
Insecure Build Script Permissions Enabling Arbitrary Code Execution

Moderate
jaimergp published GHSA-vfp6-3v8g-vcmm Jun 14, 2025

Package

conda-build (conda)

Affected versions

<=25.3.0

Patched versions

>=25.3.1

Description

Impact

The write_build_scripts function in conda-build creates the temporary build script conda_build.sh with overly permissive file permissions (0o766), allowing write access to all users. Attackers with filesystem access can exploit a race condition to overwrite the script before execution, enabling arbitrary code execution under the victim's privileges (e.g., for privilege escalation). This risk is significant in shared environments (e.g., multi-user systems, CI/CD pipelines), potentially leading to full system compromise.

Even with non-static directory names, attackers can monitor parent directories (e.g., ~/conda-bld) for file creation events using tools like inotify or polling. The brief window between script creation (with insecure permissions) and execution allows rapid overwrites. Directory names can also be inferred via timestamps or logs, and automation enables exploitation even with semi-randomized paths by acting within milliseconds of detection.

Code affected:

import os
from os.path import isfile, join

from conda_build import environ, utils

# _set_env_variables_for_build and _write_sh_activation_text are conda-build
# helpers defined alongside this function; they are not reproduced here.


def write_build_scripts(m, script, build_file):
    # TODO: Prepending the prefixes here should probably be guarded by
    # if not m.activate_build_script:
    # Leaving it as is, for now, since we need a quick, non-disruptive patch release.
    with utils.path_prepended(m.config.host_prefix, False):
        with utils.path_prepended(m.config.build_prefix, False):
            env = environ.get_dict(m=m)
    _set_env_variables_for_build(m, env)
    work_file = join(m.config.work_dir, "conda_build.sh")
    env_file = join(m.config.work_dir, "build_env_setup.sh")
    with open(env_file, "w") as bf:
        for k, v in env.items():
            if v != "" and v is not None:
                bf.write(f'export {k}="{v}"\n')
        if m.activate_build_script:
            _write_sh_activation_text(bf, m)
    with open(work_file, "w") as bf:
        # bf.write('set -ex\n')
        bf.write("if [ -z ${CONDA_BUILD+x} ]; then\n")
        bf.write(f"    source {env_file}\n")
        bf.write("fi\n")
        if script:
            bf.write(script)
        if isfile(build_file) and not script:
            bf.write(open(build_file).read())
    # The defect: 0o766 grants write access to group and others, so any local
    # user can replace the script between this chmod and its execution.
    os.chmod(work_file, 0o766)
    return work_file, env_file

The severity has been rated as Medium because exploitation requires local filesystem access and real-time monitoring or prediction of build directory paths, conditions common in shared environments like multi-user systems and CI/CD pipelines. Although the race condition window is narrow and non-static paths increase complexity, successful exploitation enables arbitrary code execution.

This permission mode was chosen back in 1.0.0, not even a public release, via #5.

Patches

Has the problem been patched? What versions should users upgrade to?

Restrict conda_build.sh permissions from 0o766 to 0o700 (owner-only read/write/execute). Additionally, use atomic file creation (write to a temporary randomized filename and rename atomically) to minimize the race condition window.
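The two mitigations above, owner-only permissions and atomic installation via a randomized temporary file, as an added example. This is not conda-build's patch; `write_script_securely`, `is_group_or_world_writable` and `demo` are hypothetical helpers written for this advisory, and `demo` reproduces the 0o766 mode beside the hardened result so the difference can be checked.

```python
import os
import stat
import tempfile


def write_script_securely(work_dir: str, name: str, content: str) -> str:
    """Create work_dir/name without ever exposing a group- or world-writable file.

    mkstemp opens the scratch file with O_EXCL and mode 0o600 in the target
    directory, fchmod sets 0o700 on that descriptor, and os.replace installs it
    atomically under the final name (POSIX; example helper, not conda-build's).
    """
    fd, tmp_path = tempfile.mkstemp(prefix=f".{name}.", dir=work_dir)
    try:
        with os.fdopen(fd, "w") as bf:
            bf.write(content)
            bf.flush()
            os.fsync(bf.fileno())
            os.fchmod(bf.fileno(), stat.S_IRWXU)  # 0o700, not subject to umask
        final_path = os.path.join(work_dir, name)
        os.replace(tmp_path, final_path)  # atomic rename: no half-written window
        return final_path
    except BaseException:
        try:
            os.unlink(tmp_path)  # do not leave the scratch file behind
        except FileNotFoundError:
            pass
        raise


def is_group_or_world_writable(path: str) -> bool:
    """True if group or others hold write permission (the 0o766 defect)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo() -> dict:
    """Write one script the vulnerable way and one the hardened way; report modes."""
    work_dir = tempfile.mkdtemp(prefix="conda-bld-")  # constructed scratch dir
    legacy = os.path.join(work_dir, "legacy_conda_build.sh")
    with open(legacy, "w") as bf:
        bf.write("#!/bin/sh\necho legacy\n")
    os.chmod(legacy, 0o766)  # the insecure mode from the advisory
    hardened = write_script_securely(work_dir, "conda_build.sh", "#!/bin/sh\necho fixed\n")
    return {
        "legacy_writable": is_group_or_world_writable(legacy),
        "hardened_writable": is_group_or_world_writable(hardened),
        "hardened_mode": oct(stat.S_IMODE(os.stat(hardened).st_mode)),
        "leftover_files": sorted(os.listdir(work_dir)),
    }
```

`is_group_or_world_writable` doubles as a quick audit check for build directories on shared hosts that cannot upgrade yet.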

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

Found by an audit conducted by 7a Security in partnership with OSTIF

Severity

Moderate

CVE ID

CVE-2025-32797

Weaknesses

No CWEs

Credits