From 4fa5156efb384c3ceca61c28c853f392d4fcaa3a Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Tue, 16 Apr 2024 10:50:00 +0100
Subject: [PATCH] test-run: Add a reproducer for CVE-2024-32462

Signed-off-by: Simon McVittie
---
 tests/test-run.sh | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/tests/test-run.sh b/tests/test-run.sh
index 7138bc64..d124c517 100644
--- a/tests/test-run.sh
+++ b/tests/test-run.sh
@@ -24,7 +24,7 @@ set -euo pipefail
 skip_without_bwrap
 skip_revokefs_without_fuse
-echo "1..20"
+echo "1..21"
 # Use stable rather than master as the branch so we can test that the run
 # command automatically finds the branch correctly
@@ -76,6 +76,15 @@ assert_file_has_content hello_out '^Hello world, from a sandbox$'
 ok "hello"
+# This should try and fail to run e.g. /usr/bin/--tmpfs, which will
+# exit with status 127 because there is no such executable.
+# It should not pass "--tmpfs /blah hello.sh" as bwrap options.
+exit_status=0
+run --command=--tmpfs org.test.Hello /blah hello.sh >&2 || exit_status=$?
+assert_not_streq "$exit_status" 0
+
+ok "avoided CVE-2024-32462"
+
 # XDG_RUNTIME_DIR is set to /runtime by libtest.sh,
 # so we always have the necessary setup to reproduce #4372
 assert_not_streq "$XDG_RUNTIME_DIR" "/run/user/$(id -u)"
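Review bot: `assert_not_streq "$exit_status" 0` in the second hunk only proves that the run failed, not that it failed for the stated reason, so a regression that still hands `--tmpfs /blah hello.sh` to bwrap but then fails for an unrelated cause (an unmountable `/blah`, a sandbox setup error) would keep this reproducer green. The comment above it says the expected outcome is exit status 127 from a missing executable; pinning that with `assert_streq "$exit_status" 127` is a much stronger check, assuming `flatpak run` propagates the child's status unchanged in this test harness (worth confirming before relying on it). It would also help to capture the output rather than discarding it via `>&2`, e.g. `run --command=--tmpfs org.test.Hello /blah hello.sh >cve_out 2>&1 || exit_status=$?`, and then assert that cve_out does not contain `Hello world`, since the earlier `assert_file_has_content hello_out '^Hello world, from a sandbox$'` shows that hello.sh prints exactly that when it does run — the one thing a vulnerable build would do. Keeping the output in a file also gives something to print when the test trips, instead of leaving the failure unexplained.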