metaplex-foundation / sugar

Candy Machine Rust CLI.
Apache License 2.0
206 stars 120 forks

[Bug]: Version 2.8.0 binary incorrectly reports as version 2.7.2 #496

Open 0xNotes opened 1 day ago

0xNotes commented 1 day ago

Issue description

Description

The Sugar CLI v2.8.0 release binary incorrectly reports itself as v2.7.2 when running sugar -V, despite being a different binary from the actual v2.7.2 release.

## Environment
- OS: Manjaro Linux (Rolling)
- Kernel: Linux 6.6.54-2-MANJARO x86_64
- Shell: zsh (/usr/bin/zsh)
- Architecture: x86_64 GNU/Linux
- Installation method: Both direct download and installer script

Investigation Steps Taken

1. Initial state check:

   ```bash
   $ sugar -V
   sugar-cli 2.7.2
   ```

2. Checked all possible cargo/sugar config locations:

   ```bash
   $ cat ~/.zshrc ~/.bashrc ~/.profile ~/.zprofile ~/.bash_profile | grep -i "cargo"
   export PATH="$HOME/.cargo/bin:$PATH"
   . "$HOME/.cargo/env"
   . "$HOME/.cargo/env"
   . "$HOME/.cargo/env"
   ```

3. Complete removal of sugar and cargo state:

   ```bash
   rm -rf ~/.cargo/bin/sugar
   rm -rf ~/.cargo/registry/*
   rm -rf ~/.cargo/.global-cache
   rm -f ~/.cargo/.crates.toml
   rm -f ~/.cargo/.crates2.json
   ```

4. Fresh install attempts - both methods still resulted in version mismatch:

   - Via installer script
   - Via direct download

5. Version verification:

   ```bash
   # Checking available releases
   $ curl -L --silent https://api.github.com/repos/metaplex-foundation/sugar/releases | grep -i "tag_name"
   "tag_name": "v2.8.0",
   "tag_name": "v2.7.4",
   "tag_name": "v2.7.3",
   "tag_name": "v2.7.2",
   ```

6. Binary comparison between versions:

   ```bash
   # Download and hash both versions
   $ cd /tmp
   $ curl -L "https://github.com/metaplex-foundation/sugar/releases/download/v2.8.0/sugar-ubuntu-latest" --output sugar-2.8.0
   $ curl -L "https://github.com/metaplex-foundation/sugar/releases/download/v2.7.2/sugar-ubuntu-latest" --output sugar-2.7.2
   $ chmod +x sugar-2.8.0 sugar-2.7.2
   $ sha256sum sugar-2.8.0 sugar-2.7.2
   ee813a9f7a8a6339728984633725e1105d31ce9eedcd8f5a2d859af54eef39f3  sugar-2.8.0
   ab2505f7764ab0686df30870f83f5e419d0c42bbb9cfb3c24382ca1ed44bfcd2  sugar-2.7.2
   ```

7. Verification of currently installed version:

   ```bash
   $ sugar -V
   sugar-cli 2.7.2
   $ sha256sum ~/.cargo/bin/sugar
   ee813a9f7a8a6339728984633725e1105d31ce9eedcd8f5a2d859af54eef39f3  /home/notes/.cargo/bin/sugar
   ```

Additional System Context

```bash
$ uname -a
Linux sigil 6.6.54-2-MANJARO #1 SMP PREEMPT_DYNAMIC Tue Oct  8 03:11:08 UTC 2024 x86_64 GNU/Linux

$ cat /etc/os-release
NAME="Manjaro Linux"
PRETTY_NAME="Manjaro Linux"
ID=manjaro
ID_LIKE=arch
BUILD_ID=rolling
```



PS Bonus issue in screenshot when I tried to email bounty@metaplex.com

![image](https://github.com/user-attachments/assets/825c564f-5fc6-49a4-a5bc-fa550dab7489)

PS BONUS BONUS ISSUE

![image](https://github.com/user-attachments/assets/0e91f5d7-bfa6-4a0f-9dd5-61384c8f5790)

Email html link does not go to the email users will see

Solana wallet if this is worth anything to the team:
W3kTfwdyGoT48Hy5iSNY9gRuYAsQ6SNrysso17e77ZF

### Relevant log output

_No response_

### Priority this issue should have

Low (slightly annoying)
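
As an added example (not code from the sugar project and not part of the report above), the checks in steps 5 to 7 can be turned into a small POSIX shell script that fails loudly when a release asset's self-reported version disagrees with its release tag, or when the installed binary does not hash-match the downloaded asset. The function names (`tag_to_version`, `reported_version`, `check_release_version`, `same_sha256`) are this example's own, and the stand-in binary in `demo` is a constructed script that prints `sugar-cli 2.7.2`, mimicking what the v2.8.0 asset did in the report; nothing is downloaded.

```shell
#!/bin/sh
# Added example, not from the sugar project: verify that a release binary
# reports the version its tag promises and that the installed copy is
# byte-identical to the downloaded asset.
set -u

# Strip a leading "v" from a git tag: "v2.8.0" -> "2.8.0".
tag_to_version() {
    printf '%s\n' "${1#v}"
}

# Run "<binary> -V" and keep the last whitespace-separated token,
# so "sugar-cli 2.7.2" -> "2.7.2". Returns 1 if the binary cannot run.
reported_version() {
    out="$("$1" -V 2>/dev/null)" || return 1
    printf '%s\n' "${out##* }"
}

# Return 0 when the binary's self-reported version equals the tag's version,
# 1 otherwise; the mismatch is described on stderr for the operator.
check_release_version() {
    bin="$1"
    tag="$2"
    expected="$(tag_to_version "$tag")"
    got="$(reported_version "$bin")" || { echo "cannot run $bin -V" >&2; return 1; }
    if [ "$got" = "$expected" ]; then
        return 0
    fi
    echo "MISMATCH: $bin reports $got but tag $tag expects $expected" >&2
    return 1
}

# Return 0 when two files have the same SHA-256 digest, 1 otherwise.
same_sha256() {
    a="$(sha256sum "$1" | cut -d' ' -f1)"
    b="$(sha256sum "$2" | cut -d' ' -f1)"
    [ "$a" = "$b" ]
}

# Demo on a constructed stand-in for the v2.8.0 asset (a script that prints
# "sugar-cli 2.7.2", as the real asset did in the report). In real use, point
# the functions at the downloaded asset and at ~/.cargo/bin/sugar instead.
demo() {
    dir="$(mktemp -d)"
    fake="$dir/sugar-2.8.0"
    printf '#!/bin/sh\necho "sugar-cli 2.7.2"\n' > "$fake"
    chmod +x "$fake"
    check_release_version "$fake" v2.8.0 && echo "version ok" || echo "version check failed"
    cp "$fake" "$dir/installed"
    same_sha256 "$fake" "$dir/installed" && echo "installed binary matches release asset"
    rm -rf "$dir"
}

demo
```

Run against the real files from step 6, `check_release_version /tmp/sugar-2.8.0 v2.8.0` fails for the reason the report describes (the asset prints `2.7.2`), while `same_sha256 /tmp/sugar-2.8.0 ~/.cargo/bin/sugar` succeeds, which is exactly the combination that distinguishes a mislabelled release from a stale install.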
0xNotes commented 1 day ago

I think this might be worth escalating to medium

Rationale: This affects Candy Machine, which is a Tier 2 program. It's a functional issue that could affect deployments and operations. Could cause confusion in production environments. Most importantly, it indicates a potential build/release process issue that could mask more serious problems.

The screenshots affect the security reporting process itself, which is critical for the bug bounty program.