpak | Ubuntu | upstream | * |
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/105.html
- https://cwe.mitre.org/data/definitions/273.html
- https://cwe.mitre.org/data/definitions/34.html
References
- https://access.redhat.com/errata/RHSA-2018:2766
- https://github.com/flatpak/flatpak/commit/52346bf187b5a7f1c0fe9075b328b7ad6abe78f6
- https://github.com/flatpak/flatpak/releases/tag/0.10.3
- https://github.com/flatpak/flatpak/releases/tag/0.8.9
- https://access.redhat.com/errata/RHSA-2018:2766
- https://github.com/flatpak/flatpak/commit/52346bf187b5a7f1c0fe9075b328b7ad6abe78f6
- https://github.com/flatpak/flatpak/releases/tag/0.10.3
- https://github.com/flatpak/flatpak/releases/tag/0.8.9