brew install xz installs the outdated version 5.4.6 instead of 5.6.1

[atncsj6h]

Output of brew config

HOMEBREW_VERSION: 4.2.15
ORIGIN: https://github.com/Homebrew/brew
HEAD: 92a4311868322188478d7a90511ec0e8e6b0d7df
Last commit: 5 days ago
Core tap JSON: 29 Mar 18:18 UTC
Core cask tap JSON: 29 Mar 18:18 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_MAKE_JOBS: 12
Homebrew Ruby: 3.1.4 => /opt/homebrew/Library/Homebrew/vendor/portable-ruby/3.1.4/bin/ruby
CPU: dodeca-core 64-bit arm_lobos
Clang: 15.0.0 build 1500
Git: 2.39.3 => /Applications/Xcode.app/Contents/Developer/usr/bin/git
Curl: 8.4.0 => /usr/bin/curl
macOS: 14.4.1-arm64
CLT: 15.3.0.0.1.1708646388
Xcode: 15.3
Rosetta 2: false

Output of brew doctor

brew doctor
Please note that these warnings are just used to help the Homebrew maintainers
with debugging if you file an issue. If everything you use Homebrew for is
working fine: please don't worry or file an issue; just ignore this. Thanks!

Warning: Unbrewed dylibs were found in /usr/local/lib.
If you didn't put them there on purpose they could cause problems when
building Homebrew formulae, and may need to be deleted.

Unexpected dylibs:
  /usr/local/lib/libgmp.10.dylib
  /usr/local/lib/liblz4.1.9.4.dylib
  /usr/local/lib/liblzma.5.dylib
  /usr/local/lib/libmpfr.6.dylib
  /usr/local/lib/libzstd.1.5.5.dylib

Warning: Unbrewed header files were found in /usr/local/include.
If you didn't put them there on purpose they could cause problems when
building Homebrew formulae, and may need to be deleted.

Unexpected header files:
  /usr/local/include/bash/alias.h
  /usr/local/include/bash/array.h
  /usr/local/include/bash/arrayfunc.h
  /usr/local/include/bash/assoc.h
  /usr/local/include/bash/bashansi.h
  /usr/local/include/bash/bashintl.h
  /usr/local/include/bash/bashjmp.h
  /usr/local/include/bash/bashtypes.h
  /usr/local/include/bash/builtins.h
  /usr/local/include/bash/builtins/bashgetopt.h
  /usr/local/include/bash/builtins/builtext.h
  /usr/local/include/bash/builtins/common.h
  /usr/local/include/bash/builtins/getopt.h
  /usr/local/include/bash/command.h
  /usr/local/include/bash/config-bot.h
  /usr/local/include/bash/config-top.h
  /usr/local/include/bash/config.h
  /usr/local/include/bash/conftypes.h
  /usr/local/include/bash/dispose_cmd.h
  /usr/local/include/bash/error.h
  /usr/local/include/bash/execute_cmd.h
  /usr/local/include/bash/externs.h
  /usr/local/include/bash/general.h
  /usr/local/include/bash/hashlib.h
  /usr/local/include/bash/include/ansi_stdlib.h
  /usr/local/include/bash/include/chartypes.h
  /usr/local/include/bash/include/filecntl.h
  /usr/local/include/bash/include/gettext.h
  /usr/local/include/bash/include/maxpath.h
  /usr/local/include/bash/include/memalloc.h
  /usr/local/include/bash/include/ocache.h
  /usr/local/include/bash/include/posixdir.h
  /usr/local/include/bash/include/posixjmp.h
  /usr/local/include/bash/include/posixstat.h
  /usr/local/include/bash/include/posixtime.h
  /usr/local/include/bash/include/posixwait.h
  /usr/local/include/bash/include/shmbchar.h
  /usr/local/include/bash/include/shmbutil.h
  /usr/local/include/bash/include/shtty.h
  /usr/local/include/bash/include/stat-time.h
  /usr/local/include/bash/include/stdc.h
  /usr/local/include/bash/include/systimes.h
  /usr/local/include/bash/include/typemax.h
  /usr/local/include/bash/include/unionwait.h
  /usr/local/include/bash/jobs.h
  /usr/local/include/bash/make_cmd.h
  /usr/local/include/bash/pathnames.h
  /usr/local/include/bash/quit.h
  /usr/local/include/bash/shell.h
  /usr/local/include/bash/sig.h
  /usr/local/include/bash/siglist.h
  /usr/local/include/bash/signames.h
  /usr/local/include/bash/subst.h
  /usr/local/include/bash/syntax.h
  /usr/local/include/bash/unwind_prot.h
  /usr/local/include/bash/variables.h
  /usr/local/include/bash/version.h
  /usr/local/include/bash/xmalloc.h
  /usr/local/include/bash/y.tab.h
  /usr/local/include/gmp.h
  /usr/local/include/gnumake.h
  /usr/local/include/lz4.h
  /usr/local/include/lz4frame.h
  /usr/local/include/lz4frame_static.h
  /usr/local/include/lz4hc.h
  /usr/local/include/lzma.h
  /usr/local/include/lzma/base.h
  /usr/local/include/lzma/bcj.h
  /usr/local/include/lzma/block.h
  /usr/local/include/lzma/check.h
  /usr/local/include/lzma/container.h
  /usr/local/include/lzma/delta.h
  /usr/local/include/lzma/filter.h
  /usr/local/include/lzma/hardware.h
  /usr/local/include/lzma/index.h
  /usr/local/include/lzma/index_hash.h
  /usr/local/include/lzma/lzma12.h
  /usr/local/include/lzma/stream_flags.h
  /usr/local/include/lzma/version.h
  /usr/local/include/lzma/vli.h
  /usr/local/include/mpf2mpfr.h
  /usr/local/include/mpfr.h
  /usr/local/include/zdict.h
  /usr/local/include/zstd.h
  /usr/local/include/zstd_errors.h

Warning: Unbrewed '.la' files were found in /usr/local/lib.
If you didn't put them there on purpose they could cause problems when
building Homebrew formulae, and may need to be deleted.

Unexpected '.la' files:
  /usr/local/lib/libgmp.la
  /usr/local/lib/liblzma.la
  /usr/local/lib/libmpfr.la

Warning: Unbrewed '.pc' files were found in /usr/local/lib/pkgconfig.
If you didn't put them there on purpose they could cause problems when
building Homebrew formulae, and may need to be deleted.

Unexpected '.pc' files:
  /usr/local/lib/pkgconfig/bash.pc
  /usr/local/lib/pkgconfig/gmp.pc
  /usr/local/lib/pkgconfig/liblz4.pc
  /usr/local/lib/pkgconfig/liblzma.pc
  /usr/local/lib/pkgconfig/libzstd.pc
  /usr/local/lib/pkgconfig/mpfr.pc

Warning: Unbrewed static libraries were found in /usr/local/lib.
If you didn't put them there on purpose they could cause problems when
building Homebrew formulae, and may need to be deleted.

Unexpected static libraries:
  /usr/local/lib/libgmp.a
  /usr/local/lib/liblz4.a
  /usr/local/lib/liblzma.a
  /usr/local/lib/libmpfr.a
  /usr/local/lib/liby.a
  /usr/local/lib/libzstd.a

Description of issue

until 2 hours ago before an update/upgrade
brew info xz was reporting
xz: stable 5.6.1 (bottled)

after a
brew update
the brew upgrade reported
upgrading from 5.6.1 to 5.4.1

and as expected
brew info xz
is reporting
xz: stable 5.4.6 (bottled)

ls -l ~/Library/caches/homebrew has both versions

lrwxr-xr-x 1 enrico staff 112B Mar 29 19:24 xz--5.4.6
lrwxr-xr-x 1 enrico staff 112B Mar 10 10:19 xz--5.6.1

uninstalled homebrew
reinstalled everyting from scratch
brew install xz installs the outdated version

[Bo98]

This is intentional as 5.6.x is untrusted: https://www.bleepingcomputer.com/news/security/red-hat-warns-of-backdoor-in-xz-tools-used-by-most-linux-distros/ (see https://www.openwall.com/lists/oss-security/2024/03/29/4 for technical details)

To be clear: we don't believe Homebrew's builds were compromised (the backdoor only applied to deb and rpm builds) but 5.6.x is being treated as no longer trustworthy and as a precaution we are forcing downgrades to 5.4.6.

[SMillerDev]

Is anyone looking into this further to validate?

Probably, but while the Homebrew team is good at packaging software for Homebrew it's not necessarily a team of security experts. If you want to know for sure Homebrew isn't affected you'll need to find a way to audit that for yourself.

My concerns is that the backdoor on servers allows of RCE or the attacker to SSH into any server.
The backdoor on client devices may be exporting private keys to the attacker.
Perhaps a security researcher can use Little Snitch to test what happens,

Perhaps, we'd have to wait for a security researcher to come by here and take your suggestion.

or look at the binaries and compare them with the built-from-source binaries to see if they match?

That wouldn't matter. Homebrew binaries are build from source and the exploit was included in the upstream build definition in the release tarballs.

It would be important to audit the homebrew versions of xz also, isn't it?

If you depend on it, sure. I'm sure a lot of people will be looking into XZ in the time to come, but in the end Homebrew is not a security team.

[quackerex]

From homebrew FAQ

You should only ever sudo a tool you trust. Of course, you can trust Homebrew 😉 — but do you trust the multi-megabyte Makefile that Homebrew runs? Developers often understand C++ far better than they understand make syntax. It’s too high a risk to sudo such stuff. It could modify (or upload) any files on your system. And indeed, we’ve seen some build scripts try to modify /usr even when the prefix was specified as something else entirely.

We use the macOS sandbox to stop this but this doesn’t work when run as the root user (which also has read and write access to almost everything on the system).

Will the macOS sandbox help prevent this backdoor?

[quackerex]

Maintainer of the MacPorts xz port also came to same conclusion:

I've spent some time reading the various discussions about this incident and this was not a typical security issue caused by buggy code. Instead, malicious code was deliberately added to the xz project in small pieces over a period of months or years, culminating in the release of xz 5.6.0 containing an exploit targeting x86_64 Debian Linux users by injecting code into sshd processes. xz 5.6.1 "improved" the code by making the exploit harder to detect. This particular exploit does not affect macOS but we don't yet know if there are other yet-undiscovered vulnerabilities that could affect macOS.

[christoofar]

In the Debian target that everyone knows about:

The build_to_host.m4 is ONLY on the upstream git, where it would have been pulled in to make the poison tarball, and Jia removed it from the origin repo that you see on GitHub. He put it as its own .gitignore commit, too.

So the question I have is: how did Homebrew make this, exactly? Straight from the published GitHub repo?

If so, then Homebrew was always fine, well... I don't think I want Jia's "enhancements" anymore or anything else he touched, and I think most people are thinking the same.

Anyway: a ton of shit in the payload .o is heavily dependent on frame offsets which have no bearing on other archs, so usually for ARMbians that means code relying on offsets found in one matrix of compiler+arch would have to have been duplicated to target the other compiler+arch because the GOT is going to look different. To do multiarch you would have to pack arch specific lib drops and bloat the test blobs up even more.

It's worth a look anyway to run this down, because maybe he did have plans for an BSD+arm64 variant. He certainly was quite aware of libs like Capsicum that were linked and used in file_io.c, which is a quicky-way to ask for sandbox-style protections when you enter an operation that might be juicy for hijacking. When Jia entered the scene, then Jia noticed that the Linux implementation of Capsicum went dormant so he de-linked from it when he did his CMake refactoring around the entire codebase.

EDIT: I only brought this up because I don't know the build process brew uses but I did search around; pulling from the origin repo to build direct absolutely would have never brought in/unpacked the .o payload to compile it in. Pulling done-tarballs from upstream/debian, etc to get the build_to_host.m4 script and reproducing the conditions of the deb/rpm folders it hunts for, doing it on x64, etc, is the only way the .o payload gets in. And there's no multiarch, IFUNC, etc.

But that was for this one SCA... a discussion still needs to be had about future-mal that may come down the pike that specifically goes after BSD+arm64. Or any arm64, what have you.

[christoofar]

The RE effort so far is revealing that the exploit intended to weaken the RSA keycheck verification to look for a certificate-style key that's host-specific which the attacker can later present a pubkey and payload for and be allowed in. As in: it's truly a real backdoor.

Here's some more detail about that part of the exploit, including a honeypot which can be setup to look for sshd scanners and a test/probe proofing tool to demonstrate RCE:

https://github.com/amlweems/xzbot/tree/main?tab=readme-ov-file#backdoor-format

[atncsj6h]

thank You!

[neoneye]

Question: Shouldn't the dangerous 5.6.1 files be wiped?

After brew upgrade, there is still remains on my computer of the 5.6.1 in the cache.

PROMPT> ls -l ~/Library/caches/homebrew | grep xz   
lrwxr-xr-x    1 neoneye  staff       112 Mar 30 00:37 xz--5.4.6 -> downloads/a8def111ef35d2c9d46e56ff2c6c7b623b61be0f395014454e9f11db2db16981--xz--5.4.6.arm64_sonoma.bottle.tar.gz
lrwxr-xr-x    1 neoneye  staff       112 Mar 12 21:29 xz--5.6.1 -> downloads/0e0aec6661183ecb640ab65fdea4d5387cd8029dbe702b0b4801030e148df690--xz--5.6.1.arm64_sonoma.bottle.tar.gz
lrwxr-xr-x    1 neoneye  staff       105 Mar 30 00:37 xz_bottle_manifest--5.4.6 -> downloads/b2cc4077807c100af6e0253f51d186f187ff55165638cbe3a4aa16d1c4762660--xz-5.4.6.bottle_manifest.json
lrwxr-xr-x    1 neoneye  staff       105 Mar 12 21:31 xz_bottle_manifest--5.6.1 -> downloads/bc72ad1aed6fc861afaf3fd0af8266ea2913cb871cfdcbeef0c228afb9826c72--xz-5.6.1.bottle_manifest.json

After the brew upgrade, I now have the downgraded version.

PROMPT> xz --version
xz (XZ Utils) 5.4.6
liblzma 5.4.6

My config

PROMPT> brew config
HOMEBREW_VERSION: 4.2.15
ORIGIN: https://github.com/Homebrew/brew
HEAD: 92a4311868322188478d7a90511ec0e8e6b0d7df
Last commit: 5 days ago
Core tap JSON: 29 Mar 23:36 UTC
Core cask tap JSON: 29 Mar 23:36 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_EDITOR: /Users/neoneye/bin/mate -w
HOMEBREW_MAKE_JOBS: 10
Homebrew Ruby: 3.1.4 => /opt/homebrew/Library/Homebrew/vendor/portable-ruby/3.1.4/bin/ruby
CPU: 10-core 64-bit arm_firestorm_icestorm
Clang: 15.0.0 build 1500
Git: 2.39.3 => /Applications/Xcode.app/Contents/Developer/usr/bin/git
Curl: 8.1.2 => /usr/bin/curl
macOS: 14.1.2-arm64
CLT: 15.3.0.0.1.1708646388
Xcode: 15.3
Rosetta 2: false

[Bo98]

The second commit in Homebrew/brew#16977 should fix the need for the --prune flag. Will probably release 4.2.16 tomorrow with it.

[Moulick]

I run brew cleanup -v -s --prune=all with every brew upgrade/update just to keep everything tidy :). Maybe I trust brew too much :D

[webfolderio]

If you want real solution, compile your projects from source. I have never used brew.

[nevotheless]

@webfolderio What a place to put that as an answer to a problem lmao.

[Crapshit]

irony on
@nevotheless but hey @webfolderio will never compile any backdoor in his binaries. Never, because he will read the entire source code which he is compiling. In every programming language which is out there. So no never and ever.
irony off

[smailpengzai]

brew info xz
brew cleanup xz --prune=0
brew reinstall xz
brew cleanup
brew info xz
xz --version

这些命令跑完基本就回退了

[alexrecuenco]

You must run brew update before running these commands by @smailpengzai .

[porg]

Downgrading xz (compiled, not bottled) on unsupported macOS 11 Big Sur - Seems to work

brew update
brew info xz
brew cleanup xz --prune=0
brew reinstall xz
brew cleanup
brew info xz
xz --version

• ✅ Successfully downgraded xz to 5.4.6.
• ✅ Successfully removed malicious source-tarballs and install-directory:
  • In ~/Library/Caches/Homebrew/ it removed xz--5.6.0.tar.gz and xz--5.6.1.tar.gz
  • In /usr/local/Cellar/xz/ it removed 5.6.0/ entirely
  • 💡 On newer systems, this seems to have not worked according to @Bo98

    Ok thanks, I think I see what the issue is - there's an element of brew cleanup that doesn't support downgrades. It's tricky to fix but will see what I can do for 4.2.16.

Log

• Note: All actions and all responses contained.
• Shortened repetitive lines which list every single package (irrelevant for the issue at hand)

➜  ~ date
Sun Mar 31 16:12:34 CEST 2024

➜  ~ sw_vers
ProductName:	macOS
ProductVersion:	11.7.10
BuildVersion:	20G1427

➜  ~ brew --version
Homebrew 4.2.15

➜  ~ brew info xz  
==> xz: stable 5.6.1
General-purpose data compression with high compression ratio
https://xz.tukaani.org/xz-utils/
/usr/local/Cellar/xz/5.6.0 (166 files, 2.6MB)
  Built from source on 2024-03-07 at 12:08:26
/usr/local/Cellar/xz/5.6.1 (166 files, 2.7MB) *
  Built from source on 2024-03-10 at 08:49:28
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/x/xz.rb
License: 0BSD and LGPL-2.1-or-later and GPL-2.0-or-later and GPL-3.0-or-later
==> Analytics
install: 355,234 (30 days), 779,211 (90 days), 3,046,474 (365 days)
install-on-request: 83,505 (30 days), 175,458 (90 days), 526,629 (365 days)
build-error: 1,401 (30 days)


➜  ~ brew update
==> Updating Homebrew...
Updated 2 taps (homebrew/cask-versions and homebrew/services).
==> Outdated Formulae
abseil

[...]

xz

==> Outdated Casks
libreoffice

You have 60 outdated formulae and 1 outdated cask installed.
You can upgrade them with brew upgrade
or list them with brew outdated.

➜  ~ brew info xz
==> xz: stable 5.4.6
General-purpose data compression with high compression ratio
https://xz.tukaani.org/xz-utils/
/usr/local/Cellar/xz/5.6.0 (166 files, 2.6MB)
  Built from source on 2024-03-07 at 12:08:26
/usr/local/Cellar/xz/5.6.1 (166 files, 2.7MB) *
  Built from source on 2024-03-10 at 08:49:28
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/x/xz.rb
License: Public Domain and GPL-2.0-or-later
==> Analytics
install: 355,234 (30 days), 779,211 (90 days), 3,046,474 (365 days)
install-on-request: 83,505 (30 days), 175,458 (90 days), 526,629 (365 days)
build-error: 1,401 (30 days)

➜  ~ brew cleanup xz --prune=0
Warning: Skipping xz: most recent version 5.4.6 not installed
Removing: /Users/me/Library/Caches/Homebrew/xz--5.6.0.tar.gz... (2.9MB)
Removing: /Users/me/Library/Caches/Homebrew/xz--5.6.1.tar.gz... (2.9MB)
==> This operation has freed approximately 5.8MB of disk space.

➜  ~ brew reinstall xz
Warning: You are using macOS 11.
We (and Apple) do not provide support for this old version.
It is expected behaviour that some formulae will fail to build in this old version.
It is expected behaviour that Homebrew will be buggy and slow.
Do not create any issues about this on Homebrew's GitHub repositories.
Do not create any issues even if you think this message is unrelated.
Any opened issues will be immediately closed without response.
Do not ask for help from Homebrew or its maintainers on social media.
You may ask for help in Homebrew's discussions but are unlikely to receive a response.
Try to figure out the problem yourself and submit a fix as a pull request.
We will review it but may or may not accept it.

==> Fetching xz
==> Downloading https://raw.githubusercontent.com/Homebrew/homebrew-core/e2774eaf717789f9c87c92aaaf32
############################################################################################## 100.0%
==> Downloading https://downloads.sourceforge.net/project/lzmautils/xz-5.4.6.tar.gz
==> Downloading from https://netix.dl.sourceforge.net/project/lzmautils/xz-5.4.6.tar.gz
############################################################################################## 100.0%
==> Reinstalling xz 
==> ./configure --disable-silent-rules --disable-nls
==> make check
==> make install
🍺  /usr/local/Cellar/xz/5.4.6: 163 files, 2.6MB, built in 1 minute 11 seconds
==> Running `brew cleanup xz`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
Removing: /usr/local/Cellar/xz/5.6.0... (166 files, 2.6MB)
Warning: The following dependents of upgraded formulae are outdated but will not
be upgraded because they are not bottled:
  vim
  lit

  [...]

==> No outdated dependents to upgrade!
==> Checking for dependents of upgraded formulae...
Disable this behaviour by setting HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
==> No broken dependents to reinstall!
➜  ~ brew cleanup
Warning: Skipping abseil: most recent version 20240116.1 not installed
Removing: /Users/me/Library/Caches/Homebrew/abseil--20230802.1... (1.5MB)
Warning: Skipping aom: most recent version 3.8.2 not installed
Warning: Skipping c-ares: most recent version 1.28.0 not installed
Removing: /Users/me/Library/Caches/Homebrew/c-ares--1.27.0.tar.gz... (1.2MB)
Removing: /usr/local/Cellar/ca-certificates/2023-12-12... (3 files, 226.7KB)
Removing: /Users/me/Library/Caches/Homebrew/ca-certificates--2023-12-12... (127.7KB)

[...]

Removing: /Users/me/Library/Caches/Homebrew/yt-dlp--2023.12.30.tar.gz... (2.6MB)
Warning: Skipping zstd: most recent version 1.5.6 not installed
Removing: /Users/me/Library/Caches/Homebrew/go_mod_cache... (768B)
Removing: /Users/me/Library/Caches/Homebrew/shaderc--2023.8.tar.gz... (221.9KB)
Removing: /Users/me/Library/Caches/Homebrew/ffmpeg--patch--57e26caced5a1382cb639235f9555fc50e45e7bf8333f7c9ae3d49b3241d3f77.patch... (1.2KB)
Removing: /Users/me/Library/Caches/Homebrew/openvino--ade--0.1.2.tar.gz... (114.3KB)
Removing: /Users/me/Library/Caches/Homebrew/openvino--2023.3.0.tar.gz... (48.2MB)

[...]

e66586ab5c97ef05daacfe079bf5bdb7c085f107/Formula/px.rb... (1.5KB)
Removing: /Users/me/Library/Caches/Homebrew/api-source/Homebrew/homebrew-core/e66586ab5c97ef05daacfe079bf5bdb7c085f107/Formula/sqlite.rb... (2.9KB)
Pruned 0 symbolic links and 8 directories from /usr/local
Removing: /usr/local/Homebrew/Library/Homebrew/vendor/portable-ruby/2.6.10_1... (1,393 files, 24.2MB)
Removing: /usr/local/Homebrew/Library/Homebrew/vendor/portable-ruby/2.6.8... (1,393 files, 24.5MB)
Removing: /usr/local/Homebrew/Library/Homebrew/vendor/portable-ruby/2.6.8_1... (1,393 files, 24.4MB)
==> This operation has freed approximately 1.9GB of disk space.

➜  ~ brew info xz
==> xz: stable 5.4.6
General-purpose data compression with high compression ratio
https://xz.tukaani.org/xz-utils/
/usr/local/Cellar/xz/5.4.6 (163 files, 2.6MB) *
  Built from source on 2024-03-31 at 16:27:22
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/x/xz.rb
License: Public Domain and GPL-2.0-or-later
==> Analytics
install: 355,059 (30 days), 779,298 (90 days), 3,046,488 (365 days)
install-on-request: 83,456 (30 days), 175,487 (90 days), 526,658 (365 days)
build-error: 1,400 (30 days)

➜  ~ xz --version 
xz (XZ Utils) 5.4.6
liblzma 5.4.6

[imhalid]

thanks @porg

[jazzilicious]

brew info xz
==> xz: stable 5.4.6 (bottled)
General-purpose data compression with high compression ratio
https://xz.tukaani.org/xz-utils/

This is still referencing the compromised subdoman xz.tukaani.org which the attacker Jia Tan controls. The original URL was tukaani.org/xz which was controlled by Lasse Collin. Here's his message confirming that the attacker controlled the xz subdomain: https://tukaani.org/xz-backdoor/

Here's the attacker asking oss-fuzz to change the url from tukaani.org/xz to xz.tukaani.org: https://twitter.com/WhichbufferArda/status/1773829481645457798

[porg]

• The output of brew info xz for v5.4.6 comes from what's contained in the package manifest, which comes from the brew repo, right?
  • So you don't suggest that v5.4.6 may also contain malicious code or at least untrustworthy URLs?
  • But that the corresponding metadata in some repos (brew and what project oss-fuzz says about project xz in a YAML file, as visible in the screenshot of your linked tweet) still contain untrustworthy URLs, and that the repo managers should correct those.

[jazzilicious]

I'm sorry I don't know where the URL in brew info output comes from. Just highlighting that it is a bad URL, which incidentally has been taken down (probably by Github, which was serving the subdomain).

[p-linnane]

According to https://tukaani.org/xz-backdoor/:

xz.tukaani.org DNS name (CNAME) has been removed. The XZ projects currently don’t have a home page. This will be fixed in a few days.

We will update the homepage once a new one emerges. There is no harm in having that dead link until upstream provides a new one.

[realizelol]

Meanwhile I think there's a little audit proof which can be done via macOS Terminal:

{ find /usr/local/lib -maxdepth 2 -iname "*liblzma*" 2>/dev/null | while read -r liblzma_path; do
hexdump -ve '1/1 "%.2x"' "${liblzma_path}"; done; } \
  | grep 'f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'

Adaption to macOS of the following source:
https://github.com/cyclone-github/scripts/blob/main/xz_cve-2024-3094-detect.sh

I've first downgraded to 5.4.6, now the output is "nothing". If it finds the grep'ed string the installed version is vulnerable?!
Maybe someone has 6.x.x and can run that audit proof before doing a downgrade?

Thank you @porg for the downgrade instructions.

---

Also it should be possible to compare ssh connections (please do not connect to other machines!):
time nonexistant@127.0.0.1; time nonexistant@127.0.0.1; time nonexistant@127.0.0.1
then do a downgrade and re-run the previous script again, are there any time differences? (faster)
But I think this wouldn't work, as the TERM variable is set which will abort vulnerable execution.
Also the server (sshd) has to be started.

Observed requirements for the exploit:

a) TERM environment variable is not set
b) argv[0] needs to be /usr/sbin/sshd
c) LD_DEBUG, LD_PROFILE are not set
d) LANG needs to be set
e) Some debugging environments, like rr, appear to be detected. Plain gdb
appears to be detected in some situations, but not others

-- if I understand it correctly the list could be extended for macOS by: --

f) openssh-server (sshd) needs to be started [unattended] -> otherwise TERM is included.
e) macOS doesn't use systemd. -> But actually it needs more research to be 100% clear.

Source:
https://www.openwall.com/lists/oss-security/2024/03/29/4

Or am I completely misunderstand this backdoor?

[Bo98]

There's also conditions for it to actually make it into the binary: https://www.openwall.com/lists/oss-security/2024/03/29/4/1.

The understanding of that is why it seems to be deb and RPM specific. ifuncs are also not supported on macOS.

[MirageTurtle]

Thanks for your downgrade instructions! @porg

[doodlesun]

@Bo98 I have a question just for my understanding of the brew info command.
If I run brew info xz and I have not updated my homebrew installation and I am currently offline it could show something like:
==> xz: stable 5.6.1 (bottled)
and later down
/opt/homebrew/Cellar/xz/5.4.6

Does that mean the current formula from where I last updated brew is still referencing to the malicious version upstream, but I have the safe version installed? Because I have read several threads were people were using brew info xz to determine their version, but the installed version might actually be different than the first line of the output.

[Bo98]

When you update Homebrew, you get a local copy of the version information ("Core tap JSON" in brew config). The first line is the latest available version according to that data. It's the version you'd get if you did brew install/upgrade xz (though those commands run auto-update by default so that would change to 5.4.6 when that happens unless you have that disabled).

The path is the version you actually have installed. It's possible to have multiple, in which case the active one has a * at the end of the line. Most of the time though you'll only have one version.

So in your case, you have xz 5.4.6 installed.

[doodlesun]

Thanks for the response! :)

As a suggestion: It might be useful to highlight the installed version or add something like Installed version:
I have seen a few people use the first information to determine which version they have installed, which could be problematic.

[nodeover]

Wow! Thanks to Homebrew's swift action, my PC was saved! Truly appreciate the quick and careful response to ensure our systems stay secure.

[realizelol]

There are some reverse engineered steps by Kaspersky:
https://securelist.com/xz-backdoor-story-part-1/112354/

The latest commit by LiaT75 is: tukaani-project/xz@af071ef
The latest workflow by LiaT75 is: https://github.com/tukaani-project/xz/actions/runs/8435679174
Searching for build-to-host.m4|bad-3-corrupt_lzma2.xz|good-large_compressed.lzma in the latest workflows didn't give any results.
So it seems like the vulnerable files weren't side-loaded in any way to github's workflow (binary building process to github releases).
Homebrew only downloaded github releases never the malformed releases via the website https:// xz . tukaani . org.
But have the newer tarballs already have been deleted, now?!: https://github.com/tukaani-project/xz/releases

Commits for changes to xz on homebrew (to re-check yourself that xz wasn't downloaded via https:// xz . tukaani . org:
Homebrew/homebrew-core@51674c9
Homebrew/homebrew-core@e5c8877
Homebrew/homebrew-core@67f482b
Homebrew/homebrew-core@952462a
Homebrew/homebrew-core@a72651f
Homebrew/homebrew-core@7c7e858

But first off all:

• If ever a vulnerable tarball has been downloaded it would never be executed on macOS as in the build process the vulnerable file build-to-host.m4 checks for "Linux" in uname: uname | grep -i Linux(no output as it's Darwin on macOS) if it hasn't been found further process is stopped via exit 0. So the patching has been stopped and leaves a clean binary on macOS.
• SSH Port should be blocked by your firewall / router. (You have to do a port forwarding to your macOS device by yourself)
• SSH Daemon isn't automatically enabled on macOS. Check it's running by:ps aux | grep sshd | grep -v grep or pgrep -lf sshd or sudo launchctl list | grep sshd
• SSH Daemon on macOS isn't launched via systemd. (macOS = "non-systemd-operating-system") macOS launcher is: launchd
  • Check via find / -iname "*libsystemd*" 2>/dev/null output will be empty. Or check if lzma is loaded with sshd:
  • expand

      sshd      330               root  cwd       DIR                1,4      640                   2 /
      sshd      330               root  txt       REG                1,4  1674320 1152921500312790112 /usr/sbin/sshd
      sshd      330               root  txt       REG                1,4    46988         12884951623 /Library/Preferences/Logging/.plist-cache.ru83lBLj
      sshd      330               root  txt       REG                1,4   208016 1152921500312783176 /usr/lib/pam/pam_opendirectory.so.2
      sshd      330               root  txt       REG                1,4   150944 1152921500312783172 /usr/lib/pam/pam_nologin.so.2
      sshd      330               root  txt       REG                1,4   195904 1152921500312783164 /usr/lib/pam/pam_krb5.so.2
      sshd      330               root  txt       REG                1,4   156960 1152921500312783174 /usr/lib/pam/pam_ntlm.so.2
      sshd      330               root  txt       REG                1,4   157808 1152921500312783170 /usr/lib/pam/pam_mount.so.2
      sshd      330               root  txt       REG                1,4   151840 1152921500312783166 /usr/lib/pam/pam_launchd.so.2
      sshd      330               root  txt       REG                1,4   168560 1152921500312349767 /System/Library/KerberosPlugins/KerberosFrameworkPlugins/AppSSOLocatePlugin_macOS.bundle/Contents/MacOS/AppSSOLocatePlugin_macOS
      sshd      330               root  txt       REG                1,4   151120 1152921500312783182 /usr/lib/pam/pam_sacl.so.2
      sshd      330               root  txt       REG                1,4   168144 1152921500312349756 /System/Library/KerberosPlugins/KerberosFrameworkPlugins/AppSSOConfigPlugin_macOS.bundle/Contents/MacOS/AppSSOConfigPlugin_macOS
      sshd      330               root  txt       REG                1,4   169424 1152921500312349799 /System/Library/KerberosPlugins/KerberosFrameworkPlugins/heimdalodpac.bundle/Contents/MacOS/heimdalodpac
      sshd      330               root  txt       REG                1,4   169968 1152921500312349777 /System/Library/KerberosPlugins/KerberosFrameworkPlugins/Reachability.bundle/Contents/MacOS/Reachability
      sshd      330               root  txt       REG                1,4   169840 1152921500312349788 /System/Library/KerberosPlugins/KerberosFrameworkPlugins/SCKerberosConfig.bundle/Contents/MacOS/SCKerberosConfig
      sshd      330               root  txt       REG                1,4  2177216 1152921500312783131 /usr/lib/dyld
      sshd      330               root    0r      CHR                3,2      0t0                 314 /dev/null
      sshd      330               root    1u      CHR                3,2      0t0                 314 /dev/null
      sshd      330               root    2u      CHR                3,2      0t0                 314 /dev/null
      sshd      330               root    3u    systm 0x36f27013abd3a827      0t0                     [ctl com.apple.netsrc id 6 unit 10]
      sshd      330               root    4u     IPv4 0x36f2701d4603c94f      0t0                 TCP 192.168.123.50:ssh->my-macbook.lan:53758 (ESTABLISHED)
      sshd      330               root    5u     IPv4 0x36f2701d4603c94f      0t0                 TCP 192.168.123.50:ssh->my-macbook.lan:53758 (ESTABLISHED)
      sshd      330               root    6r      REG                1,4       77         12884925090 /private/etc/security/audit_user
      sshd      330               root    7u     unix 0x36f27013aca88eb7      0t0                     ->(none)
      sshd      330               root    8r      REG                1,4      652         12884925088 /private/etc/security/audit_class
      sshd      330               root    9r      REG                1,4      358         12884925091 /private/etc/security/audit_control
      sshd      330               root   10r      REG                1,4    26649         12884925086 /private/etc/security/audit_event
      sshd      330               root   11u      CHR               15,0   0t9124                 583 /dev/ptmx
      sshd      330               root   12u     unix 0x36f27013aca88d27      0t0                     ->0x36f27013aca8bc07
      sshd      334               test  cwd       DIR                1,4      640                   2 /
      sshd      334               test  txt       REG                1,4  1674320 1152921500312790112 /usr/sbin/sshd
      sshd      334               test  txt       REG                1,4    46988         12884951623 /Library/Preferences/Logging/.plist-cache.ru83lBLj
      sshd      334               test  txt       REG                1,4   208016 1152921500312783176 /usr/lib/pam/pam_opendirectory.so.2
      sshd      334               test  txt       REG                1,4   150944 1152921500312783172 /usr/lib/pam/pam_nologin.so.2
      sshd      334               test  txt       REG                1,4   195904 1152921500312783164 /usr/lib/pam/pam_krb5.so.2
      sshd      334               test  txt       REG                1,4   156960 1152921500312783174 /usr/lib/pam/pam_ntlm.so.2
      sshd      334               test  txt       REG                1,4   157808 1152921500312783170 /usr/lib/pam/pam_mount.so.2
      sshd      334               test  txt       REG                1,4   151840 1152921500312783166 /usr/lib/pam/pam_launchd.so.2
      sshd      334               test  txt       REG                1,4   168560 1152921500312349767 /System/Library/KerberosPlugins/KerberosFrameworkPlugins/AppSSOLocatePlugin_macOS.bundle/Contents/MacOS/AppSSOLocatePlugin_macOS
      sshd      334               test  txt       REG                1,4   151120 1152921500312783182 /usr/lib/pam/pam_sacl.so.2
      sshd      334               test  txt       REG                1,4   168144 1152921500312349756 /System/Library/KerberosPlugins/KerberosFrameworkPlugins/AppSSOConfigPlugin_macOS.bundle/Contents/MacOS/AppSSOConfigPlugin_macOS
      sshd      334               test  txt       REG                1,4   169424 1152921500312349799 /System/Library/KerberosPlugins/KerberosFrameworkPlugins/heimdalodpac.bundle/Contents/MacOS/heimdalodpac
      sshd      334               test  txt       REG                1,4   169968 1152921500312349777 /System/Library/KerberosPlugins/KerberosFrameworkPlugins/Reachability.bundle/Contents/MacOS/Reachability
      sshd      334               test  txt       REG                1,4   169840 1152921500312349788 /System/Library/KerberosPlugins/KerberosFrameworkPlugins/SCKerberosConfig.bundle/Contents/MacOS/SCKerberosConfig
      sshd      334               test  txt       REG                1,4  2177216 1152921500312783131 /usr/lib/dyld
      sshd      334               test    0u      CHR                3,2      0t0                 314 /dev/null
      sshd      334               test    1u      CHR                3,2      0t0                 314 /dev/null
      sshd      334               test    2u      CHR                3,2      0t0                 314 /dev/null
      sshd      334               test    3u    systm 0x36f27013abd3a827      0t0                     [ctl com.apple.netsrc id 6 unit 10]
      sshd      334               test    4u     IPv4 0x36f2701d4603c94f      0t0                 TCP 192.168.123.50:ssh->my-macbook.lan:53758 (ESTABLISHED)
      sshd      334               test    5u     IPv4 0x36f2701d4603c94f      0t0                 TCP 192.168.123.50:ssh->my-macbook.lan:53758 (ESTABLISHED)
      sshd      334               test    6r      REG                1,4       77         12884925090 /private/etc/security/audit_user
      sshd      334               test    7u     unix 0x36f27013aca88eb7      0t0                     ->(none)
      sshd      334               test    8r      REG                1,4      652         12884925088 /private/etc/security/audit_class
      sshd      334               test    9r      REG                1,4      358         12884925091 /private/etc/security/audit_control
      sshd      334               test   10r      REG                1,4    26649         12884925086 /private/etc/security/audit_event
      sshd      334               test   11u     unix 0x36f27013aca8bc07      0t0                     ->0x36f27013aca88d27
      sshd      334               test   12      PIPE 0x8ffdc2981fff8196    16384                     ->0x93ac209a072073ab
      sshd      334               test   13      PIPE 0x93ac209a072073ab    16384                     ->0x8ffdc2981fff8196
      sshd      334               test   14u      CHR               15,0   0t9124                 583 /dev/ptmx
      sshd      334               test   16u      CHR               15,0   0t9124                 583 /dev/ptmx
      sshd      334               test   17u      CHR               15,0   0t9124                 583 /dev/ptmx
      sshd      361               root  cwd       DIR                1,4      640                   2 /
      sshd      361               root  txt       REG                1,4  1674320 1152921500312790112 /usr/sbin/sshd
      sshd      361               root  txt       REG                1,4    46988         12884951623 /Library/Preferences/Logging/.plist-cache.ru83lBLj
      sshd      361               root  txt       REG                1,4   208016 1152921500312783176 /usr/lib/pam/pam_opendirectory.so.2
      sshd      361               root  txt       REG                1,4   150944 1152921500312783172 /usr/lib/pam/pam_nologin.so.2
      sshd      361               root  txt       REG                1,4   195904 1152921500312783164 /usr/lib/pam/pam_krb5.so.2
      sshd      361               root  txt       REG                1,4   156960 1152921500312783174 /usr/lib/pam/pam_ntlm.so.2
      sshd      361               root  txt       REG                1,4   157808 1152921500312783170 /usr/lib/pam/pam_mount.so.2
      sshd      361               root  txt       REG                1,4   151840 1152921500312783166 /usr/lib/pam/pam_launchd.so.2
      sshd      361               root  txt       REG                1,4   168560 1152921500312349767 /System/Library/KerberosPlugins/KerberosFrameworkPlugins/AppSSOLocatePlugin_macOS.bundle/Contents/MacOS/AppSSOLocatePlugin_macOS
      sshd      361               root  txt       REG                1,4   151120 1152921500312783182 /usr/lib/pam/pam_sacl.so.2
      sshd      361               root  txt       REG                1,4   168144 1152921500312349756 /System/Library/KerberosPlugins/KerberosFrameworkPlugins/AppSSOConfigPlugin_macOS.bundle/Contents/MacOS/AppSSOConfigPlugin_macOS
      sshd      361               root  txt       REG                1,4   169424 1152921500312349799 /System/Library/KerberosPlugins/KerberosFrameworkPlugins/heimdalodpac.bundle/Contents/MacOS/heimdalodpac
      sshd      361               root  txt       REG                1,4   169968 1152921500312349777 /System/Library/KerberosPlugins/KerberosFrameworkPlugins/Reachability.bundle/Contents/MacOS/Reachability
      sshd      361               root  txt       REG                1,4   169840 1152921500312349788 /System/Library/KerberosPlugins/KerberosFrameworkPlugins/SCKerberosConfig.bundle/Contents/MacOS/SCKerberosConfig
      sshd      361               root  txt       REG                1,4  2177216 1152921500312783131 /usr/lib/dyld
      sshd      361               root    0r      CHR                3,2      0t0                 314 /dev/null
      sshd      361               root    1u      CHR                3,2      0t0                 314 /dev/null
      sshd      361               root    2u      CHR                3,2      0t0                 314 /dev/null
      sshd      361               root    3u    systm 0x36f27013abd3a7a7      0t0                     [ctl com.apple.netsrc id 6 unit 11]
      sshd      361               root    4u     IPv4 0x36f2701d4603b3ff      0t0                 TCP 192.168.123.50:ssh->my-macbook.lan:54074 (ESTABLISHED)
      sshd      361               root    5u     IPv4 0x36f2701d4603b3ff      0t0                 TCP 192.168.123.50:ssh->my-macbook.lan:54074 (ESTABLISHED)
      sshd      361               root    6r      REG                1,4       77         12884925090 /private/etc/security/audit_user
      sshd      361               root    7u     unix 0x36f27013aca8ddf7      0t0                     ->(none)
      sshd      361               root    8r      REG                1,4      652         12884925088 /private/etc/security/audit_class
      sshd      361               root    9r      REG                1,4      358         12884925091 /private/etc/security/audit_control
      sshd      361               root   10r      REG                1,4    26649         12884925086 /private/etc/security/audit_event
      sshd      361               root   11u      CHR               15,1   0t4159                 583 /dev/ptmx
      sshd      361               root   12u     unix 0x36f27013aca8df87      0t0                     ->0x36f27013aca8cb37
      sshd      364               test  cwd       DIR                1,4      640                   2 /
      sshd      364               test  txt       REG                1,4  1674320 1152921500312790112 /usr/sbin/sshd
      sshd      364               test  txt       REG                1,4    46988         12884951623 /Library/Preferences/Logging/.plist-cache.ru83lBLj
      sshd      364               test  txt       REG                1,4   208016 1152921500312783176 /usr/lib/pam/pam_opendirectory.so.2
      sshd      364               test  txt       REG                1,4   150944 1152921500312783172 /usr/lib/pam/pam_nologin.so.2
      sshd      364               test  txt       REG                1,4   195904 1152921500312783164 /usr/lib/pam/pam_krb5.so.2
      sshd      364               test  txt       REG                1,4   156960 1152921500312783174 /usr/lib/pam/pam_ntlm.so.2
      sshd      364               test  txt       REG                1,4   157808 1152921500312783170 /usr/lib/pam/pam_mount.so.2
      sshd      364               test  txt       REG                1,4   151840 1152921500312783166 /usr/lib/pam/pam_launchd.so.2
      sshd      364               test  txt       REG                1,4   168560 1152921500312349767 /System/Library/KerberosPlugins/KerberosFrameworkPlugins/AppSSOLocatePlugin_macOS.bundle/Contents/MacOS/AppSSOLocatePlugin_macOS
      sshd      364               test  txt       REG                1,4   151120 1152921500312783182 /usr/lib/pam/pam_sacl.so.2
      sshd      364               test  txt       REG                1,4   168144 1152921500312349756 /System/Library/KerberosPlugins/KerberosFrameworkPlugins/AppSSOConfigPlugin_macOS.bundle/Contents/MacOS/AppSSOConfigPlugin_macOS
      sshd      364               test  txt       REG                1,4   169424 1152921500312349799 /System/Library/KerberosPlugins/KerberosFrameworkPlugins/heimdalodpac.bundle/Contents/MacOS/heimdalodpac
      sshd      364               test  txt       REG                1,4   169968 1152921500312349777 /System/Library/KerberosPlugins/KerberosFrameworkPlugins/Reachability.bundle/Contents/MacOS/Reachability
      sshd      364               test  txt       REG                1,4   169840 1152921500312349788 /System/Library/KerberosPlugins/KerberosFrameworkPlugins/SCKerberosConfig.bundle/Contents/MacOS/SCKerberosConfig
      sshd      364               test  txt       REG                1,4  2177216 1152921500312783131 /usr/lib/dyld
      sshd      364               test    0u      CHR                3,2      0t0                 314 /dev/null
      sshd      364               test    1u      CHR                3,2      0t0                 314 /dev/null
      sshd      364               test    2u      CHR                3,2      0t0                 314 /dev/null
      sshd      364               test    3u    systm 0x36f27013abd3a7a7      0t0                     [ctl com.apple.netsrc id 6 unit 11]
      sshd      364               test    4u     IPv4 0x36f2701d4603b3ff      0t0                 TCP 192.168.123.50:ssh->my-macbook.lan:54074 (ESTABLISHED)
      sshd      364               test    5u     IPv4 0x36f2701d4603b3ff      0t0                 TCP 192.168.123.50:ssh->my-macbook.lan:54074 (ESTABLISHED)
      sshd      364               test    6r      REG                1,4       77         12884925090 /private/etc/security/audit_user
      sshd      364               test    7u     unix 0x36f27013aca8ddf7      0t0                     ->(none)
      sshd      364               test    8r      REG                1,4      652         12884925088 /private/etc/security/audit_class
      sshd      364               test    9r      REG                1,4      358         12884925091 /private/etc/security/audit_control
      sshd      364               test   10r      REG                1,4    26649         12884925086 /private/etc/security/audit_event
      sshd      364               test   11u     unix 0x36f27013aca8cb37      0t0                     ->0x36f27013aca8df87
      sshd      364               test   12      PIPE 0x7835e4b2ddadd27c    16384                     ->0x9495aeb441222011
      sshd      364               test   13      PIPE 0x9495aeb441222011    16384                     ->0x7835e4b2ddadd27c
      sshd      364               test   14u      CHR               15,1   0t4159                 583 /dev/ptmx
      sshd      364               test   16u      CHR               15,1   0t4159                 583 /dev/ptmx
      sshd      364               test   17u      CHR               15,1   0t4159                 583 /dev/ptmx
    

• LANG is always set on a desktop environments so malware shouldn't be loaded. Even if you aren't logged in (loginscreen after boot).
  • Tested via Parallels Desktop on new install - just activate ssh:
  • expand

      $ ssh test@192.168.123.50
      The authenticity of host '192.168.123.50 (192.168.123.50)' can't be established.
      ED25519 key fingerprint is SHA256:+qZeXgs/s/9z24xQGzc30kR21Irg7aqPqVxW5DSCsw0.
      This key is not known by any other names
      Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
      Warning: Permanently added '192.168.123.50' (ED25519) to the list of known hosts.
      (test@192.168.123.50) Password:
      Last login: Wed Apr 17 13:42:50 2024
      test@Mac-of-test ~ % env | grep LANG
      LANG=en_US.UTF-8
    

So we should be 99,9% save even if we installed the vulnerable version of 5.6.0 to 5.6.1. Reverting to an earlier version is still advisable.
That will let me hopefully sleep better than I did in the last time.