bwrap.xml: Mention CVE-2017-5226 with --new-session

Signed-off-by: Sebastian Pipping <[email protected]>
containers · Mar 5, 2023 · 2077ec7 · 2077ec7
1 parent 8280501
commit 2077ec7
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/bwrap.xml b/bwrap.xml
@@ -463,7 +463,9 @@
         </para><para>
         Note: In a general sandbox, if you don't use --new-session, it is
         recommended to use seccomp to disallow the TIOCSTI ioctl, otherwise
-        the application can feed keyboard input to the terminal.
+        the application can feed keyboard input to the terminal
+        which can e.g. lead to out-of-sandbox command execution
+        (see CVE-2017-5226).
       </para></listitem>
     </varlistentry>
     <varlistentry>