Security News > 2021 > April > Homebrew fixes Cask repo GitHub Actions bug that would have let anyone sneak malicious code onto machines

The Homebrew package manager for macOS and Linux has fixed an issue that could have been exploited by miscreants to run malicious code on people's computers.

Specifically, the project's GitHub Actions setup could have been abused to sneak arbitrary Ruby code into its Cask repositories, security researcher RyotaK discovered and disclosed via HackerOne.

The infosec bod found it was possible to merge a "Malicious pull request by confusing the library that is used in the automated pull request review script developed by the Homebrew project. By abusing it, an attacker could execute arbitrary Ruby codes on users' machines."

"The vulnerable review-cask-pr GitHub Action has been disabled and removed from all repositories," the project's Markus Reiter said in an advisory this week.

A lesson to be learned for anyone writing and deploying GitHub Actions scripts.

Firefox 88 is out and within the code is a fix for an HTTPS spoofing flaw.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/04/26/in_brief_security/