constructor icon indicating copy to clipboard operation
constructor copied to clipboard

Published 20 hours ago verified publisher icon conda

Suspicious file: miniforge3/=2.17 / quoting issue

Open sk1p opened this issue 5 months ago • 0 comments

Checklist

  • [X] I added a descriptive title
  • [X] I searched open reports and couldn't find a duplicate

What happened?

I hope this is the correct repo to report. After installing Miniforge3-24.7.1-0-Linux-x86_64.sh, there's a suspicious file called =2.17 in the miniforge3 directory. It contains the text:

Checking virtual specs compatibility: __glibc

I think this comes from broken quoting here:

https://github.com/conda/constructor/blob/49b80727bbdabce4d150e3fba4d03c953574ea1f/constructor/header.sh#L479

Where __VIRTUAL_SPECS__ is '__glibc>=2.17'. So the rendered script looks like this:

[...]
if [ "'__glibc >=2.17'" != "" ]; then
    echo 'Checking virtual specs compatibility: '__glibc >=2.17''
    CONDA_QUIET="$BATCH" \
    CONDA_SOLVER="classic" \
    CONDA_PKGS_DIRS="$(mktemp -d)" \
    "$CONDA_EXEC" create --dry-run --prefix "$PREFIX/envs/_virtual_specs_checks" --offline '__glibc >=2.17'
fi
[...]

So instead of printing the message to stdout, it gets redirected to a file called =2.17.

Additional Context

No response

sk1p avatar Sep 21 '24 14:09 sk1p