A recently identified security vulnerability in the official Homebrew Cask repository could have been exploited by an attacker to execute arbitrary code on users' machines that have Homebrew installed.
The issue, which was reported to the maintainers on April 18 by a Japanese security researcher named RyotaK, stemmed from the way code changes in its GitHub repository were handled, resulting in a situation in which a malicious pull request (i.e., the proposed changes) could be automatically reviewed and approved. The flaw was fixed on April 19.
Homebrew is a free and open-source software package manager that allows the installation of software on Apple's macOS operating system as well as Linux. Homebrew Cask extends the functionality to include command-line workflows for GUI-based macOS applications, fonts, plugins, and other non-open source software.
“The discovered vulnerability would allow an attacker to inject arbitrary code into a cask and have it be merged instantly,” Homebrew’s Markus Reiter said. “This is due to a flaw in the git_diff dependency of the review-cask-pr GitHub Action, which is used to parse a pull request’s diff for inspection. Due to this flaw, the parser can be spoofed into completely ignoring the offending lines, resulting in successfully approving a malicious pull request.”
In other words, the flaw meant malicious code injected into the Cask repository was merged without any review and approval.
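An added example (not Homebrew's code and not a reconstruction of the git_diff flaw) of a general hardening pattern for an auto-approval gate: read hunk bodies by the line counts declared in each `@@` header and fail closed on anything unexpected. All names, the allowlist policy and the sample diff are assumptions constructed for illustration.

```ruby
# Added example; every name, the policy and the sample diff are constructed.
class DiffParseError < StandardError; end
HUNK = /\A@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@/
HEADER = /\A(diff --git |index |--- |new file mode |deleted file mode |\\ |\z)/
ALLOWED = /\A\s*(version|sha256) "[^"]*"\z/ # assumed policy: metadata bumps only

# Returns [path, sign, text] for every added or removed line. Inside a hunk,
# lines are classified by position (counts from the @@ header), never by looks.
def changed_lines(diff)
  lines = diff.lines.map(&:chomp)
  out, path, i = [], nil, 0
  while i < lines.length
    line = lines[i]
    i += 1
    if (m = HUNK.match(line))
      raise DiffParseError, 'hunk before file header' unless path
      old_left, new_left = (m[1] || 1).to_i, (m[2] || 1).to_i
      while old_left > 0 || new_left > 0
        body = lines[i] or raise DiffParseError, 'hunk shorter than declared'
        i += 1
        case body[0]
        when '+' then new_left -= 1; out << [path, '+', body[1..-1]]
        when '-' then old_left -= 1; out << [path, '-', body[1..-1]]
        when ' ', nil then old_left -= 1; new_left -= 1
        when '\\' then next # "\ No newline at end of file"
        else raise DiffParseError, "unexpected hunk line: #{body.inspect}"
        end
        raise DiffParseError, 'hunk longer than declared' if old_left < 0 || new_left < 0
      end
    elsif line.start_with?('+++ ')
      path = line.sub(%r{\A\+\+\+ (?:b/)?}, '')
    elsif !HEADER.match?(line)
      raise DiffParseError, "unexpected line outside hunk: #{line.inspect}"
    end
  end
  out
end

# Fail closed: a parse error or any non-allowlisted change means human review.
def auto_approvable?(diff)
  changes = changed_lines(diff)
  !changes.empty? && changes.all? { |_, _, text| ALLOWED.match?(text) }
rescue DiffParseError
  false
end

SAMPLE_BUMP = ['--- a/Casks/example.rb', '+++ b/Casks/example.rb', '@@ -1 +1 @@',
               '-  version "1.0"', '+  version "1.1"'].join("\n") # constructed
puts auto_approvable?(SAMPLE_BUMP)
```

Because the gate returns false on every parse error, a diff the reader cannot fully account for is routed to a maintainer instead of being approved.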
The researcher also submitted a proof-of-concept (PoC) pull request demonstrating the vulnerability, following which it was reverted. In light of the findings, Homebrew has also removed the “automerge” GitHub Action as well as disabled and removed the “review-cask-pr” GitHub Action from all vulnerable repositories.
In addition, the ability for bots to commit to homebrew/cask* repositories has been removed, with all pull requests requiring a manual review and approval by a maintainer going forward. No user action is required.
“If this vulnerability was abused by a malicious actor, it could be used to compromise the machines that run brew before it gets reverted,” the researcher said. “So I strongly feel that a security audit against the centralized ecosystem is required.”