If you use Homebrew on macOS, you're affected—do 'brew update' and 'brew upgrade'.
https://infosec.exchange/@wdormann/112179988525798247
Will Dormann (@[email protected])

Just a backdoor in XZ. Nothing important. https://www.openwall.com/lists/oss-security/2024/03/29/4

@SteveBellovin Same for MacPorts: port sync && port upgrade outdated
@SteveBellovin Note: It may take 30 minutes for the MacPorts rsync server to have the updated PortIndex. Not an issue if you are synchronizing via git.

@schamschula @SteveBellovin

So glad someone asked the macports question.

Why (oh why) am I getting notice of vulnerability via mastodon and not supreme leader nasa IT.

(Probably my computer inexplicably just won’t work come Monday.)

@SteveBellovin Must be a lot of people doing that now because it is slow.

@SteveBellovin The openwall post describing the xz backdoor (https://www.openwall.com/lists/oss-security/2024/03/29/4) says it decides to modify the build process to inject the code, with conditions including:

  • targeting only x86-64 linux
  • running as part of a debian or RPM package build

@ozdreaming This was my understanding as well.
- Linux
- x86_64
- Compiled with GCC/GNU LD (IIRC all the homebrew stuff uses Clang?)
- Implied Glibc (due to IFUNC usage)
- Built from tarballs for deb or RPM

But I suppose it doesn't hurt to just avoid using code with potential backdoors in it 🙂

@ozdreaming @SteveBellovin Yeah, it seems unlikely to be an issue on macOS (the thing they’ve found targets sshd specifically, and macOS’s sshd won’t use Homebrew’s xz), but…on principle, and with things still unknown…
@SteveBellovin The current version in brew is 5.4.6 on my M1 system. I'm sure there will be an upgrade soon.
@mvilain @SteveBellovin 5.4.6 is the version it downgrades to from 5.6.1, so you are likely up to date. as @jrose said, macos/M1 are not believed to be affected but better safe than sorry!
@SteveBellovin Thank you for that helpful translation
@SteveBellovin I've wondered this for a long time, always assumed it was a dumb question, but I might as well ask it anyway: why do or should we trust Homebrew in the first place?
@SteveBellovin homebrew has some soldered version of xz or uses the one I see in the console under `xz --version`?

@SteveBellovin

xz --version

to see if you have 5.6.0 or 5.6.1 installed

brew deps --tree --installed

.. to show who uses it, what you have to remove to get rid of it. In my case, it was:

brew remove curl
brew remove zstd

and then

brew uninstall --force xz

@seachanged @SteveBellovin
Assuming that `xz` is potentially malicious and untrustworthy, running it ("xz --version") is probably not the best of ideas...

I'd recommend using strings/grep on it instead.

@bontchev @seachanged If you use Brew, ‘brew info xz’ will tell you what version is installed.

@SteveBellovin @seachanged
Unfortunately, I don't use macOS.

I tried to do something like this with apt but it doesn't work, because there is no "xz" package. Instead, there is a "xz-utils" package and a "liblzma5" package containing the library that xz uses.

Also, for some reason xz installed here both in /bin and in /usr/bin, so one would probably need to use something like "type -a xz" to find all the instances and then grep them.
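The two suggestions above (inspect the binary with strings/grep instead of running `xz --version`, and use `type -a xz` to find every installed copy) combined into one script, as an added example that is not from anyone in this thread. It assumes that an xz release binary embeds the literal "(XZ Utils) <version>" text from its --version output; the `brew` and `dpkg-query` calls are only attempted when those tools exist.

```shell
#!/bin/sh
# Added example (not from the thread): check installed xz copies without
# executing any of them. Assumption: the binary contains the literal string
# "(XZ Utils) <version>" that xz prints for --version.

# Print every executable named xz on PATH, one per line; this is the same set
# "type -a xz" reports, but it never runs any of the candidates.
find_xz_copies() {
    old_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        [ -n "$dir" ] && [ -f "$dir/xz" ] && [ -x "$dir/xz" ] && printf '%s\n' "$dir/xz"
    done
    IFS=$old_ifs
    return 0
}

# Extract the version by pattern-matching the file's bytes only (grep -a
# treats a binary as text). Prints e.g. "5.6.1", or nothing if not found.
xz_version_from_file() {
    grep -a -o -E '\(XZ Utils\) [0-9]+\.[0-9]+\.[0-9]+' "$1" 2>/dev/null \
        | head -n 1 | sed -E 's/.*\) //'
    return 0
}

# The two releases named in the thread as carrying the backdoor.
is_backdoored_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Ask the package manager, which is metadata and does not execute xz either.
package_manager_versions() {
    if command -v brew >/dev/null 2>&1; then
        brew info xz 2>/dev/null | head -n 1
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        # On Debian/Ubuntu the library and the CLI are separate packages.
        dpkg-query -W -f='${Package} ${Version}\n' liblzma5 xz-utils 2>/dev/null
    fi
    return 0
}

main() {
    for f in $(find_xz_copies); do
        v=$(xz_version_from_file "$f")
        if [ -z "$v" ]; then
            printf '%s: no XZ Utils version string found\n' "$f"
        elif is_backdoored_version "$v"; then
            printf 'WARNING: %s is xz %s (affected release)\n' "$f" "$v"
        else
            printf '%s: xz %s\n' "$f" "$v"
        fi
    done
    package_manager_versions
    return 0
}

main
```

Run it as a plain shell script; it only reads files and package metadata. A copy that reports "no XZ Utils version string found" is not cleared by this check, only unrecognised, so fall back to the package manager's record for it.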

@bontchev @SteveBellovin

Yes, definitely better to not run the affected component!
Fortunately, macOS on M3.

Clemens (@[email protected])

@cy @3f @isotopp the exploit didn't target macOS, so while homebrew and macports did roll back, they were not affected by the discovered backdoor.

@neverpanic @seachanged At this point, I frankly don’t trust any version of xz from after this guy became the maintainer…