test-run: Add a reproducer for CVE-2024-32462

Signed-off-by: Simon McVittie <smcv@collabora.com>
2026-01-30 02:21:17 -05:00 · 2024-04-16 10:50:00 +01:00
parent c777f818b9
commit 84984e4948
1 changed files with 10 additions and 1 deletions
--- a/tests/test-run.sh
+++ b/tests/test-run.sh
@@ -24,7 +24,7 @@ set -euo pipefail
 skip_without_bwrap
 skip_revokefs_without_fuse

-echo "1..21"
+echo "1..22"

 # Use stable rather than master as the branch so we can test that the run
 # command automatically finds the branch correctly
@@ -76,6 +76,15 @@ assert_file_has_content hello_out '^Hello world, from a sandbox$'

 ok "hello"

+# This should try and fail to run e.g. /usr/bin/--tmpfs, which will
+# exit with status 127 because there is no such executable.
+# It should not pass "--tmpfs /blah hello.sh" as bwrap options.
+exit_status=0
+run --command=--tmpfs org.test.Hello /blah hello.sh >&2 || exit_status=$?
+assert_not_streq "$exit_status" 0
+
+ok "avoided CVE-2024-32462"
+
 true > value-in-sandbox
 head value-in-sandbox >&2
 run_sh org.test.Hello 'echo fd passthrough >&5' 5>value-in-sandbox