Steve BellovinMar 29, 2024
If you use Homebrew on MacOS, you're affected—do 'brew update' and 'brew upgrade’.
https://infosec.exchange/@wdormann/112179988525798247
Will Dormann (@[email protected])

Just a backdoor in XZ. Nothing important. https://www.openwall.com/lists/oss-security/2024/03/29/4

Infosec Exchange
Show threadseachangedMar 30, 2024

@SteveBellovin

xz --version

to see if you have 5.6.0 or 5.6.1 installed

brew deps --tree --installed

.. to show who uses it, what you have to remove to get rid of it. In my case, it was:

brew remove curl
brew remove zstd

and then

brew uninstall --force xz

Show threadVessOnSecurity

@seachanged @SteveBellovin
Assuming that `xz` is potentially malicious and untrustworthy, running it ("xz --version") is probably not the best of ideas...

I'd recommend using strings/grep on it instead.

Mar 30, 2024 at 12:24pmWeb
Show threadSteve BellovinMar 30, 2024
@bontchev @seachanged If you use Brew, ‘brew info xz’ will tell you what version is installed.
Show threadVessOnSecurityMar 30, 2024

@SteveBellovin @seachanged
Unfortunately, I don't use MacOS.

I tried to do something like this with apt but it doesn't work, because there is no "xz" package. Instead, there is a "xz-utils" package and a "liblzma5" package containing the library that xz uses.

Also, for some reason xz installed here both in /bin and in /usr/bin, so one would probably need to use something like "type -a xz" to find all the instances and then grep them.

Show threadseachangedMar 30, 2024

@bontchev @SteveBellovin

Yes, defintely better to not run the affected component!
Fortunately, macos on m3.