Conda-Build Temporary Script Permission Vulnerability Allowing Arbitrary Code Execution
Vulnerability
A vulnerability in Conda-Build versions prior to 25.3.1 allows arbitrary code execution through a race condition. The 'write_build_scripts' function creates the temporary build script 'conda_build.sh' with mode 0o766: read, write and execute for the owner, and read and write for the group and for every other user on the system. On a shared host, any local user who can reach the build directory can therefore rewrite the script in the window between its creation and its execution, and the injected commands then run with the privileges of the user performing the build. This is particularly concerning on multi-user systems and in CI/CD pipelines, where it could lead to full system compromise.
Impact
Exploitation of this vulnerability allows arbitrary code execution with the privileges of the user running the Conda-Build process. In a shared environment, where that user typically has access beyond what the attacker's own account holds, this can result in a complete system compromise.
Reproduction
To reproduce this vulnerability, create a Conda package recipe that includes a build script and build it with a Conda-Build version prior to 25.3.1. While the build runs, inspect the mode of the temporary script 'conda_build.sh' (for example with ls -l): it is created as 0o766, shown as -rwxrw-rw-, so every user on the system can write to it. A second, unprivileged local user who polls for the file and overwrites its contents before Conda-Build executes it gets their commands run under the building user's account. The window is short, but because the script path is predictable the attacker can wait for it to appear.
Remediation
Users should upgrade to Conda-Build version 25.3.1 or later, where this vulnerability has been patched. The fix restricts the mode of 'conda_build.sh' from 0o766 to 0o700, so that only the owner can read, write and execute the file; pending the upgrade, the same restriction can be applied locally. Restricting the file's mode is only effective if the directory containing it is not writable by other users, since an attacker who can write to the directory can replace the file rather than modify it, so build roots should not be shared or world-writable and CI builds should run as a dedicated, unprivileged user. For an additional layer of protection, create the script atomically: write it to a private temporary file with a randomized name (created with owner-only permissions, as tempfile.mkstemp does) and rename it into place, so no reader can ever observe a partially written or writable script.
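The following Python example, added here and not taken from conda-build's own code, reconstructs the flawed pattern described under Reproduction beside the two hardened variants described under Remediation, plus a permission check a practitioner can run against an existing script before a build executes it. The function names, the script body and the directory check are assumptions for illustration; only the mode values 0o766 and 0o700 come from the advisory.

```python
import contextlib
import os
import stat
import tempfile

# Constructed stand-in for the generated script body; the real body comes
# from the recipe's build section. Unix only (conda_build.sh is a shell script).
SCRIPT_BODY = "#!/bin/bash\nset -ex\necho 'building package'\n"
SCRIPT_NAME = "conda_build.sh"
GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def write_build_script_unsafe(build_dir):
    """Reconstruction (assumed, not conda-build's code) of the flawed pattern:
    write the script, then chmod it to 0o766, i.e. rwx for the owner and rw for
    group and others. Any local user can overwrite it before it is executed."""
    path = os.path.join(build_dir, SCRIPT_NAME)
    with open(path, "w") as fh:
        fh.write(SCRIPT_BODY)
    os.chmod(path, 0o766)
    return path


def write_build_script_safe(build_dir):
    """Hardened creation: O_CREAT|O_EXCL fails (FileExistsError) if someone has
    pre-planted a file or symlink at the path, and the file is born with mode
    0o700, so it is never writable by anyone but the owner (umask can only
    remove bits, never add them)."""
    path = os.path.join(build_dir, SCRIPT_NAME)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o700)
    with os.fdopen(fd, "w") as fh:
        fh.write(SCRIPT_BODY)
    return path


def build_dir_is_private(build_dir):
    """A file mode is meaningless if other users can replace the file: refuse
    build directories that are writable by group or others."""
    st = os.stat(build_dir)
    return stat.S_ISDIR(st.st_mode) and not st.st_mode & GROUP_OR_OTHER_WRITE


def write_build_script_atomic(build_dir):
    """Atomic variant: mkstemp creates a randomly named file with mode 0o600,
    the content is written there, the mode is tightened to 0o700 on the open
    descriptor, and os.replace renames it into place in one step, so no reader
    ever sees a partial or writable script under the final name."""
    if not build_dir_is_private(build_dir):
        raise PermissionError(f"{build_dir} is writable by other users")
    path = os.path.join(build_dir, SCRIPT_NAME)
    fd, tmp = tempfile.mkstemp(prefix=".conda_build.", dir=build_dir)
    try:
        with os.fdopen(fd, "w") as fh:
            os.fchmod(fd, 0o700)
            fh.write(SCRIPT_BODY)
        os.replace(tmp, path)
    except BaseException:
        with contextlib.suppress(FileNotFoundError):
            os.unlink(tmp)
        raise
    return path


def script_is_safe_to_execute(path):
    """Pre-execution check for an existing conda_build.sh: a regular file (not a
    symlink, hence lstat), owned by the current user, and not writable by group
    or others. Returns a plain bool."""
    st = os.lstat(path)
    return (
        stat.S_ISREG(st.st_mode)
        and st.st_uid == os.getuid()
        and not st.st_mode & GROUP_OR_OTHER_WRITE
    )


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as build_dir:  # mkdtemp gives 0o700
        for writer in (write_build_script_unsafe, write_build_script_safe,
                       write_build_script_atomic):
            p = writer(build_dir)
            print(f"{writer.__name__:28s} mode={oct(stat.S_IMODE(os.stat(p).st_mode))} "
                  f"safe={script_is_safe_to_execute(p)}")
            os.unlink(p)
```

Run it on a multi-user host to see the unsafe variant reported as unsafe while both hardened variants come out as 0o700. The O_EXCL variant is the smallest change to an existing code path; the mkstemp plus os.replace variant additionally guarantees that the script is never observable half-written, but as the directory check shows, neither helps if the build root itself is shared.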
