Flatpak metadata with ANSI control codes can cause misleading terminal output

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

对输出编码和转义不恰当

Flatpak 安全漏洞

Flatpak是一套用于Linux桌面应用计算机环境的应用程序虚拟化系统。 Flatpak 1.10.8之前版本、1.12.x版本至1.12.8版本、1.14.x版本至1.14.4版本、1.15.x版本至1.15.4版本存在安全漏洞。攻击者利用该漏洞可以提升权限。

N/A

N/A