Homebrew audit reveals security vulnerabilities – team has closed most of them

An extensive security audit has found vulnerabilities in the code and CI/CD processes of the package manager Homebrew. Many, but not all, have been fixed.


(Image: iX with AI (Dall-E 3))

By Robert Lippert
This article was originally published in German and has been automatically translated.

The Homebrew team has published the results of an independent security audit. It uncovered 25 vulnerabilities, 16 of which are reported to have already been fixed. Three more are currently being worked on, and Homebrew has confirmed a further six.

Homebrew is a widely used open source package manager and is particularly popular on macOS, which, unlike Linux, has no native package management system. The official website describes it as "the missing package manager for macOS". With several hundred million package installations per year worldwide, it is practically the standard package manager on Apple's operating system. The details presented in the audit are therefore relevant to a large user base.

According to the security firm Trail of Bits, which conducted the audit independently on behalf of the Open Technology Fund, no critical vulnerabilities were discovered in Homebrew. Nevertheless, attackers could have loaded executable code in unexpected places and thus compromised the integrity of the system, which is normally protected by sandboxing techniques.

Security issues were also found in Homebrew's CI/CD process. These could have allowed attackers to covertly modify the binaries ("bottle builds") produced by Homebrew: not only could they trigger CI/CD workflows, they could also control their execution and exfiltrate sensitive information.

Most of these vulnerabilities have now been fixed, as the Homebrew team has communicated transparently. Interested users are encouraged to read the full Homebrew Security Assessment report, which is available as a PDF on GitHub.

Trail of Bits and the Homebrew team jointly point out that package managers by their nature obtain code from external sources, and that the difficulty of distinguishing expected from unexpected code execution carries an inherent security risk. Overall, however, Homebrew is considered a mature system, particularly because of how little human intervention the package lifecycle requires. If insiders or malicious maintainers undermine the integrity and isolation mechanisms of the CI/CD system, however, these measures may not provide sufficient protection.

(cwo)