abuild: bwrap: use --new-session to mitigate TIOCSTI escape (CVE-2017-5226) (!187) · Merge requests · alpine / abuild

Ariadne Conill requested to merge ariadne/abuild:cve-2017-5226-mitigation into master Mar 14, 2023

Bubblewrap has an under-documented option which helps to protect against abuse of TIOCSTI ioctls against the session PTY to escape the build sandbox, the --new-session option.

Related: https://github.com/containers/bubblewrap/issues/555

Related: https://github.com/containers/bubblewrap/issues/142

Related: https://news.ycombinator.com/item?id=30825088

Signed-off-by: Ariadne Conill ariadne@dereferenced.org

Edited Mar 14, 2023 by Ariadne Conill

abuild: bwrap: use --new-session to mitigate TIOCSTI escape (CVE-2017-5226)

Merge request reports