As you probably already know, a backdoor has been found in XZ Utils, a compression tool that is used for lossless compression in command line utilities. If you're looking to understand more about this vulnerability, you can find an excellent explanation on Reddit.
If you're a macOS and Homebrew user, there is a good chance that you have the version of XZ everyone has been talking about installed on your machine. This article is about how to find out for sure and what to do about it.
#Which versions are affected
Before we begin, it's useful to know that versions 5.6.0 and 5.6.1 are known to contain the vulnerability. There is also a chance that previous versions might have similar issues. Homebrew maintainers have said that they "don't believe Homebrew's builds were compromised (the backdoor only applied to deb and rpm builds) but 5.6.x is being treated as no longer trustworthy and as a precaution we are forcing downgrades to 5.4.6."
#How to check if XZ is installed
You can run `which` to see if you have XZ installed at all:
which xz
#The right way to see which version is installed
Use the following command to check which version of XZ you are running on your machine.
brew list xz
Please don't use `xz -V`, as it has been rightly pointed out that this would run the potentially vulnerable software itself.
#The wrong way to see which version is installed
Don't use this method.
The wrong way to check the XZ version currently installed on your system is to use the following command:
xz -V
As you can see, the version 5.6.1 installed on my machine is in fact one of the versions no longer considered trustworthy.
@jbroome correctly pointed out that there is a safer way to check the installed version without using the potentially vulnerable software to do so:
Please use brew info to check the version of xz. Actually running the potentially back-door'd software to check the version seems like a bad idea.
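If you would rather script the check, the following is an added example (not code from the original post or from Homebrew): it reads only Homebrew's own metadata through `brew list --versions xz`, never executes the xz binary, and flags 5.6.0 and 5.6.1 as the untrusted releases. The function names `xz_version_affected`, `xz_versions_from_brew_line` and `check_homebrew_xz` are my own, and the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether the xz that
# Homebrew installed is one of the untrusted 5.6.x builds, using only
# Homebrew's own metadata and never running the xz binary itself.

# Exit 0 when the given version string is one of the two known-affected
# releases (5.6.0, 5.6.1), 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Take one line of "brew list --versions xz" output (constructed samples:
# "xz 5.6.1", or "xz 5.4.6 5.6.1" when several kegs are present) and print
# the installed versions, space separated. Exit 1 when the line is not
# about the xz formula at all.
xz_versions_from_brew_line() {
    set -- $1                      # split the line on whitespace
    [ "$1" = "xz" ] || return 1
    shift
    printf '%s\n' "$*"
}

# Query Homebrew and report each installed version.
# Exit 0 if an affected version is installed, 1 if only unaffected versions
# (or nothing) are installed, 2 if brew itself is not available.
check_homebrew_xz() {
    if ! command -v brew >/dev/null 2>&1; then
        echo "brew not found; nothing to check" >&2
        return 2
    fi
    line=$(brew list --versions xz 2>/dev/null || true)
    if [ -z "$line" ]; then
        echo "xz is not installed via Homebrew"
        return 1
    fi
    status=1
    for ver in $(xz_versions_from_brew_line "$line"); do
        if xz_version_affected "$ver"; then
            echo "xz $ver: untrusted 5.6.x build; run 'brew upgrade' to get the forced downgrade to 5.4.6"
            status=0
        else
            echo "xz $ver: not one of the affected versions"
        fi
    done
    return $status
}

# Report when the file is executed directly (the functions can also be sourced).
if check_homebrew_xz; then
    echo "Action needed: an affected xz version is installed."
fi
```

The check deliberately treats every keg Homebrew lists, since a machine that has been upgraded and downgraded may keep more than one xz version in the Cellar.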
#How to remove the affected XZ version using Homebrew
Run the following command to upgrade all your Homebrew packages and formulas:
brew upgrade
Since Homebrew is forcing downgrades to 5.4.6, the affected versions will be removed and replaced with version 5.4.6.
You can now run `xz -V` again to ensure that XZ has been downgraded.
#Keeping Homebrew Up To Date
In general, it's always good to keep all your software up to date, so that you can benefit from security patches as they become available.
Remember to update Homebrew itself using:
brew update
and run
brew upgrade
to keep all your packages and formulas up to date.
From time to time you can also use
brew cleanup
to remove stale lock files, outdated downloads for all formulae and casks, and remove old versions of installed formulae.
#An alias command to run all your updates at once
Add the following alias to your shell rc to perform all your updates at once:
# Get OS X Software Updates, and update installed Ruby gems, Homebrew, npm, and their installed packages
# Note: brew upgrade no longer accepts --all; a plain brew upgrade already upgrades every outdated formula
alias update='sudo softwareupdate -i -a; brew update; brew upgrade; brew cleanup; npm install npm -g; npm update -g; sudo gem update'