Conda-Forge CI Setup Arbitrary Code Execution Vulnerability via Insecure Version Parsing
Vulnerability
An arbitrary code execution vulnerability has been identified in the conda-forge CI setup package, affecting versions up to and including 4.14.4. The issue arises from the unsafe use of Python's eval function in the setup script, which uses it to parse the version field from a custom-formatted meta.yaml file. Because the version value is evaluated as a Python expression rather than treated as data, an attacker who controls that field can have arbitrary code run while the file is processed. Exploitation requires the attacker to control the recipe being processed, for example by manipulating the RECIPE_DIR variable so that it points at a directory containing a malicious meta.yaml file. This scenario is more likely to occur in CI/CD pipelines than in typical environments, which lowers the overall risk.
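To show why evaluating the version field is dangerous, here is an added, hypothetical illustration of the unsafe pattern beside a hardened parser; this is not conda-forge's own setup code, and the meta.yaml snippets are constructed.

```python
import re

# Constructed meta.yaml-style snippets, not real conda-forge recipes.
META_SAFE = 'package:\n  name: example\n  version: "4.14.4"\n'
# An expression instead of a literal: eval() computes it, a strict parser rejects it.
META_SUSPICIOUS = "package:\n  name: example\n  version: str(1 + 1) + '.0'\n"

VERSION_LINE = re.compile(r"^\s*version:\s*(.+?)\s*$", re.MULTILINE)


def extract_version_field(meta_text: str) -> str:
    """Return the raw text after 'version:' in a meta.yaml-style document."""
    match = VERSION_LINE.search(meta_text)
    if match is None:
        raise ValueError("no version field found")
    return match.group(1)


def parse_version_unsafe(meta_text: str) -> str:
    """Hypothetical vulnerable pattern: eval() on text taken from the recipe.

    Whatever Python expression sits in the version field is executed with the
    privileges of the CI job, which is the root cause described in the advisory.
    """
    return str(eval(extract_version_field(meta_text)))  # deliberately unsafe


# Strict version grammar (PEP 440-like core): digits and dots, optional tag.
SAFE_VERSION = re.compile(r"^\d+(\.\d+)*([a-zA-Z]+\d*)?(\.(post|dev)\d+)?$")


def parse_version_safe(meta_text: str) -> str:
    """Hardened replacement: treat the field as data and validate it.

    Surrounding quotes are stripped, then only strings matching the version
    grammar are accepted; expressions, calls and imports never reach eval().
    """
    raw = extract_version_field(meta_text).strip("\"'")
    if not SAFE_VERSION.fullmatch(raw):
        raise ValueError(f"rejected version field: {raw!r}")
    return raw


def version_field_is_literal(meta_text: str) -> bool:
    """CI pre-check: True only when the version field is a plain version literal."""
    try:
        parse_version_safe(meta_text)
    except ValueError:
        return False
    return True
```

The suspicious snippet is benign (it only builds the string "2.0"), but the unsafe parser still executes it, while the hardened parser rejects it outright.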
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the system where the conda-forge CI setup is being processed.
Reproduction
To reproduce this vulnerability, create a malicious meta.yaml file whose version field contains an injected payload. Set the RECIPE_DIR environment variable to point to the directory containing this file. When the setup.py script is executed, the injected code runs, demonstrating the arbitrary code execution vulnerability.
Remediation
Users can upgrade to version 4.15.0 or later, where this vulnerability has been fixed.
