test-run: Add a reproducer for CVE-2024-32462

Signed-off-by: Simon McVittie <smcv@collabora.com>
2026-04-03 06:47:19 -04:00 · 2024-04-16 10:50:00 +01:00
parent b7c1a558e5
commit 4fa5156efb
1 changed files with 10 additions and 1 deletions
--- a/tests/test-run.sh
+++ b/tests/test-run.sh
@@ -24,7 +24,7 @@ set -euo pipefail
 skip_without_bwrap
 skip_revokefs_without_fuse

-echo "1..20"
+echo "1..21"

 # Use stable rather than master as the branch so we can test that the run
 # command automatically finds the branch correctly
@@ -76,6 +76,15 @@ assert_file_has_content hello_out '^Hello world, from a sandbox$'

 ok "hello"

+# This should try and fail to run e.g. /usr/bin/--tmpfs, which will
+# exit with status 127 because there is no such executable.
+# It should not pass "--tmpfs /blah hello.sh" as bwrap options.
+exit_status=0
+run --command=--tmpfs org.test.Hello /blah hello.sh >&2 || exit_status=$?
+assert_not_streq "$exit_status" 0
+
+ok "avoided CVE-2024-32462"
+
 # XDG_RUNTIME_DIR is set to <temp directory>/runtime by libtest.sh,
 # so we always have the necessary setup to reproduce #4372
 assert_not_streq "$XDG_RUNTIME_DIR" "/run/user/$(id -u)"