A security audit of the Homebrew package manager, widely used by developers on macOS and also available on Linux, found 25 specific issues (most of which are now fixed) as well as concluding that “Homebrew’s threat model is often unclear and relies heavily on manual review.”
The audit was commissioned by the Open Technology Fund, an organization funded mainly by the US government with goals including supporting FOSS (free and open source software). The audit was carried out by Trail of Bits, a security research company, and done in cooperation with the Homebrew project.
The report found “multiple issues allowing an attacker to escape the build sandbox” as well as “other issues allowing an attacker to compromise the CI/CD workflow,” meaning the continuous integration/continuous delivery workflow by which packages are added or updated in the package repository.
The 25 issues, listed in the Homebrew blog, do not include any high-severity flaws. Homebrew maintainer and security manager Patrick Linnane reports that 16 are fixed, 3 are in progress, and 6 more informational items are “acknowledged by Homebrew’s maintainers.”
While that sounds reassuring, there is still cause for concern. In particular, Trail of Bits evaluated the Homebrew codebase and found it weak in authentication and access controls, configuration, and data handling. Unit tests cover only around two-thirds of the Homebrew codebase. The project is maintained on GitHub and several of the issues show that GitHub best practices are not followed.
“Our report concludes that Homebrew’s CI/CD, while mature and effective at reducing the number of human touch-points in Homebrew’s package lifecycle, is complex and relies on misuse-prone patterns common in GitHub Actions workflows (such as dangerous workflow triggers and mixing of configuration, code, and data via template expansion),” said engineering director William Woodruff.
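The two GitHub Actions patterns named in that quote are general ones, not specific to Homebrew. The following is an added illustration (written for this article, not taken from the audit report or from Homebrew’s own workflows) of what “dangerous workflow triggers” and “mixing of configuration, code, and data via template expansion” look like in a workflow file, with a hardened form beside it. The workflow names, job names and labels are made up for the example.

```yaml
# Added illustrative example; not from the Trail of Bits report or Homebrew's repositories.
#
# Document 1: the misuse-prone shape.
#  - pull_request_target runs in the context of the base repository, so the job
#    receives a write-capable GITHUB_TOKEN and repository secrets even when the
#    pull request comes from a fork (the "dangerous trigger").
#  - permissions: write-all hands that token every scope it can have.
#  - The ${{ ... }} expression inside `run:` is expanded *before* the shell
#    starts, so untrusted data (the PR title) is spliced into the script as code
#    rather than passed to it as data (the "template expansion" mixing).
name: triage-unsafe
on:
  pull_request_target:
    types: [opened]
permissions: write-all
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - run: echo "New PR: ${{ github.event.pull_request.title }}"
---
# Document 2: the hardened shape.
#  - pull_request (not _target) runs with a read-only token for fork PRs.
#  - permissions is an explicit least-privilege list instead of write-all.
#  - The untrusted value is bound to an environment variable, so the shell
#    receives it as data; the `run:` script itself contains no expansion.
#  - The value is quoted when used, so whitespace and metacharacters stay inert.
name: triage-safe
on:
  pull_request:
    types: [opened]
permissions:
  contents: read
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: printf 'New PR: %s\n' "$PR_TITLE"
```

The defender-side checks that follow from this are simple to automate: flag any workflow using `pull_request_target`, `workflow_run` or `issue_comment` triggers that also checks out or executes pull-request content; flag `permissions: write-all` or a missing `permissions:` block at the top level; and flag any `${{ github.event.* }}` expression appearing directly inside a `run:` step rather than in `env:`. Each of those is a textual pattern that a linter can catch in review before a workflow ever runs.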
The report also stated that the Homebrew security model should be documented, so that developers “better understand the risks associated with using the software.”
A 2022 security audit by Mozilla similarly found that while Homebrew has a “well-thought-out trust model and transparent processes,” it is “vulnerable to compromise of the repository hosted on GitHub.”
Homebrew was created by Max Howell and first released in 2009; the project leader today is Mike McQuaid, who said in February that the software has 30 million users. The problem it addresses is that macOS has no built-in package manager, unless you count the App Store, which is gated by Apple and lacks many of the utilities and libraries that developers need.
The result is that Homebrew, or something like it such as MacPorts, is a near-necessity for developing software on macOS.
The software is free and maintained by a relatively small team. Could Apple itself contribute more? “The amount of value returned to the Apple ecosystem through brew is remarkable and while this post makes me even more in awe of the care that goes towards the community, I’m sad that one of the richest companies in the world isn’t giving more back,” remarked one developer, commenting on the report.