Security News > 2021 > April > Critical RCE Bug Found in Homebrew Package Manager for macOS and Linux
A recently identified security vulnerability in the official Homebrew Cask repository could have been exploited by an attacker to execute arbitrary code on users' machines that have Homebrew installed.
The issue, which was reported to the maintainers on April 18 by a Japanese security researcher named RyotaK, stemmed from the way code changes in its GitHub repository were handled, resulting in a scenario where a malicious pull request - i.e., the proposed changes - could be automatically reviewed and approved.
Homebrew is a free and open-source software package manager solution that allows the installation of software on Apple's macOS operating system as well as Linux.
Homebrew Cask extends the functionality to include command-line workflows for GUI-based macOS applications, fonts, plugins, and other non-open source software.
"The discovered vulnerability would allow an attacker to inject arbitrary code into a cask and have it be merged automatically," Homebrew's Markus Reiter said.
In light of the findings, Homebrew has removed the "Automerge" GitHub Action as well as disabled and removed the "Review-cask-pr" GitHub Action from all vulnerable repositories.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/JgNcfCyhnCE/critical-rce-bug-found-in-homebrew.html
Related news
- CISA warns critical Geoserver GeoTools RCE flaw is exploited in attacks (source)
- Progress warns of critical RCE bug in Telerik Report Server (source)
- Critical ServiceNow RCE flaws actively exploited to steal credentials (source)
- Progress fixes critical RCE flaw in Telerik Report Server, upgrade ASAP! (CVE-2024-6327) (source)
- North Korea-Linked Malware Targets Developers on Windows, Linux, and macOS (source)
- Critical Apache OFBiz pre-auth RCE flaw fixed, update ASAP! (CVE-2024-38856) (source)
- Critical Progress WhatsUp RCE flaw now under active exploitation (source)
- 0.0.0.0 Day: 18-Year-Old Browser Vulnerability Impacts MacOS and Linux Devices (source)
- Cisco warns of critical RCE zero-days in end of life IP phones (source)
- SolarWinds fixes critical RCE bug affecting all Web Help Desk versions (source)