Homebrew

Homebrew had a security audit performed in 2023. This audit was funded by the Open Technology Fund and conducted by Trail of Bits. Trail of Bits’ report contained 25 items, of which 16 were fixed, 3 are in progress, and 6 are acknowledged by Homebrew’s maintainers. Below is the scope of testing, findings by severity, and mitigation and acknowledgements.

You can read Trail of Bits’ blog post on the audit here and find the full public report here.

Homebrew’s maintainers and Project Leadership Commitee would like to thank Open Technology Fund and Trail of Bits for sponsoring and running this engagement. Our partnership directly improves the security of Homebrew and open source software in general.

Scope: Homebrew/brew, Homebrew/actions, Homebrew/formulae.brew.sh, Homebrew/homebrew-test-bot.

Findings by severity:

• High: 0
• Medium: 14
• Low: 2
• Informational: 7
• Undetermined: 2

Mitigation & acknowledgement:

1. Path traversal during file caching
   • Status: Fixed
2. Sandbox escape via string injection
   • Status: Fixed
3. Allow default rule in sandbox configuration is overly permissive
   • Status: Fixed
4. Special characters are allowed in package names and versions
   • Status: Acknowledged
5. Use of weak cryptographic digest in Formulary namespaces
   • Status: Fixed
6. Extraction is not sandboxed
   • Status: Acknowledged
7. Use of ldd on untrusted inputs
   • Status: Fixed
8. Formulas allow for external resources to be downloaded during the install step
   • Status: In Progress
9. Use of Marshal
   • Status: Fixed
10. Lack of sandboxing on Linux
    • Status: Acknowledged
11. Sandbox escape through domain socket pivot on macOS
    • Status: In Progress
12. Formula privilege escalation through sudo
    • Status: Fixed
13. Formula loading through SFTP, SCP, and other protocols
    • Status: Fixed
14. Sandbox allows changing permissions for important directories
    • Status: Fixed
15. Homebrew supports only end-of-life versions of Ruby
    • Status: Fixed
16. Path traversal during bottling
    • Status: Fixed
17. FileUtils.rm_rf does not check if files are deleted
    • Status: In Progress
18. Use of pull_request_target in GitHub Actions workflows
    • Status: Fixed: 1, 2.
19. Use of unpinned third-party workflow
    • Status: Fixed across the codebase via multiple PR’s.
20. Unpinned dependencies in formulae.brew.sh
    • Status: Fixed
21. Use of RSA for JSON API signing
    • Status: Acknowledged. Ed25519 was not an option when this was introduced. The next key reroll will use Ed25519.
22. Bottles beginning “-“ can lead to unintended options getting passed to rm
    • Status: Fixed
23. Code injection through inputs in multiple actions
    • Status: Fixed across the codebase via multiple PR’s.
24. Use of PGP for commit signing
    • Status: Acknowledged. Plans to remove the bot account using PGP have been established.
25. Unnecessary domain separation between signing key and key ID
    • Status: Acknowledged. Will be resolved with the next key reroll.