Skip to content

"--new-session" underadvertised and CVE-2017-5226 still a thing in 2023 by default? #555

Open
@hartwork

Description

Hi!

Thanks for making bubblewrap and sharing it as Software Libre! 🙏

Someone pointed out the importance of --new-session on Hacker News and I'm in debt to them for speaking up about it both personally and with sandwine. They go on saying:

[..] Bubblewrap is aware of this, yet their documentation gives no indication that this flag is necessary to produce a secure sandbox. In --help, the documentation of --new-session is simply "Create a new terminal session," which severely understates its importance. [..]

I checked the main readme for mentions of --new-session and found no matches and checked the help output and it doesn't mention security implecations. The man page has something but why check the man page if --help seemed to answer the questions you new you had. So there really was no place other than Hacker News educating me prior to first usage and I could not even heard of --new-session still, realistically.
After seeing the CVE-2017-5226 demo from #142 (thanks!) work on my own terminal (scary!), including stealth mode with echo off, I agree that --new-session needs more user attention and/or become default. Maybe it needs a counter-part --same-session also so that --new-session can become the default at some point in the future if #150 is not being implemented — the latest reply there is off 2017. The warning idea from #162 — also of 2017 — will help with user education (which is good) but would come too late if bubblewrap is run behind the scenes rather than manually by the user.

Any chance for motion in that direction?

Thanks and best, Sebastian

Activity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions