Summer 2024: Our audit of Homebrew | Trail of Bits Blog
Posted by jpluimers on 2024/11/04
In the summer of 2024, something interesting happened in the Homebrew world: [Wayback/Archive] Our audit of Homebrew | Trail of Bits Blog.
This is really cool: not only did the audit lead to fixes for issues that were unknown until then, it also improved the processes that already make Homebrew such a great tool, by focusing on these questions:
- Can a local actor induce unexpected execution of a formula’s DSL, e.g. without an explicit invocation of `brew install`?
- Can a local actor induce unexpected evaluation of a tap’s formulae, e.g. from just `brew tap` with no subsequent user actions?
- Can a local actor induce namespace confusions or conflicts within brew, resulting in `brew install foo` installing an unexpected formula?
- Can a locally installed formula surreptitiously subvert or bypass Homebrew’s build isolation mechanisms?
- Can an unprivileged or low-privilege CI/CD actor (such as a third-party contributor) pivot to a higher privilege in Homebrew’s CI/CD?
- Can an unprivileged or low-privilege CI/CD actor surreptitiously taint or compromise a bottle build?
- Can an unprivileged or low-privilege CI/CD actor establish persistence in Homebrew’s CI/CD?
Via [Wayback/Archive] Trail of Bits: “Homebrew, the missing package …” – Infosec Exchange
Homebrew, the missing package manager for macOS, produces the binaries that millions of users download daily. Read about our audit of Homebrew’s CI/CD pipeline and brew.
blog.trailofbits.com/2024/07/3…
--jeroen