
A recently disclosed security vulnerability in the official Homebrew Cask repository could have been exploited by an attacker to execute arbitrary code on users' machines that have Homebrew installed.

The issue, which was reported to the maintainers on April 18 by a Japanese security researcher named RyotaK, stemmed from the way code changes in its GitHub repository were handled, resulting in a scenario where a malicious pull request (i.e., the proposed changes) could be automatically reviewed and approved. The flaw was fixed on April 19.


Homebrew is a free and open-source software package manager that allows the installation of software on Apple's macOS operating system as well as Linux. Homebrew Cask extends that functionality to include command-line workflows for GUI-based macOS applications, fonts, plugins, and other non-open-source software.

"The discovered vulnerability would allow an attacker to inject arbitrary code into a cask and have it be merged automatically," Homebrew's Markus Reiter said. "This is due to a flaw in the git_diff dependency of the review-cask-pr GitHub Action, which is used to parse a pull request's diff for inspection. Due to this flaw, the parser can be spoofed into completely ignoring the offending lines, resulting in successfully approving a malicious pull request."

In other words, the flaw meant malicious code injected into the Cask repository was merged without any review or approval.
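The failure class Reiter describes, a diff parser that drops lines it cannot classify instead of rejecting them, is illustrated below with a constructed example written for this article; it is not the git_diff gem's code, and the page does not say what the gem's actual defect was. The naive parser matches lines by prefix and mistakes an added line whose content begins with "++" for a "+++ b/file" header; the fail-closed parser instead consumes exactly the line counts each @@ header announces and raises on anything that does not fit, so a reviewer bot built on it cannot approve a change it never saw. The cask diff is constructed sample input.

```ruby
class DiffError < StandardError; end
HUNK_HEADER = /\A@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@/
# Naive: classify by prefix, headers first. An added line whose content
# starts with "++" appears as "+++ ..." and is silently dropped as a header.
def naive_added_lines(diff_text)
  diff_text.lines(chomp: true).filter_map do |l|
    next if l.start_with?("+++ ", "--- ", "@@", "diff ", "index ")
    l[1..] if l.start_with?("+")
  end
end
# Fail-closed: consume exactly the counts the @@ header announces; inside a
# hunk only " ", "-", "+" and "\" prefixes are legal, anything else raises.
def strict_added_lines(diff_text)
  lines = diff_text.lines(chomp: true)
  added, i = [], 0
  while i < lines.size
    line = lines[i]
    if line.start_with?("diff --git", "index ", "--- ", "+++ ", "\\")
      i += 1 # file headers are only legal between hunks, never inside one
      next
    end
    m = HUNK_HEADER.match(line) or raise DiffError, "line #{i + 1}: #{line.inspect}"
    old_left, new_left, i = (m[2] || "1").to_i, (m[4] || "1").to_i, i + 1
    while old_left > 0 || new_left > 0
      body = lines[i] or raise DiffError, "hunk truncated"
      case body[0]
      when " "  then old_left -= 1; new_left -= 1
      when "-"  then old_left -= 1
      when "+"  then new_left -= 1; added << body[1..]
      when "\\" then nil # "\ No newline at end of file" is not counted
      else raise DiffError, "line #{i + 1}: #{body.inspect}"
      end
      raise DiffError, "hunk overruns its header" if old_left < 0 || new_left < 0
      i += 1
    end
  end
  added
end
# Constructed cask-style PR: a version bump plus a smuggled line whose
# content starts with "++", so its diff line reads "+++ surprise".
SAMPLE_DIFF = <<~DIFF
  diff --git a/Casks/example.rb b/Casks/example.rb
  --- a/Casks/example.rb
  +++ b/Casks/example.rb
  @@ -1,3 +1,4 @@
   cask "example" do
  -  version "1.0"
  +  version "1.1"
  +++ surprise
     sha256 :no_check
DIFF
```

On the sample, the naive parser reports only the version bump while the strict parser also returns the smuggled line; a policy check that only permits version and sha256 changes would therefore reject the pull request.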


The researcher also submitted a proof-of-concept (PoC) pull request demonstrating the vulnerability, which was subsequently reverted. In light of the findings, Homebrew has also removed the "automerge" GitHub Action and disabled and removed the "review-cask-pr" GitHub Action from all vulnerable repositories.

In addition, the ability for bots to commit to homebrew/cask* repositories has been removed, and all pull requests will require manual review and approval by a maintainer going forward. No user action is required.

"If this vulnerability was abused by a malicious actor, it could be used to compromise the machines that run brew before it gets reverted," the researcher said. "So I strongly feel that a security audit against the centralized ecosystem is required."
