Flaw meant malicious code injected into Cask repo was merged automatically

Vulnerability in Homebrew macOS package manager could allow arbitary code execution

A vulnerability in Homebrew, the enormously popular open source package manager for macOS and Linux, enabled attackers to execute malicious Ruby code on machines running the application.

Security researcher ‘RyotaK’ found the flaw during a vulnerability assessment sanctioned by the project maintainers after probing the CI script that Homebrew runs using GitHub Actions.

The Japanese researcher found that “in the Homebrew/homebrew-cask repository, it was possible to merge the malicious pull request by confusing the library that is used in the automated pull request review script developed by the Homebrew project”, according to a blog post published on April 21.

Spoofing the parser

In a security alert, Homebrew maintainer Markus Reiter said: “This is due to a flaw in the git_diff dependency of the review-cask-pr GitHub Action, which is used to parse a pull request’s diff for inspection.

“Due to this flaw, the parser can be spoofed into completely ignoring the offending lines, resulting in successfully approving a malicious pull request.”

The issue arose, he continued, because: “Whenever an affected cask tap received a pull request to change only the version of a cask, the review-cask-pr GitHub Action would automatically review and approve the pull request. The approval would then trigger the automerge GitHub Action which would merge the approved pull request.”

Securing the repo

In light of the findings, which were reported to Homebrew’s HackerOne program, Reiter said the vulnerable review-cask-pr and automerge  GitHub Actions have been disabled and removed from all repositories.

Moreover, bots can no longer commit to homebrew/cask* repositories, with pull requests now requiring a manual review and approval by a maintainer.

“We are improving documentation to help onboard new homebrew/cask maintainers and training existing homebrew/core maintainers to help with homebrew/cask,” added Reiter.

RyotaK compromised a single cask “with a harmless change for the duration of the demonstration pull request until its reversal”, he continued. “No action is required by users due to this incident.”

The gravity of the bug prompted RyotaK to comment: “I strongly feel that a security audit against the centralized ecosystem is required. I want to perform security audits against PyPI/npm registry… etc, but as they don’t allow the vulnerability assessment explicitly, I can’t do this.”

The flaw was reported on April 17, and was fully fixed two days later on April 19.

Homebrew, which simplifies the installation of software on macOS and Linux, is currently ranked 63 in the Gitstar breakdown of organizations by GitHub star rating.


YOU MIGHT ALSO LIKE Codecov users warned after backdoor discovered in DevOps tool