Homebrew had a security audit performed in 2023. This audit was funded by the Open Technology Fund and conducted by Trail of Bits. Trail of Bits’ report contained 25 items, of which 16 were fixed, 3 are in progress, and 6 are acknowledged by Homebrew’s maintainers. Below is the scope of testing, findings by severity, and mitigation and acknowledgements.
You can read Trail of Bits’ blog post on the audit here and find the full public report here.
Homebrew’s maintainers and Project Leadership Commitee would like to thank Open Technology Fund and Trail of Bits for sponsoring and running this engagement. Our partnership directly improves the security of Homebrew and open source software in general.
Scope: Homebrew/brew, Homebrew/actions, Homebrew/formulae.brew.sh, Homebrew/homebrew-test-bot.
Findings by severity:
- High: 0
- Medium: 14
- Low: 2
- Informational: 7
- Undetermined: 2
Mitigation & acknowledgement:
- Path traversal during file caching
- Status: Fixed
- Sandbox escape via string injection
- Status: Fixed
- Allow default rule in sandbox configuration is overly permissive
- Status: Fixed
- Special characters are allowed in package names and versions
- Status: Acknowledged
- Use of weak cryptographic digest in Formulary namespaces
- Status: Fixed
- Extraction is not sandboxed
- Status: Acknowledged
- Use of ldd on untrusted inputs
- Status: Fixed
- Formulas allow for external resources to be downloaded during the install step
- Status: In Progress
- Use of Marshal
- Status: Fixed
- Lack of sandboxing on Linux
- Status: Acknowledged
- Sandbox escape through domain socket pivot on macOS
- Status: In Progress
- Formula privilege escalation through sudo
- Status: Fixed
- Formula loading through SFTP, SCP, and other protocols
- Status: Fixed
- Sandbox allows changing permissions for important directories
- Status: Fixed
- Homebrew supports only end-of-life versions of Ruby
- Status: Fixed
- Path traversal during bottling
- Status: Fixed
- FileUtils.rm_rf does not check if files are deleted
- Status: In Progress
- Use of pull_request_target in GitHub Actions workflows
- Use of unpinned third-party workflow
- Status: Fixed across the codebase via multiple PR’s.
- Unpinned dependencies in formulae.brew.sh
- Status: Fixed
- Use of RSA for JSON API signing
- Status: Acknowledged. Ed25519 was not an option when this was introduced. The next key reroll will use Ed25519.
- Bottles beginning “-“ can lead to unintended options getting passed to rm
- Status: Fixed
- Code injection through inputs in multiple actions
- Status: Fixed across the codebase via multiple PR’s.
- Use of PGP for commit signing
- Status: Acknowledged. Plans to remove the bot account using PGP have been established.
- Unnecessary domain separation between signing key and key ID
- Status: Acknowledged. Will be resolved with the next key reroll.