August 1, 2024 at 08:06AM
A security audit sponsored by the Open Tech Fund in August 2023 found 25 security defects in Homebrew, a popular package manager for macOS and Linux. The vulnerabilities allowed for code execution, privilege escalation, and secrets exfiltration. Trail of Bits notes the lack of explicit security documentation and the informal boundaries for code execution in Homebrew’s security model.
The key takeaways are as follows:
1. Homebrew, a popular package manager for macOS and Linux, was audited by Trail of Bits sponsored by the Open Tech Fund in August 2023.
2. The audit uncovered a total of 25 security defects, including path traversals, sandbox escapes, lack of checks, permissive rules, weak cryptography, privilege escalation, and use of legacy code.
3. Homebrew has already resolved 16 of the identified security defects and is still working on three other issues, with the remaining six defects acknowledged.
4. The identified bugs included 14 medium-severity, two low-severity, seven informational, and two undetermined vulnerabilities.
5. The audit’s scope included the Homebrew repository, Homebrew/actions, Homebrew/formulae.brew.sh, and Homebrew/homebrew-test-bot.
6. Trail of Bits noted that Homebrew’s security model lacks explicit documentation and that packages can exploit multiple avenues to escalate their privileges, highlighting informal and loosely defined boundaries between expected and unexpected code execution.
7. The audit also highlighted issues with the Apple sandbox-exec system, GitHub Actions workflows, and Gemfile configuration, as well as extensive trust in user input leading to string injection and path traversal.
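The last point, trusting user input that ends up in a filesystem path, is the pattern behind the path traversal findings. The following added example (written for this summary, not Homebrew's own code) shows the naive join beside a hardened one in Ruby, the language Homebrew is written in. The base directory `/opt/pkgs/cellar` and the sample names are constructed for illustration; the check is purely lexical, so symlinks inside the base directory would still need a separate `realpath` check once the file exists.

```ruby
# Added example (not Homebrew's code): rejecting path traversal in a
# caller-supplied name before joining it to a trusted base directory.
require "pathname"

BASE_DIR = "/opt/pkgs/cellar" # constructed example base directory

# Naive join: trusts the supplied name, so "../.." walks out of BASE_DIR
# and an absolute name is not even joined to the base.
def naive_join(base, name)
  File.join(base, name)
end

# Hardened join: resolves the candidate lexically (Pathname#+ consumes ".."
# components and lets an absolute name replace the base; cleanpath collapses
# what remains) and then requires the result to be the base itself or a
# descendant of it. Anything that would escape yields nil.
def safe_join(base, name)
  base_path = Pathname.new(base).cleanpath
  candidate = (base_path + name).cleanpath
  inside = candidate == base_path ||
           candidate.to_s.start_with?(base_path.to_s + "/")
  inside ? candidate.to_s : nil
end

if __FILE__ == $PROGRAM_NAME
  ["wget/1.21", "foo/../bar", "../../etc/passwd", "/etc/passwd"].each do |name|
    puts "#{name.inspect}: naive=#{naive_join(BASE_DIR, name)} safe=#{safe_join(BASE_DIR, name).inspect}"
  end
end
```

Returning `nil` rather than a "sanitised" string is deliberate: a name that tries to leave the base directory is a policy violation to reject and log, not an input to repair.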