Critical RCE Bug Found in Homebrew Package Manager for macOS and Linux

A recently discovered security vulnerability in the official Homebrew Cask repository could have been exploited by an attacker to execute arbitrary code on users’ machines that have Homebrew installed.

The issue, which was reported to the maintainers on April 18 by a Japanese security researcher named RyotaK, stemmed from the way code changes in its GitHub repository were handled, resulting in a scenario where a malicious pull request (i.e., the proposed changes) could be automatically reviewed and approved. The flaw was fixed on April 19.

Homebrew is a free and open-source software package manager that allows the installation of software on Apple’s macOS operating system as well as Linux. Homebrew Cask extends the functionality to include command-line workflows for GUI-based macOS applications, fonts, plugins, and other non-open-source software.

“The discovered vulnerability would allow an attacker to inject arbitrary code into a cask and have it be merged automatically,” Homebrew’s Markus Reiter said. “This is due to a flaw in the git_diff dependency of the review-cask-pr GitHub Action, which is used to parse a pull request’s diff for inspection. Due to this flaw, the parser can be spoofed into completely ignoring the offending lines, resulting in successfully approving a malicious pull request.”

In other words, the flaw meant malicious code injected into the Cask repository was merged without any review and approval.

The researcher also submitted a proof-of-concept (PoC) pull request demonstrating the vulnerability, following which it was reverted. In light of the findings, Homebrew has also removed the “automerge” GitHub Action as well as disabled and removed the “review-cask-pr” GitHub Action from all vulnerable repositories.

In addition, the ability for bots to commit to homebrew/cask* repositories has been removed, with all pull requests requiring a manual review and approval by a maintainer going forward. No user action is required.

“If this vulnerability was abused by a malicious actor, it could be used to compromise the machines that run brew before it gets reverted,” the researcher said. “So I strongly feel that a security audit of the centralized ecosystem is essential.”