xz backdoored, if you use homebrew upgrade immediately

Maarten

Ars Tribunus Militum
1,830
Subscriptor++
In this Linux Kung Fu thread there is a report for this, but this applies to the Mac as well if you use homebrew. Please run brew update; brew upgrade immediately if you have homebrew installed. This will downgrade the xz and the lzma library to a version that is not backdoored.

If you have other package managers, please add below what action you took. As far as I know there is no xz tool installed by default on macOS.
 

kenada

Ars Legatus Legionis
17,281
Subscriptor
The exploit doesn’t work on macOS (as far as it’s known). It relies on Linux and glibc-specific functionality to replace functions called by openssh, it only supports x86_64, and it also only injects the backdoor when it detects that it’s building for certain Linux distributions.

If you have other package managers, please add below what action you took. As far as I know there is no xz tool installed by default on macOS.
For those using nixpkgs on Darwin: nixpkgs 23.11 is not affected; nixpkgs unstable has the vulnerable version, but it’s unlikely that the exploit works because nixpkgs does not link openssh to liblzma (even indirectly), and the exploit’s path checks for sshd fail because it’s in the store not at the usual path. Also, Darwin. Regardless, xz was reverted to 5.4.6 earlier today. It should show up in unstable after the current staging-next cycle completes (probably in a week or two since the reversion caused mass rebuilds).

https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405
If you have other package managers, please add below what action you took. As far as I know there is no xz tool installed by default on macOS.
Apple ships liblzma but not xz. I dumped the dyld cache on macOS 14.4.1 and grepped for version strings. I get 5.4.3.
 

MrFry

Smack-Fu Master, in training
1
brew uninstall --zap "xz"
Error: Refusing to uninstall /opt/homebrew/Cellar/xz/5.4.6 because it is required by aom, borgbackup, curl, ffmpeg, gallery-dl, gcc, gdk-pixbuf, ghostscript, glib, glib-networking, gobject-introspection, gsettings-desktop-schemas, harfbuzz, imagemagick, jpeg-xl, leptonica, libarchive, libheif, libmediainfo, libraw, librsvg, libtiff, little-cms2, mat2, media-info, megatools, numpy, openblas, openjpeg, openvino, poppler, pygobject3, python@3.12, rsync, tesseract, webp, yt-dlp and zstd, which are currently installed.
You can override this and force removal with:
brew uninstall --ignore-dependencies xz

I use lots of tools that depend on "xz".
Am I really not affected as a macOS user with Linux servers?
 

dal20402

Ars Tribunus Angusticlavius
7,341
Subscriptor++
Using MacPorts on my AS machine because it gives me a more or less usable AS version of qgis3.

Just did a port upgrade outdated and, after running it, found that the active version of xz was 5.4.6. Maybe I just failed to update during the right time period, but it doesn't appear that MacPorts ever installed 5.6.0 or 5.6.1 on my system.
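A small version checker for the question every post in this thread is asking, added here as an example and not code from any of the posters: it pulls the installed version out of the output of `xz --version`, `brew list --versions xz` and `port installed xz`, and flags the two releases named in the linked CVE (5.6.0 and 5.6.1). The output formats are assumed from those tools, and each live check only runs when that tool is present on the machine.

```shell
#!/bin/sh
# Added example: classify an installed xz/liblzma version against the two
# backdoored releases named in CVE-2024-3094 (5.6.0 and 5.6.1).

# Returns 0 (true) if the version string is one of the known-bad releases.
is_backdoored_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# First line of `xz --version` is assumed to look like "xz (XZ Utils) 5.4.6".
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# `brew list --versions xz` is assumed to print "xz 5.4.6".
brew_version_from_output() {
    printf '%s\n' "$1" | awk '$1 == "xz" { print $2; exit }'
}

# `port installed xz` is assumed to print "  xz @5.4.6_0 (active)" for the
# active port; strip the "@" prefix and the "_N" revision suffix.
port_version_from_output() {
    printf '%s\n' "$1" |
        awk '/\(active\)/ { sub(/^@/, "", $2); sub(/_.*/, "", $2); print $2; exit }'
}

# Print one line per source: "<label>: BACKDOORED <ver>", "ok <ver>" or "absent".
report() {
    if [ -z "$2" ]; then
        printf '%s: absent\n' "$1"
    elif is_backdoored_version "$2"; then
        printf '%s: BACKDOORED %s\n' "$1" "$2"
    else
        printf '%s: ok %s\n' "$1" "$2"
    fi
}

# Live checks; each is skipped when the tool is not installed here.
main() {
    command -v xz >/dev/null 2>&1 &&
        report "xz --version" "$(xz_version_from_output "$(xz --version 2>/dev/null)")"
    command -v brew >/dev/null 2>&1 &&
        report "homebrew" "$(brew_version_from_output "$(brew list --versions xz 2>/dev/null)")"
    command -v port >/dev/null 2>&1 &&
        report "macports" "$(port_version_from_output "$(port installed xz 2>/dev/null)")"
    return 0
}

main
```

Note that a clean version number only tells you the package manager's copy is fine; as kenada points out, the separate question is whether sshd on the host is linked against that liblzma at all.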