A recently disclosed security vulnerability in the official Homebrew Cask repository could have been exploited by an attacker to execute arbitrary code on users’ machines that have Homebrew installed.
The issue, which was reported to the maintainers on April 18 by a Japanese security researcher named RyotaK, stemmed from the way code changes in its GitHub repository were handled, resulting in a scenario in which a malicious pull request, i.e., the proposed changes, could be automatically reviewed and approved. The flaw was fixed on April 19.
Homebrew is a free and open-source software package manager that allows the installation of software on Apple’s macOS operating system as well as Linux. Homebrew Cask extends the functionality to include command-line workflows for GUI-based macOS applications, fonts, plugins, and other non-open-source software.
“The discovered vulnerability would allow an attacker to inject arbitrary code into a cask and have it be merged automatically,” Homebrew’s Markus Reiter said. “This is due to a flaw in the git_diff dependency of the review-cask-pr GitHub Action, which is used to parse a pull request’s diff for inspection. Due to this flaw, the parser can be spoofed into completely ignoring the offending lines, resulting in successfully approving a malicious pull request.”
In other words, the flaw meant malicious code injected into the Cask repository could be merged without any human review and approval.
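The defensive lesson from a parser that can be tricked into skipping lines is to let the hunk header dictate exactly how many lines belong to the hunk, classify every line, and fail closed on anything unexpected. The following is an added example written for this page, not code from Homebrew or the git_diff gem; the allow-list of auto-mergeable lines (only `version` and `sha256`) and the sample cask diff are constructed assumptions.

```ruby
# Added example (not Homebrew's or git_diff's code): a count-driven diff
# reviewer. Hunk headers say how many old/new lines follow, so a line is
# never skipped or misread as a header while a hunk is still open, and any
# unclassified line rejects the whole pull request. Allow-list is assumed.
ALLOWED = [/\A\s*version\s+"[^"]+"\z/, /\A\s*sha256\s+"[0-9a-f]{64}"\z/].freeze
HUNK_RE = /\A@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@/

# Returns [:approve, changed_lines] or [:reject, reason].
def review_diff(diff)
  changed = []
  old_left = new_left = 0                 # lines still owed to the open hunk
  diff.each_line(chomp: true) do |line|
    if old_left > 0 || new_left > 0
      case line[0]                        # inside a hunk: counts decide meaning
      when " " then old_left -= 1; new_left -= 1
      when "-" then old_left -= 1; changed << line
      when "+" then new_left -= 1; changed << line
      when "\\" then next                 # "\ No newline at end of file"
      else return [:reject, "unclassified line in hunk: #{line.inspect}"]
      end
      return [:reject, "hunk overran its header"] if old_left < 0 || new_left < 0
    elsif (m = HUNK_RE.match(line))
      old_left = (m[1] || "1").to_i
      new_left = (m[2] || "1").to_i
    elsif line.match?(/\A(diff --git |index |--- |\+\+\+ )/)
      next                                # file-level headers between hunks
    else
      return [:reject, "unexpected line outside hunk: #{line.inspect}"]
    end
  end
  return [:reject, "truncated hunk"] if old_left > 0 || new_left > 0
  bad = changed.reject { |l| ALLOWED.any? { |re| re.match?(l[1..]) } }
  bad.empty? ? [:approve, changed] : [:reject, "not auto-mergeable: #{bad.first.inspect}"]
end

# Constructed sample: a routine version/sha256 bump of a hypothetical cask.
SAMPLE_BUMP = <<~DIFF
  diff --git a/Casks/example.rb b/Casks/example.rb
  --- a/Casks/example.rb
  +++ b/Casks/example.rb
  @@ -1,5 +1,5 @@
   cask "example" do
  -  version "1.0.0"
  -  sha256 "#{"a" * 64}"
  +  version "1.0.1"
  +  sha256 "#{"b" * 64}"
     url "https://example.invalid/\#{version}.dmg"
   end
DIFF

puts review_diff(SAMPLE_BUMP).inspect
```

A diff whose body does not line up with its headers, or that touches any line outside the allow-list, is rejected rather than silently trimmed to the lines the reviewer understood.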
The researcher also submitted a proof-of-concept (PoC) pull request demonstrating the vulnerability, following which it was reverted. In light of the findings, Homebrew has also removed the “automerge” GitHub Action as well as disabled and removed the “review-cask-pr” GitHub Action from all vulnerable repositories.
In addition, the ability for bots to commit to homebrew/cask* repositories has been removed, with all pull requests requiring manual review and approval by a maintainer going forward. No user action is required.
“If this vulnerability was abused by a malicious actor, it could be used to compromise the machines that run brew before it gets reverted,” the researcher said. “So I strongly feel that a security audit against the centralized ecosystem is required.”
Some parts of this article are sourced from:
thehackernews.com