About
Homebrew is a package manager—a tool that manages the installation of programs, libraries, servers, and other system software. It was written for use with Mac and Linux systems and is especially popular with Ruby on Rails developers.
Audit Description
Through OTF’s Security Lab, Trail of Bits performed a “whitebox” audit (a form of testing in which auditors have complete knowledge of the item being tested) of Homebrew during August of 2023, with full access to source code and documentation. Auditors performed static and dynamic testing using automated and manual processes.
Scope
The code review included the core Homebrew package manager, the functions that automate builds, and its newly released JSON API for formulas. Due to the time-boxed nature of testing work, the audit did not include a full evaluation of the Homebrew test suite, the status of all dependencies, or the completeness of logging information.
Findings & Remediation
The auditors identified 14 security issues in Homebrew that they categorized as “Medium” severity, and 11 more issues categorized as “Low,” “Undetermined,” or “Informational.”
Multiple issues involved allowing an attacker to escape the build “sandbox” (a virtual environment that’s isolated from live networks, systems, and programs), and to compromise the Continuous Integration (CI)/Continuous Delivery (CD) workflow—CI/CD is a set of practices that help software development teams deliver code changes more frequently and reliably. Auditors also found that Homebrew’s threat model is often unclear and relies heavily on manual review.
The Homebrew team is currently addressing these issues and has already fixed many of them.