CVE-2019-10063

EUVD-2019-2124
Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl, which could otherwise be used to inject commands into the controlling terminal so that they would be executed outside the sandbox after the sandboxed app exits. This fix was incomplete: on 64-bit platforms, the seccomp filter could be bypassed by an ioctl request number that has TIOCSTI in its 32 least significant bits and an arbitrary nonzero value in its 32 most significant bits, which the Linux kernel would treat as equivalent to TIOCSTI.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9 CRITICAL
NETWORK
HIGH
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 27%
Affected Products (NVD)
VendorProductVersion
flatpakflatpak
𝑥
< 1.0.8
flatpakflatpak
1.1.0 ≤
𝑥
≤ 1.1.3
flatpakflatpak
1.2.0 ≤
𝑥
< 1.2.4
flatpakflatpak
1.3.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
flatpak
bookworm
1.14.10-1~deb12u1
fixed
bookworm (security)
1.14.10-1~deb12u1
fixed
bullseye
1.10.8-0+deb11u2
fixed
bullseye (security)
1.10.8-0+deb11u2
fixed
sid
1.14.10-1
fixed
trixie
1.14.10-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
flatpak
bionic
Fixed 1.0.8-0ubuntu0.18.04.1
released
cosmic
Fixed 1.0.8-0ubuntu0.18.10.1
released
disco
not-affected
trusty
dne
xenial
dne
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2019:1024
https://access.redhat.com/errata/RHSA-2019:1143
https://github.com/flatpak/flatpak/issues/2782
https://access.redhat.com/errata/RHSA-2019:1024
https://access.redhat.com/errata/RHSA-2019:1143
https://github.com/flatpak/flatpak/issues/2782