MacPorts: Remote Code Execution · Advisory · google/security-research · GitHub

A vulnerability in MacPorts allows arbitrary commands to be executed on a client machine when it updates ports from a malicious or compromised mirror. The issue arises from how MacPorts validates signatures and handles Portfile extraction, which can let an attacker inject malicious code into the update. The severity is rated moderate; a proof of concept demonstrates the creation of a file on the client's machine using a modified rsync server.
