CVE-2025-32797

{"id": "CVE-2025-32797", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.0, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-16T19:15:33.510", "references": [{"url": "https://github.com/conda/conda-build/blob/3f06913bba22c4e1ef1065df9e00d86ac97f087c/conda_build/build.py#L3054-L3084", "source": "security-advisories@github.com"}, {"url": "https://github.com/conda/conda-build/commit/d246e49c8f45e8033915156ee3d77769926f3c2e", "source": "security-advisories@github.com"}, {"url": "https://github.com/conda/conda-build/pull/5", "source": "security-advisories@github.com"}, {"url": "https://github.com/conda/conda-build/security/advisories/GHSA-vfp6-3v8g-vcmm", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-277"}]}], "descriptions": [{"lang": "en", "value": "Conda-build contains commands and tools to build conda packages. Prior to version 25.3.1, The write_build_scripts function in conda-build creates the temporary build script conda_build.sh with overly permissive file permissions (0o766), allowing write access to all users. Attackers with filesystem access can exploit a race condition to overwrite the script before execution, enabling arbitrary code execution under the victim's privileges. This risk is significant in shared environments, potentially leading to full system compromise. Even with non-static directory names, attackers can monitor parent directories for file creation events. The brief window between script creation (with insecure permissions) and execution allows rapid overwrites. Directory names can also be inferred via timestamps or logs, and automation enables exploitation even with semi-randomized paths by acting within milliseconds of detection. This issue has been patched in version 25.3.1. A workaround involves restricting conda_build.sh permissions from 0o766 to 0o700 (owner-only read/write/execute). Additionally, use atomic file creation (write to a temporary randomized filename and rename atomically) to minimize the race condition window."}, {"lang": "es", "value": "Conda-build contiene comandos y herramientas para compilar paquetes conda. Antes de la versi\u00f3n 25.3.1, la funci\u00f3n write_build_scripts de conda-build creaba el script de compilaci\u00f3n temporal conda_build.sh con permisos de archivo excesivamente permisivos (0o766), lo que permit\u00eda el acceso de escritura a todos los usuarios. Los atacantes con acceso al sistema de archivos pod\u00edan explotar una condici\u00f3n de ejecuci\u00f3n para sobrescribir el script antes de su ejecuci\u00f3n, lo que permit\u00eda la ejecuci\u00f3n de c\u00f3digo arbitrario con los privilegios de la v\u00edctima. Este riesgo es significativo en entornos compartidos y podr\u00eda comprometer por completo el sistema. Incluso con nombres de directorio no est\u00e1ticos, los atacantes pueden monitorizar los directorios principales para detectar eventos de creaci\u00f3n de archivos. El breve intervalo entre la creaci\u00f3n del script (con permisos inseguros) y su ejecuci\u00f3n permite sobrescrituras r\u00e1pidas. Los nombres de directorio tambi\u00e9n se pueden inferir mediante marcas de tiempo o registros, y la automatizaci\u00f3n permite la explotaci\u00f3n incluso con rutas semi-aleatorizadas al actuar en milisegundos tras la detecci\u00f3n. Este problema se ha corregido en la versi\u00f3n 25.3.1. Una soluci\u00f3n alternativa consiste en restringir los permisos de conda_build.sh de 0o766 a 0o700 (solo lectura, escritura y ejecuci\u00f3n del propietario). Adem\u00e1s, utilice la creaci\u00f3n at\u00f3mica de archivos (escribir en un nombre de archivo temporal aleatorio y renombrarlo autom\u00e1ticamente) para minimizar la ventana de condici\u00f3n de ejecuci\u00f3n."}], "lastModified": "2025-06-17T20:50:23.507", "sourceIdentifier": "security-advisories@github.com"}