
Devops packages in homebrew for mac

Flaw meant malicious code injected into Cask repo was merged automatically

A vulnerability in Homebrew, the enormously popular open source package manager for macOS and Linux, enabled attackers to execute malicious Ruby code on machines running the application.

Security researcher ‘RyotaK’ found the flaw during a vulnerability assessment sanctioned by the project maintainers after probing the CI script that Homebrew runs using GitHub Actions.

The Japanese researcher found that “in the Homebrew/homebrew-cask repository, it was possible to merge the malicious pull request by confusing the library that is used in the automated pull request review script developed by the Homebrew project”, according to a blog post published on April 21.

In a security alert, Homebrew maintainer Markus Reiter said: “This is due to a flaw in the git_diff dependency of the review-cask-pr GitHub Action, which is used to parse a pull request’s diff for inspection.

“Due to this flaw, the parser can be spoofed into completely ignoring the offending lines, resulting in successfully approving a malicious pull request.”

The issue arose, he continued, because: “Whenever an affected cask tap received a pull request to change only the version of a cask, the review-cask-pr GitHub Action would automatically review and approve the pull request. The approval would then trigger the automerge GitHub Action which would merge the approved pull request.”

Securing the repo

In light of the findings, which were reported to Homebrew’s HackerOne program, Reiter said the vulnerable review-cask-pr and automerge GitHub Actions have been disabled and removed from all repositories.

Moreover, bots can no longer commit to homebrew/cask* repositories, with pull requests now requiring a manual review and approval by a maintainer.

“We are improving documentation to help onboard new homebrew/cask maintainers and training existing homebrew/core maintainers to help with homebrew/cask,” added Reiter.

RyotaK compromised a single cask “with a harmless change for the duration of the demonstration pull request until its reversal”, he continued. “No action is required by users due to this incident.”

The gravity of the bug prompted RyotaK to comment: “I strongly feel that a security audit against the centralized ecosystem is required.”
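The parser confusion that the security alert describes, as an added Ruby example that is not Homebrew's review-cask-pr action, the git_diff gem, or the actual git_diff defect (which the page does not detail): a toy review bot that decides whether a pull request is a pure version bump, with two diff parsers side by side. The lenient parser classifies each line by its leading characters alone, so an added source line whose content begins with "++" (which git renders as a diff line starting with "+++") is mistaken for a "+++ b/file" header and silently dropped, and the spoofed pull request is approved. The strict parser uses the line counts in every "@@" header, so each hunk line is accounted for and anything it cannot classify is rejected rather than ignored. The cask name, the allowed stanzas, the "injected_stanza" content and both diffs are constructed for this illustration.

```ruby
# Added example: a toy review bot for cask version-bump pull requests.
# This is NOT Homebrew's review-cask-pr action or the git_diff gem, and the
# header/hunk confusion below is a hypothetical member of the bug class the
# alert describes, not the actual git_diff defect (not detailed on the page).

# Stanzas a version-bump PR may touch (assumption made for this example).
ALLOWED_CHANGE = /\A\s*(version|sha256)\s+"[^"]*"\s*\z/

# Lenient parser: classifies every line by its leading characters alone.
# An added line whose content starts with "++" is emitted by git as "+++ ...",
# which this parser mistakes for a "+++ b/file" header and silently drops.
# Returns [[:add | :del, content], ...].
def lenient_changes(diff)
  changes = []
  diff.each_line(chomp: true) do |line|
    case line
    when /\A(diff --git |index |--- |\+\+\+ |@@ )/ then next # looks like a header
    when /\A\+/ then changes << [:add, line[1..]]
    when /\A-/  then changes << [:del, line[1..]]
    end # context lines and "\ No newline" markers are ignored
  end
  changes
end

HUNK_HEADER  = /\A@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@/
OUTSIDE_HUNK = /\A(diff --git |index |--- |\+\+\+ |old mode |new mode |new file mode |deleted file mode |similarity index |rename (from|to) |Binary files )/

# Strict parser: the counts in each "@@" header say exactly how many lines
# belong to the hunk, so every one of them is classified as "+", "-", " " or
# the "\ No newline" marker and none can be reinterpreted as a header.
# Unknown lines, count mismatches and truncated hunks raise instead of
# being skipped.
def strict_changes(diff)
  changes = []
  lines = diff.lines(chomp: true)
  i = 0
  while i < lines.length
    header = HUNK_HEADER.match(lines[i])
    unless header
      raise "unexpected line outside hunk: #{lines[i].inspect}" unless OUTSIDE_HUNK.match?(lines[i])
      i += 1
      next
    end
    old_left = (header[2] || "1").to_i
    new_left = (header[4] || "1").to_i
    i += 1
    while old_left.positive? || new_left.positive?
      line = lines[i]
      raise "truncated hunk" if line.nil?
      i += 1
      case line[0]
      when "+"  then changes << [:add, line[1..]]; new_left -= 1
      when "-"  then changes << [:del, line[1..]]; old_left -= 1
      when " "  then old_left -= 1; new_left -= 1
      when "\\" then next # "\ No newline at end of file"
      else raise "unexpected line inside hunk: #{line.inspect}"
      end
      raise "hunk longer than its header claims" if old_left.negative? || new_left.negative?
    end
  end
  changes
end

# Approve only when the PR changes nothing but version/sha256 stanzas.
def review(diff, parser)
  changes = parser.call(diff)
  return :reject if changes.empty?
  changes.all? { |_, content| content.match?(ALLOWED_CHANGE) } ? :approve : :reject
rescue RuntimeError
  :reject
end

# Constructed sample pull requests (not real casks).
VERSION_BUMP = <<~DIFF
  diff --git a/Casks/example.rb b/Casks/example.rb
  --- a/Casks/example.rb
  +++ b/Casks/example.rb
  @@ -1,4 +1,4 @@
   cask "example" do
  -  version "1.0.0"
  +  version "1.0.1"
     sha256 "0000000000000000000000000000000000000000000000000000000000000000"
   end
DIFF

# Same bump plus one added line whose content begins with "++": git renders
# it as "+++ injected_stanza", which the lenient parser discards.
SPOOFED_BUMP = <<~DIFF
  diff --git a/Casks/example.rb b/Casks/example.rb
  --- a/Casks/example.rb
  +++ b/Casks/example.rb
  @@ -1,4 +1,5 @@
   cask "example" do
  -  version "1.0.0"
  +  version "1.0.1"
  +++ injected_stanza
     sha256 "0000000000000000000000000000000000000000000000000000000000000000"
   end
DIFF

if $PROGRAM_NAME == __FILE__
  [VERSION_BUMP, SPOOFED_BUMP].each do |pr|
    puts "lenient: #{review(pr, method(:lenient_changes))}  strict: #{review(pr, method(:strict_changes))}"
  end
end
```

Running the script prints approve/approve for the genuine bump and approve/reject for the spoofed one: the lenient bot would hand the spoofed request to an automerge step, the strict bot would not. The design point is that a diff consumer must take its structure from the hunk headers, not from per-line pattern matching, and must fail closed on anything it cannot classify; this complements, rather than replaces, the manual maintainer review the page says Homebrew now requires.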