Summary
EntryPoint::FromStr in rattler_conda_types performs only .trim() on the command field before the linker joins it onto the install prefix and writes an executable Python script. A malicious noarch:python package can ship an info/link.json with an entry-point name containing .., /, \, or an absolute path; the resulting file is written outside the prefix (or clobbers an existing in-prefix entry-point such as bin/pip) with mode 0o775 on Unix and a copied launcher .exe on Windows. This affects the default install path of pixi install, rattler-build, some methods in py-rattler, and any other consumer of the rattler install crate; no flag or post-link-script opt-in is involved.
Resolved in #2445, released in rattler 0.43.2.
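The defensive check the summary implies is a name validator that runs before the entry-point name is joined onto the prefix. The Rust below is an added illustration written for this advisory, not code from rattler or the #2445 fix; it assumes the conda entry-point spec shape "name = module:function" and uses hypothetical function names. It rejects any name that is not a single plain path component (so `..`, `/`, `\`, drive-letter and absolute forms all fail), and adds an independent lexical containment check on the final script path as a second guard.

```rust
// Added example (not rattler's own code): validate the `name` part of a conda
// entry-point spec ("name = module:function") before it is joined onto
// <prefix>/bin/ (Scripts\ on Windows), and re-check the resulting path.
use std::path::{Component, Path, PathBuf};

/// A parsed entry-point line as it appears in info/link.json.
#[derive(Debug, PartialEq)]
pub struct EntryPoint {
    pub name: String,
    pub module: String,
    pub function: String,
}

/// Reject any name that is not exactly one plain file-name component.
/// Both separators are refused regardless of host OS, because the package
/// may have been built on a different platform than the one installing it.
pub fn validate_entry_point_name(name: &str) -> Result<(), String> {
    if name.is_empty() {
        return Err("entry point name is empty".into());
    }
    if name.contains('/') || name.contains('\\') {
        return Err(format!("entry point name {name:?} contains a path separator"));
    }
    if name == "." || name == ".." {
        return Err(format!("entry point name {name:?} is a relative directory reference"));
    }
    // Windows drive prefixes ("C:") and NUL bytes are never valid file names.
    if name.contains(':') || name.contains('\0') {
        return Err(format!("entry point name {name:?} contains an invalid character"));
    }
    // After the checks above, std::path must see exactly one Normal component.
    let mut components = Path::new(name).components();
    match (components.next(), components.next()) {
        (Some(Component::Normal(_)), None) => Ok(()),
        _ => Err(format!("entry point name {name:?} is not a single path component")),
    }
}

/// Parse "name = module:function" (hypothetical parser), validating the name
/// instead of only trimming it.
pub fn parse_entry_point(spec: &str) -> Result<EntryPoint, String> {
    let (name, target) = spec
        .split_once('=')
        .ok_or_else(|| format!("entry point {spec:?} lacks '='"))?;
    let name = name.trim();
    validate_entry_point_name(name)?;
    let (module, function) = target
        .trim()
        .split_once(':')
        .ok_or_else(|| format!("entry point {spec:?} lacks 'module:function'"))?;
    Ok(EntryPoint {
        name: name.to_string(),
        module: module.trim().to_string(),
        function: function.trim().to_string(),
    })
}

/// Lexically collapse `.` and `..` without touching the filesystem.
fn lexically_normalize(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for c in path.components() {
        match c {
            Component::ParentDir => {
                out.pop();
            }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Compute the script path and confirm it still lies inside the bin directory.
/// Independent of the name validator, so a regression in one does not
/// silently disable the other.
pub fn entry_point_script_path(bin_dir: &Path, ep: &EntryPoint) -> Result<PathBuf, String> {
    let bin_dir = lexically_normalize(bin_dir);
    let candidate = lexically_normalize(&bin_dir.join(&ep.name));
    if !candidate.starts_with(&bin_dir) {
        return Err(format!("{} escapes {}", candidate.display(), bin_dir.display()));
    }
    Ok(candidate)
}
```

Note that the containment check is lexical only: it does not follow symlinks, so it complements rather than replaces an OS-level guard such as opening the bin directory and creating the file relative to it.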
Affected
- Repository: https://github.com/conda/rattler
- Commit: a0e61a33da8b9d6de712fab2a879fa9da977e6e3 (HEAD at audit time, 2026-05-13 release)
- Downstream consumers reached through the same code path: prefix-dev/pixi @ e640477
- pixi 0.69.0 and rattler-build 0.65.0 fix this issue
Researcher
Berkant Koc me@berkoc.com
PGP: 0C588DFD76204987284213EA0AC529C41F8AA5D6