Summary: In 2023, Homebrew underwent a security audit funded by the Open Technology Fund and conducted by Trail of Bits, resulting in a report with 25 findings. The audit revealed various security issues, with 16 items fixed, 3 in progress, and 6 acknowledged by maintainers.

Threat Actor: Trail of Bits | Trail of Bits
Victim: Homebrew | Homebrew

Key Point :

  • Audit identified 25 security issues: 14 medium, 2 low, and 7 informational.
  • 16 issues were fixed, while 3 are in progress and 6 acknowledged by maintainers.
  • Key vulnerabilities included sandbox escape, path traversal, and weak cryptographic practices.
  • Collaboration with Open Technology Fund aimed to enhance security for Homebrew and open source software.

Homebrew had a security audit performed in 2023. This audit was funded by the Open Technology Fund and conducted by Trail of Bits. Trail of Bits’ report contained 25 items, of which 16 were fixed, 3 are in progress, and 6 are acknowledged by Homebrew’s maintainers. Below is the scope of testing, findings by severity, and mitigation and acknowledgements.

You can read Trail of Bits’ blog post on the audit here and find the full public report here.

Homebrew’s maintainers and Project Leadership Commitee would like to thank Open Technology Fund and Trail of Bits for sponsoring and running this engagement. Our partnership directly improves the security of Homebrew and open source software in general.

Scope: Homebrew/brew, Homebrew/actions, Homebrew/formulae.brew.sh, Homebrew/homebrew-test-bot.

Findings by severity:

  • High: 0
  • Medium: 14
  • Low: 2
  • Informational: 7
  • Undetermined: 2

Mitigation & acknowledgement:

  1. Path traversal during file caching
  2. Sandbox escape via string injection
  3. Allow default rule in sandbox configuration is overly permissive
  4. Special characters are allowed in package names and versions
    • Status: Acknowledged
  5. Use of weak cryptographic digest in Formulary namespaces
  6. Extraction is not sandboxed
    • Status: Acknowledged
  7. Use of ldd on untrusted inputs
  8. Formulas allow for external resources to be downloaded during the install step
  9. Use of Marshal
  10. Lack of sandboxing on Linux
    • Status: Acknowledged
  11. Sandbox escape through domain socket pivot on macOS
  12. Formula privilege escalation through sudo
  13. Formula loading through SFTP, SCP, and other protocols
  14. Sandbox allows changing permissions for important directories
  15. Homebrew supports only end-of-life versions of Ruby
  16. Path traversal during bottling
  17. FileUtils.rm_rf does not check if files are deleted
  18. Use of pull_request_target in GitHub Actions workflows
    • Status: Fixed: 1, 2.
  19. Use of unpinned third-party workflow
    • Status: Fixed across the codebase via multiple PR’s.
  20. Unpinned dependencies in formulae.brew.sh
  21. Use of RSA for JSON API signing
    • Status: Acknowledged. Ed25519 was not an option when this was introduced. The next key reroll will use Ed25519.
  22. Bottles beginning “-“ can lead to unintended options getting passed to rm
  23. Code injection through inputs in multiple actions
    • Status: Fixed across the codebase via multiple PR’s.
  24. Use of PGP for commit signing
    • Status: Acknowledged. Plans to remove the bot account using PGP have been established.
  25. Unnecessary domain separation between signing key and key ID
    • Status: Acknowledged. Will be resolved with the next key reroll.

Latest Posts

Source: https://brew.sh/2024/07/30/homebrew-security-audit