Conda-Build Arbitrary Code Execution Vulnerability via Malicious Recipe Selectors

Vulnerability

A vulnerability in conda-build versions prior to 25.4.0 allows arbitrary code execution through unsafe evaluation of recipe selectors in meta.yaml files. conda-build, the tool used to create conda packages, processes the selectors embedded in a recipe by passing each user-supplied expression to Python's eval(). Because that input is not sanitized, a selector can carry code that runs during the package build. Consequently, the integrity of the build environment is compromised, potentially allowing unauthorized commands or file operations. The root cause is the use of eval() on untrusted recipe content, which turns selector logic into a pathway for executing arbitrary code.
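
The unsafe pattern beside one way to harden it, as an added example that is not conda-build's own code and does not describe the fix shipped in 25.4.0 (the page does not detail that patch). The selector namespace, the regex for the trailing `# [...]` comment, the `UnsafeSelector` type and the sample meta.yaml fragment are constructed assumptions for this illustration. The vulnerable version hands the selector text to eval(); the hardened version parses it with the ast module and accepts only and/or/not, comparisons, known variable names and literals, refusing the whole recipe on anything else.

```python
import ast
import operator
import re

# Constructed selector namespace for this example. conda-build exposes a
# similar set of platform variables (win, osx, linux, py, np, ...); the exact
# set and values here are an assumption, not the project's own.
SELECTOR_NAMESPACE = {
    "win": False, "osx": False, "linux": True, "unix": True,
    "py": 311, "py3k": True, "np": 126, "x86_64": True, "aarch64": False,
}

# Trailing "# [expr]" comment that marks a selector on a meta.yaml line.
SELECTOR_RE = re.compile(r"#\s*\[(?P<expr>[^\]]+)\]\s*$")


class UnsafeSelector(ValueError):
    """Raised when a selector uses syntax outside the boolean subset."""


def unsafe_eval_selector(expr, namespace):
    # Vulnerable pattern: the recipe author controls `expr`, and eval() runs
    # any Python expression in it. Emptying __builtins__ is not a fix; the
    # expression language is still the whole of Python.
    return bool(eval(expr, {"__builtins__": {}}, dict(namespace)))


_BOOL_OPS = {ast.And: all, ast.Or: any}
_CMP_OPS = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne,
    ast.Lt: operator.lt, ast.LtE: operator.le,
    ast.Gt: operator.gt, ast.GtE: operator.ge,
}


def safe_eval_selector(expr, namespace):
    """Evaluate a selector by walking its AST and allowing only and/or/not,
    comparisons, known variable names and literal constants. Anything else
    (calls, attribute access, subscripts, lambdas, ...) is rejected."""
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as exc:
        raise UnsafeSelector(f"not a valid expression: {expr!r}") from exc

    def visit(node):
        if isinstance(node, ast.Expression):
            return visit(node.body)
        if isinstance(node, ast.BoolOp):
            return _BOOL_OPS[type(node.op)](visit(v) for v in node.values)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not visit(node.operand)
        if isinstance(node, ast.Compare):
            left = visit(node.left)
            for op, comparator in zip(node.ops, node.comparators):
                fn = _CMP_OPS.get(type(op))
                if fn is None:
                    raise UnsafeSelector(f"disallowed comparison: {type(op).__name__}")
                right = visit(comparator)
                if not fn(left, right):
                    return False
                left = right
            return True
        if isinstance(node, ast.Name):
            if node.id not in namespace:
                raise UnsafeSelector(f"unknown selector variable: {node.id!r}")
            return namespace[node.id]
        if isinstance(node, ast.Constant) and isinstance(node.value, (bool, int, str)):
            return node.value
        raise UnsafeSelector(f"disallowed syntax in selector: {type(node).__name__}")

    return bool(visit(tree))


def selector_is_safe(expr, namespace=SELECTOR_NAMESPACE):
    """True if the selector evaluates under the restricted grammar."""
    try:
        safe_eval_selector(expr, namespace)
        return True
    except UnsafeSelector:
        return False


def apply_selectors(meta_yaml, namespace=SELECTOR_NAMESPACE):
    """Keep lines whose selector is true (or that have none), with the
    selector comment stripped. Any unsafe selector aborts the whole recipe."""
    kept = []
    for line in meta_yaml.splitlines():
        match = SELECTOR_RE.search(line)
        if match is None:
            kept.append(line)
        elif safe_eval_selector(match.group("expr"), namespace):
            kept.append(line[: match.start()].rstrip())
    return "\n".join(kept)


# Constructed meta.yaml fragment with platform-conditional dependencies.
SAMPLE_META_YAML = """\
package:
  name: example
requirements:
  build:
    - vs2019_win-64   # [win]
    - gcc             # [linux]
  host:
    - python
    - numpy >=1.20    # [py>=38]
"""

if __name__ == "__main__":
    print(apply_selectors(SAMPLE_META_YAML))
```

With the constructed Linux namespace the gcc and numpy lines survive and the Windows line is dropped; a selector that contains a call, attribute access or unknown name raises UnsafeSelector before anything is evaluated. Failing closed on the whole recipe is the right default for a build system, since trying to sanitize the string while still feeding it to eval() leaves the full Python expression language reachable.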

Impact

Exploitation of this vulnerability allows for arbitrary code execution within the conda-build environment, potentially leading to unauthorized actions or modifications to the file system.

Reproduction

To reproduce this vulnerability, create a conda recipe whose meta.yaml contains a selector expression that executes code instead of a platform test. Running conda-build evaluates the selector and executes the embedded code. For example, a selector could be crafted to run a system command and write the command's output to a file.

Remediation

Users can upgrade to conda-build version 25.4.0 or later, where this vulnerability has been patched.

Added: Jun 16, 2025, 8:18 PM
Updated: Jun 16, 2025, 8:18 PM

Vulnerability Rating (Custom Algorithm)

  spread          0.0
  impact         10.0
  exploitability  8.7
  remediation     7.7
  relevance       0.2
  threat          6.4
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.