conda-forge openssl-feedstock writable OPENSSLDIR

A non-privileged local user writes a malicious `openssl.cnf` into the `OPENSSLDIR` path that was previously set to the user-writable Conda environment directory (`%LIBRARY_PREFIX%`). When a privileged process or another user loads the OpenSSL DLLs from this Conda environment, OpenSSL reads the attacker-controlled configuration, which can abuse OpenSSL's engine loading feature to execute arbitrary code in the context of the loading process. The attack requires local access and the ability to write files to the Conda environment's directory. [CWE-73] [ref_id=1]

The vulnerability is in the `openssl-feedstock` build recipe for Windows. The patch changes the `--openssldir` argument passed to the OpenSSL `perl configure` invocation from `%LIBRARY_PREFIX%` (a user-writable Conda environment directory) to `"%CommonProgramFiles%\ssl"` (a system directory with restricted write permissions). The activation script copying logic (lines 44–52) is also added to provide `SSL_CERT_FILE` via environment variables, replacing the functionality previously expected from `OPENSSLDIR`.

The patch changes `--openssldir` from `%LIBRARY_PREFIX%` (a per-environment, user-writable path) to `"%CommonProgramFiles%\ssl"` (a system-global directory that non-privileged users cannot write to). This prevents a local attacker from placing a malicious `openssl.cnf` file that could load arbitrary OpenSSL engines. The recipe also adds activation scripts to set the `SSL_CERT_FILE` environment variable, ensuring certificate functionality is preserved via environment variables rather than relying on the now-locked-down `OPENSSLDIR` for CA bundles.