Closed (mrbigbunbury closed this issue 3 years ago)
I was just about to report the same thing.
Related to this change:
https://github.com/Homebrew/homebrew-cask/commit/97ad5dda47f9a15aec5c397ef3b4192422bed1b3
Note: Testing something with approval from Homebrew staff
https://github.com/Homebrew/homebrew-cask/pull/104191
VERY unprofessional in my opinion....
I really like brew @MikeMcQuaid and I appreciate the effort you and other contributors have made; however, I think this should not have been "tested" on users in such a way.
Just to be clear, I asked Homebrew staff to add a cask to test it. However, they told me to use an existing cask instead.
So this is part of a security disclosure and I was the first to run into it and report it? - Wild.
After this, the following is not a surprise, only confirmation of expected behavior:
brew uninstall iterm2 --cask
To hotfix locally: edit your local iterm2 formula with brew edit iterm2 to remove the first 3 lines added in this PR, and then do brew upgrade iterm2.
For brew search you get the output even if iterm2 isn't installed:
$ brew search foobar
Going to report it - RyotaK (https://hackerone.com/ryotak)
==> Casks
foobar2000
Editing the formula also fixes this.
I guess even with a new cask it would have affected all users that happened to do brew update in this (small) time window, and then do brew search.
In any case, thanks @Ry0taK for exposing this security issue and hopefully making Homebrew more secure in the future.
This is not the way responsible disclosure works. This could have been tested in a contained environment.
We have posted about this in https://brew.sh/2021/04/21/security-incident-disclosure/
brew config output
brew doctor output
Ran brew update and am still able to reproduce my issue.
Ran brew doctor and that did not fix my problem.
What were you trying to do (and why)?
Updating Homebrew and packages via brew update and brew outdated.
What happened (include all command output)?
Strange output never seen before:
Going to report it - RyotaK (https://hackerone.com/ryotak)
from brew outdated and other Homebrew commands, e.g. brew doctor (see doctor output above).
What did you expect to happen?
No strange output about reporting.
Step-by-step reproduction instructions (by running brew commands)