Critical RCE bug found in Homebrew Package Manager for macOS and Linux
A security vulnerability recently identified in the official Homebrew Cask repository could have been exploited by an attacker to execute arbitrary code on the machines of users where Homebrew is installed.

The issue, which was reported to the maintainers on April 18 by a Japanese security researcher named RyotaK, stemmed from how code changes in the project's GitHub repository were handled, resulting in a scenario in which a malicious pull request (i.e. the proposed changes) could be automatically reviewed and approved. The flaw was corrected on April 19.

Homebrew is a free, open source package manager that allows software installation on Apple's macOS operating system as well as Linux. Homebrew Cask extends that functionality with command line workflows for GUI based macOS apps, fonts, plugins, and other non-open source software.

"The discovered vulnerability would allow an attacker to inject arbitrary code into a cask and have it merged automatically," said Markus Reiter of Homebrew. "This is due to a flaw in the git_diff dependency of the review-cask-pr GitHub Action, which is used to parse a pull request's diff for inspection. Due to this flaw, the parser can be spoofed into completely ignoring the offending lines, resulting in the approval of a malicious pull request."

In other words, the flaw meant that malicious code injected into the Cask repository could be merged without any human review or approval.
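As an added illustration of the mitigation direction, not Homebrew's own code: rather than trusting a parsed diff, a review check can compare the full "before" and "after" cask text and accept the change only when every differing line is a version or sha256 stanza. The ALLOWED_STANZA pattern and the sample casks are assumptions constructed for this example.

```ruby
# Added example (not Homebrew's code). Diff-format tricks cannot hide a line
# from this check, because no diff is parsed: both complete files are compared.
ALLOWED_STANZA = /\A\s*(version|sha256)\s+"[^"]*"\s*\z/

# True only when both texts have the same number of lines and every line that
# differs is an allowed stanza in both versions, with the same key on each side.
def only_version_bump?(before, after)
  old_lines = before.lines.map(&:chomp)
  new_lines = after.lines.map(&:chomp)
  return false unless old_lines.size == new_lines.size # no lines added or removed
  old_lines.zip(new_lines).all? do |old, new|
    next true if old == new
    om = ALLOWED_STANZA.match(old)
    nm = ALLOWED_STANZA.match(new)
    !om.nil? && !nm.nil? && om[1] == nm[1]
  end
end

# Constructed sample cask (assumption; not a real Homebrew cask).
BEFORE = <<~CASK
  cask "example" do
    version "1.0.0"
    sha256 "aaaa"
    url "https://example.invalid/example-1.0.0.dmg"
    app "Example.app"
  end
CASK

# A legitimate version bump: only version and sha256 change.
GOOD = BEFORE.sub('version "1.0.0"', 'version "1.0.1"')
             .sub('sha256 "aaaa"', 'sha256 "bbbb"')
# A change to the download URL must not be auto-approved.
BAD_URL = BEFORE.sub("example-1.0.0.dmg", "other-1.0.0.dmg")
# An inserted line must not be auto-approved either, whatever it contains.
BAD_EXTRA = BEFORE.sub("  app", "  zap trash: \"~/Library/Example\"\n  app")

if __FILE__ == $PROGRAM_NAME
  puts "good bump accepted: #{only_version_bump?(BEFORE, GOOD)}"
  puts "url change accepted: #{only_version_bump?(BEFORE, BAD_URL)}"
  puts "extra line accepted: #{only_version_bump?(BEFORE, BAD_EXTRA)}"
end
```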

The researcher also submitted a proof of concept (PoC) pull request demonstrating the vulnerability, which was subsequently reverted. Based on the findings, Homebrew has removed the GitHub Action "automerge" and has disabled and removed the GitHub Action "review-cask-pr" from all vulnerable repositories.

Additionally, the ability for bots to commit to homebrew/cask* repositories has been removed, and all pull requests will require manual review and maintainer approval in the future. No user action is required.

"If this vulnerability were exploited by a malicious actor, it could be used to compromise the machines running brew before it is rolled back," the researcher said. "So I firmly believe that a security audit against the centralized ecosystem is necessary."
