From 35e6b2a6982fd167793a267bbb855190a4c6eed2 Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Sun, 5 Mar 2023 00:38:51 +0100 Subject: bwrap.xml: Mention CVE-2017-5226 with --new-session Signed-off-by: Sebastian Pipping --- bwrap.xml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/bwrap.xml b/bwrap.xml index adc4641..81331de 100644 --- a/bwrap.xml +++ b/bwrap.xml @@ -464,7 +464,9 @@ Note: In a general sandbox, if you don't use --new-session, it is recommended to use seccomp to disallow the TIOCSTI ioctl, otherwise - the application can feed keyboard input to the terminal. + the application can feed keyboard input to the terminal + which can e.g. lead to out-of-sandbox command execution + (see CVE-2017-5226). -- cgit v1.2.1
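Review bot: In the three added lines at the end of the --new-session note, the clause "which can e.g. lead to out-of-sandbox command execution" follows "terminal" with no comma, so it reads as a property of the terminal rather than a consequence of the injected keyboard input. Suggest "the application can feed keyboard input to the terminal, which can lead to out-of-sandbox command execution, for example (see CVE-2017-5226)." or moving the consequence into its own sentence. The unchanged context already makes the risk conditional on using neither --new-session nor a seccomp filter for the TIOCSTI ioctl, so the CVE reference is placed correctly and needs no further qualification.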