bwrap.xml: Mention CVE-2017-5226 with --new-session

Signed-off-by: Sebastian Pipping <sebastian@pipping.org>
2023-03-05 00:38:51 +01:00
parent 9b246d4297
commit 35e6b2a698
1 changed files with 3 additions and 1 deletions
--- a/bwrap.xml
+++ b/bwrap.xml
@@ -464,7 +464,9 @@
        </para><para>
        Note: In a general sandbox, if you don't use --new-session, it is
        recommended to use seccomp to disallow the TIOCSTI ioctl, otherwise
-        the application can feed keyboard input to the terminal.
+        the application can feed keyboard input to the terminal
+        which can e.g. lead to out-of-sandbox command execution
+        (see CVE-2017-5226).
      </para></listitem>
    </varlistentry>
    <varlistentry>