A serious vulnerability existed in the Homebrew package manager that could allow an attacker to execute arbitrary codes. The developers have patched the vulnerability.
Homebrew Package Manager Vulnerability
A security researcher with alias RyotaK has found a critical vulnerability in the Homebrew package manager.
Homebrew is an open-source and free package manager written in Ruby that facilitates in installing apps on macOS and Linux. Popular in the Ruby on Rails community, Homebrew allows the users to develop software as they want.
As explained in a blog post, RyotaK found the vulnerability in the Homebrew Cask that typically focuses on installing GUI apps.
In brief, the researcher noticed that the vulnerability allowed an adversary to merge malicious pull requests by confusing the library used in the automated pull request review script. In this way, an attacker could execute malicious Ruby codes on the target brew users’ devices.
Explaining more about the vulnerability in a subsequent security notice, Homebrew stated,
Whenever an affected cask tap received a pull request to change only the version of a cask, the
review-cask-prGitHub Action would automatically review and approve the pull request. The approval would then trigger the
automergeGitHub Action which would merge the approved pull request…
The discovered vulnerability would allow an attacker to inject arbitrary code into a cask and have it be merged automatically. This is due to a flaw in the
git_diffdependency of the
review-cask-prGitHub Action, which is used to parse a pull request’s diff for inspection. Due to this flaw, the parser can be spoofed into completely ignoring the offending lines, resulting in successfully approving a malicious pull request.
Upon finding the bug, the researcher reported the matter to Homebrew via HackerOne. Consequently, the team rushed to developing a fix that they have also confirmed in their post.
Briefly, the patches include disabling and removal of the vulnerable GitHub Action
automerge. Also, they have implemented a manual review of all homebrew/cask* pull requests.
Technical details about the vulnerability are available in the researcher’s post.