Homebrew / brew

🍺 The missing package manager for macOS (or Linux)
https://brew.sh
BSD 2-Clause "Simplified" License

Going to report it - RyotaK (https://hackerone.com/ryotak) #11177

Closed mrbigbunbury closed 3 years ago

mrbigbunbury commented 3 years ago

brew config output

HOMEBREW_VERSION: 3.1.2
ORIGIN: https://github.com/Homebrew/brew
HEAD: bc9b98aa0ba777889218ac51f67ccc76b0be6a28
Last commit: 4 days ago
Core tap ORIGIN: https://github.com/Homebrew/homebrew-core
Core tap HEAD: d84c1f84e546933f0113fc5a67379290d340e66d
Core tap last commit: 32 minutes ago
Core tap branch: master
HOMEBREW_PREFIX: /usr/local
HOMEBREW_CASK_OPTS: []
HOMEBREW_MAKE_JOBS: 20
Homebrew Ruby: 2.6.3 => /System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/bin/ruby
CPU: 20-core 64-bit skylake
Clang: 12.0 build 1200
Git: 2.31.1 => /usr/local/bin/git
Curl: 7.64.1 => /usr/bin/curl
macOS: 11.2.3-x86_64
CLT: 12.4.0.0.1.1610135815
Xcode: 12.4

brew doctor output

Going to report it - RyotaK (https://hackerone.com/ryotak)
Please note that these warnings are just used to help the Homebrew maintainers
with debugging if you file an issue. If everything you use Homebrew for is
working fine: please don't worry or file an issue; just ignore this. Thanks!

Warning: Unbrewed dylibs were found in /usr/local/lib.
If you didn't put them there on purpose they could cause problems when
building Homebrew formulae, and may need to be deleted.

Unexpected dylibs:
  /usr/local/lib/libMoltenVK.dylib
  /usr/local/lib/libSPIRV-Tools-shared.dylib
  /usr/local/lib/libVkLayer_api_dump.dylib
  /usr/local/lib/libVkLayer_device_simulation.dylib
  /usr/local/lib/libVkLayer_khronos_synchronization2.dylib
  /usr/local/lib/libVkLayer_khronos_validation.dylib
  /usr/local/lib/libdxcompiler.3.7.dylib
  /usr/local/lib/libshaderc_shared.1.dylib
  /usr/local/lib/libspirv-cross-c-shared.0.45.0.dylib
  /usr/local/lib/libvulkan.1.2.170.dylib

Warning: Unbrewed header files were found in /usr/local/include.
If you didn't put them there on purpose they could cause problems when
building Homebrew formulae, and may need to be deleted.

Unexpected header files:
  /usr/local/include/glslang/HLSL/hlslAttributes.h
  /usr/local/include/glslang/HLSL/hlslGrammar.h
  /usr/local/include/glslang/HLSL/hlslOpMap.h
  /usr/local/include/glslang/HLSL/hlslParseHelper.h
  /usr/local/include/glslang/HLSL/hlslParseables.h
  /usr/local/include/glslang/HLSL/hlslScanContext.h
  /usr/local/include/glslang/HLSL/hlslTokenStream.h
  /usr/local/include/glslang/HLSL/hlslTokens.h
  /usr/local/include/glslang/Include/BaseTypes.h
  /usr/local/include/glslang/Include/Common.h
  /usr/local/include/glslang/Include/ConstantUnion.h
  /usr/local/include/glslang/Include/InfoSink.h
  /usr/local/include/glslang/Include/InitializeGlobals.h
  /usr/local/include/glslang/Include/PoolAlloc.h
  /usr/local/include/glslang/Include/ResourceLimits.h
  /usr/local/include/glslang/Include/ShHandle.h
  /usr/local/include/glslang/Include/Types.h
  /usr/local/include/glslang/Include/arrays.h
  /usr/local/include/glslang/Include/glslang_c_interface.h
  /usr/local/include/glslang/Include/glslang_c_shader_types.h
  /usr/local/include/glslang/Include/intermediate.h
  /usr/local/include/glslang/MachineIndependent/Initialize.h
  /usr/local/include/glslang/MachineIndependent/LiveTraverser.h
  /usr/local/include/glslang/MachineIndependent/ParseHelper.h
  /usr/local/include/glslang/MachineIndependent/RemoveTree.h
  /usr/local/include/glslang/MachineIndependent/Scan.h
  /usr/local/include/glslang/MachineIndependent/ScanContext.h
  /usr/local/include/glslang/MachineIndependent/SymbolTable.h
  /usr/local/include/glslang/MachineIndependent/Versions.h
  /usr/local/include/glslang/MachineIndependent/attribute.h
  /usr/local/include/glslang/MachineIndependent/gl_types.h
  /usr/local/include/glslang/MachineIndependent/glslang_tab.cpp.h
  /usr/local/include/glslang/MachineIndependent/iomapper.h
  /usr/local/include/glslang/MachineIndependent/localintermediate.h
  /usr/local/include/glslang/MachineIndependent/parseVersions.h
  /usr/local/include/glslang/MachineIndependent/preprocessor/PpContext.h
  /usr/local/include/glslang/MachineIndependent/preprocessor/PpTokens.h
  /usr/local/include/glslang/MachineIndependent/propagateNoContraction.h
  /usr/local/include/glslang/MachineIndependent/reflection.h
  /usr/local/include/glslang/Public/ShaderLang.h
  /usr/local/include/glslang/SPIRV/GLSL.ext.AMD.h
  /usr/local/include/glslang/SPIRV/GLSL.ext.EXT.h
  /usr/local/include/glslang/SPIRV/GLSL.ext.KHR.h
  /usr/local/include/glslang/SPIRV/GLSL.ext.NV.h
  /usr/local/include/glslang/SPIRV/GLSL.std.450.h
  /usr/local/include/glslang/SPIRV/GlslangToSpv.h
  /usr/local/include/glslang/SPIRV/Logger.h
  /usr/local/include/glslang/SPIRV/NonSemanticDebugPrintf.h
  /usr/local/include/glslang/SPIRV/SPVRemapper.h
  /usr/local/include/glslang/SPIRV/SpvBuilder.h
  /usr/local/include/glslang/SPIRV/SpvTools.h
  /usr/local/include/glslang/SPIRV/bitutils.h
  /usr/local/include/glslang/SPIRV/disassemble.h
  /usr/local/include/glslang/SPIRV/doc.h
  /usr/local/include/glslang/SPIRV/hex_float.h
  /usr/local/include/glslang/SPIRV/spvIR.h
  /usr/local/include/glslang/build_info.h
  /usr/local/include/shaderc/env.h
  /usr/local/include/shaderc/shaderc.h
  /usr/local/include/shaderc/status.h
  /usr/local/include/shaderc/visibility.h
  /usr/local/include/spirv-tools/libspirv.h
  /usr/local/include/spirv_cross/GLSL.std.450.h
  /usr/local/include/spirv_cross/spirv.h
  /usr/local/include/spirv_cross/spirv_cross_c.h
  /usr/local/include/vulkan/vk_enum_string_helper.h
  /usr/local/include/vulkan/vk_icd.h
  /usr/local/include/vulkan/vk_layer.h
  /usr/local/include/vulkan/vk_platform.h
  /usr/local/include/vulkan/vk_sdk_platform.h
  /usr/local/include/vulkan/vulkan.h
  /usr/local/include/vulkan/vulkan_android.h
  /usr/local/include/vulkan/vulkan_beta.h
  /usr/local/include/vulkan/vulkan_core.h
  /usr/local/include/vulkan/vulkan_directfb.h
  /usr/local/include/vulkan/vulkan_fuchsia.h
  /usr/local/include/vulkan/vulkan_ggp.h
  /usr/local/include/vulkan/vulkan_ios.h
  /usr/local/include/vulkan/vulkan_macos.h
  /usr/local/include/vulkan/vulkan_metal.h
  /usr/local/include/vulkan/vulkan_vi.h
  /usr/local/include/vulkan/vulkan_wayland.h
  /usr/local/include/vulkan/vulkan_win32.h
  /usr/local/include/vulkan/vulkan_xcb.h
  /usr/local/include/vulkan/vulkan_xlib.h
  /usr/local/include/vulkan/vulkan_xlib_xrandr.h

Warning: Unbrewed static libraries were found in /usr/local/lib.
If you didn't put them there on purpose they could cause problems when
building Homebrew formulae, and may need to be deleted.

Unexpected static libraries:
  /usr/local/lib/libGenericCodeGen.a
  /usr/local/lib/libHLSL.a
  /usr/local/lib/libMachineIndependent.a
  /usr/local/lib/libOGLCompiler.a
  /usr/local/lib/libOSDependent.a
  /usr/local/lib/libSPIRV-Tools-link.a
  /usr/local/lib/libSPIRV-Tools-opt.a
  /usr/local/lib/libSPIRV-Tools-reduce.a
  /usr/local/lib/libSPIRV-Tools.a
  /usr/local/lib/libSPIRV.a
  /usr/local/lib/libSPVRemapper.a
  /usr/local/lib/libglslang.a
  /usr/local/lib/libshaderc.a
  /usr/local/lib/libshaderc_combined.a
  /usr/local/lib/libshaderc_util.a
  /usr/local/lib/libspirv-cross-c.a
  /usr/local/lib/libspirv-cross-core.a
  /usr/local/lib/libspirv-cross-cpp.a
  /usr/local/lib/libspirv-cross-glsl.a
  /usr/local/lib/libspirv-cross-hlsl.a
  /usr/local/lib/libspirv-cross-msl.a
  /usr/local/lib/libspirv-cross-reflect.a
  /usr/local/lib/libspirv-cross-util.a

What were you trying to do (and why)?

Updating home-brew and packages via

brew update
brew outdated

What happened (include all command output)?

Strange output never seen before:

Going to report it - RyotaK (https://hackerone.com/ryotak)

from

brew outdated

and other home-brew commands, e.g. brew doctor (see doctor output above).

What did you expect to happen?

No strange output about reporting.

Step-by-step reproduction instructions (by running brew commands)

brew outdated

ShkurtiA commented 3 years ago

I was just about to report same thing

jleni commented 3 years ago

Related to this change:

https://github.com/Homebrew/homebrew-cask/commit/97ad5dda47f9a15aec5c397ef3b4192422bed1b3

Note: Testing something with approval from Homebrew staff

https://github.com/Homebrew/homebrew-cask/pull/104191

VERY unprofessional in my opinion....

I really like brew @MikeMcQuaid and I appreciate the effort you and other contributors have made, however, I think this should not have been "tested" in users in such a way..

Ry0taK commented 3 years ago

VERY unprofessional in my opinion....

Just to be clear, I asked Homebrew staff to add a cask to test it. However, they told me to use existing cask instead.

mrbigbunbury commented 3 years ago

So this is part of a security disclosure and I was the first to run into it and report it? - Wild.

After this the following is not a surprise, only confirmation of expected behavior:

Quantisan commented 3 years ago

To hotfix locally: Edit your local iterm2 formula to remove the first 3 lines added in this PR:

$ brew edit iterm2

And then do brew upgrade iterm2.

NikolausDemmel commented 3 years ago

To hotfix locally: Edit your local iterm2 formula to remove the first 3 lines added in this PR:

$ brew edit iterm2

And then do brew upgrade iterm2.

For brew search you get the output even if iterm2 isn't installed.

$ brew search foobar
Going to report it - RyotaK (https://hackerone.com/ryotak)
==> Casks
foobar2000

Editing the formula also fixes this.
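The two comments above make the security-relevant point: a cask file is Ruby, Homebrew evaluates it whenever it loads the tap (brew search reads every cask, installed or not), so any statement placed outside the cask block runs on every user's machine on the next brew update. The script below is an added example, not Homebrew's code and not posted by anyone in this thread. It uses Ruby's built-in parser (RubyVM::AbstractSyntaxTree, available from Ruby 2.6, the version brew config shows above) to list top-level statements in a cask file that are not the single `cask "..." do ... end` block, and to strip them as a local hotfix. The assumption that a clean cask file contains only comments and one cask block is mine, as are the function names and the sample cask, which is constructed to mimic the message shown in the thread and is not the real iterm2 cask or the real commit.

```ruby
# Added example (not Homebrew's own code): audit cask files in a tap for
# top-level Ruby outside the `cask "..." do ... end` block. Any such code runs
# whenever brew evaluates the file (brew search, brew outdated, brew doctor),
# whether or not the cask is installed.
#
# Assumption (mine): a legitimate cask file is comments + blank lines + exactly
# one top-level `cask` block. Code nested inside the DSL (preflight, postflight,
# etc.) is legitimate Ruby and still needs human review; this script does not
# inspect it.

# Top-level statement nodes of a Ruby source string. Raises SyntaxError on a
# file that Ruby itself could not load, which is itself a finding.
def top_level_statements(source)
  root = RubyVM::AbstractSyntaxTree.parse(source) # :SCOPE node
  body = root.children[2]                          # nil, one node, or :BLOCK
  return [] if body.nil?
  body.type == :BLOCK ? body.children : [body]
end

# True for `cask "name" do ... end`: a block (ITER) attached to a receiver-less
# call (FCALL) of the method :cask.
def cask_block?(node)
  return false unless node.type == :ITER
  call = node.children[0]
  call.type == :FCALL && call.children[0] == :cask
end

def suspicious_nodes(source)
  top_level_statements(source).reject { |n| cask_block?(n) }
end

# [[line_number, node_type], ...] for everything that would run on load but is
# not the cask block, e.g. [[2, :FCALL]] for a top-level `puts ...`.
def suspicious_statements(source)
  suspicious_nodes(source).map { |n| [n.first_lineno, n.type] }
end

# Local hotfix: return the source with the lines of every suspicious top-level
# statement removed (multi-line statements are removed whole).
def strip_top_level_code(source)
  drop = suspicious_nodes(source).flat_map { |n| (n.first_lineno..n.last_lineno).to_a }
  source.each_line.with_index(1).reject { |_, i| drop.include?(i) }.map(&:first).join
end

# Scan every cask in a tap checkout (e.g. the path printed by
# `brew --repo homebrew/cask`); returns { path => [[line, type], ...] } for
# files with findings. Files Ruby cannot parse are reported as :SYNTAX_ERROR.
def scan_tap(tap_dir)
  Dir.glob(File.join(tap_dir, "Casks", "**", "*.rb")).each_with_object({}) do |path, acc|
    begin
      hits = suspicious_statements(File.read(path))
    rescue SyntaxError
      hits = [[0, :SYNTAX_ERROR]]
    end
    acc[path] = hits unless hits.empty?
  end
end

# Constructed sample, NOT the real iterm2 cask: a top-level puts before the
# cask block, mimicking the message every brew command printed in this thread.
SAMPLE_CASK = <<~'CASK'
  # constructed sample cask for the audit example
  puts "Going to report it - RyotaK (https://hackerone.com/ryotak)"

  cask "example" do
    version "1.0"
    sha256 "0000000000000000000000000000000000000000000000000000000000000000"

    url "https://example.invalid/example-#{version}.zip"
    name "Example"
    homepage "https://example.invalid/"

    app "Example.app"

    zap trash: "~/Library/Preferences/com.example.plist"
  end
CASK

if __FILE__ == $PROGRAM_NAME
  dir = ARGV[0]
  if dir.nil?
    warn "usage: #{$PROGRAM_NAME} <tap checkout, e.g. $(brew --repo homebrew/cask)>"
    warn "sample findings: #{suspicious_statements(SAMPLE_CASK).inspect}"
  else
    scan_tap(dir).each { |path, hits| puts "#{path}: #{hits.inspect}" }
  end
end
```

Run it against the path from `brew --repo homebrew/cask` after a `brew update`; a clean tap prints nothing. The parser-based approach matters because a grep for `puts` misses `system`, backticks, `eval` and friends, while anything that is a top-level statement of any node type other than the cask block is flagged here.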

MikeMcQuaid commented 3 years ago

Fixed in https://github.com/Homebrew/homebrew-cask/pull/104197.

NikolausDemmel commented 3 years ago

Just to be clear, I asked Homebrew staff to add a cask to test it. However, they told me to use existing cask instead.

I guess even with a new cask it would have affected all users that happened to do brew update in this (small) time window, and then do brew search.

In any case. Thanks @Ry0taK for exposing this security issue and hopefully making Homebrew more secure in the future.

jleni commented 3 years ago

This is not the way responsible disclosure works. This could have been tested in a contained environment.

MikeMcQuaid commented 3 years ago

We have posted about this in https://brew.sh/2021/04/21/security-incident-disclosure/