From 3f2f8851fcff28d5da98fa4313cfc1522fad3345 Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Mon, 9 Jan 2017 17:46:07 +0000
Subject: [PATCH] Call setsid() before executing sandboxed code (CVE-2017-5226)

This prevents the sandboxed code from getting a controlling tty, which in turn prevents it from accessing the TIOCSTI ioctl and hence faking terminal input.

Fixes: #142
---
 bubblewrap.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/bubblewrap.c b/bubblewrap.c
index 6e044593..4b5b8e65 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -2071,6 +2071,9 @@ main (int argc,
 /* We want sigchild in the child */
 unblock_sigchild ();
+ if (setsid () == (pid_t) -1)
+ die_with_error ("setsid");
+
 if (label_exec (opt_exec_label) == -1)
 die_with_error ("label_exec %s", argv[0]);
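Review bot: The added `setsid ()` call carries no comment, so nothing in the code marks it as a security boundary and a later cleanup could drop it as redundant; I would put `/* New session: the sandboxed program gets no controlling tty, so it cannot inject input into the caller's terminal with TIOCSTI (CVE-2017-5226) */` directly above it. The call is also unconditional, which means an interactive program run in the sandbox loses job control and terminal-generated signals such as Ctrl-C, and that trade-off deserves a line in the user documentation. main's body starts and ends outside the hunk, so it cannot be checked from these lines whether the process can already be a process-group leader at this point, in which case setsid() fails with EPERM and `die_with_error ("setsid")` makes that fatal.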