Critical RCE Bug Found in Homebrew Package Manager for macOS and Linux

[enaph]

Content source

https://thehackernews.com/2021/04/critical-rce-bug-found-in-homebrew.html

recently identified security vulnerability in the official Homebrew Cask repository could have been exploited by an attacker to execute arbitrary code on users' machines that have Homebrew installed.

The issue, which was reported to the maintainers on April 18 by a Japanese security researcher named RyotaK, stemmed from the way code changes in its GitHub repository were handled, resulting in a scenario where a malicious pull request — i.e., the proposed changes — could be automatically reviewed and approved. The flaw was fixed on April 19.

Homebrew is a free and open-source software package manager solution that allows the installation of software on Apple's macOS operating system as well as Linux. Homebrew Cask extends the functionality to include command-line workflows for GUI-based macOS applications, fonts, plugins, and other non-open source software.

Critical RCE Bug Found in Homebrew Package Manager for macOS and Linux

A critical vulnerability in the Homebrew Package Manager for macOS and Linux could have allowed hackers to remotely execute arbitrary code.

thehackernews.com

 

[enaph]

Homebrew disclosure:

Security Incident Disclosure

On 18th April 2021, a security researcher identified a vulnerability in our review-cask-pr GitHub Action used on the homebrew-cask and all homebrew-cask-* taps (non-default repositories) in the Homebrew organization and reported it on our HackerOne.

brew.sh