Sun, Mar 31, 2024

How to Check and Upgrade XZ on Mac OS

As you probably already know, a backdoor has been found in XZ Utils (CVE-2024-3094), the package that provides the xz command-line tools and the liblzma compression library that many other programs link against. If you're looking to understand more about this vulnerability, you can find an excellent explanation on Reddit.

If you're a macOS and Homebrew user, there is a good chance that you have the version of XZ that everyone has been talking about installed on your machine, because many Homebrew formulae depend on it. This article is about how to find out for sure and what to do about it.

#Which versions are affected

Before we begin, it's useful to know that the 5.6.0 and 5.6.1 releases are the ones known to contain the backdoor. Earlier releases are not known to contain it, but the contributor who introduced it had had commit access for some time, so older code is being reviewed as well. Homebrew maintainers have said that they

don't believe Homebrew's builds were compromised (the backdoor only applied to deb and rpm builds) but 5.6.x is being treated as no longer trustworthy and as a precaution we are forcing downgrades to 5.4.6.

#How to check if XZ is installed

You can run which to see if you have XZ installed at all. macOS does not ship an xz command of its own, so a Homebrew copy shows up under the Homebrew prefix (/opt/homebrew/bin on Apple silicon, /usr/local/bin on Intel Macs); a path anywhere else means xz came from another package manager and brew will not manage it:

which xz

Check whether you have XZ installed

#The right way to see which version is installed

Use the following command to check which version of XZ is installed. It lists the files the xz formula installed, and every path includes the version directory under the Cellar (for example .../Cellar/xz/5.6.1/bin/xz), so you learn the version without executing the binary:

brew list xz

The right way to check which version of XZ you have installed

Don't use xz -V for this: as has been rightly pointed out, that runs the very binary you are trying to assess.

#The wrong way to see which version is installed

Don't use this method.

The wrong way to check the XZ version currently installed on your system is to use the following command:

xz -V

The wrong way to check which XZ version you have installed

As you can see, the version 5.6.1 installed on my machine is in fact one of the versions no longer considered trustworthy.

@jbroome correctly pointed out that there is a safer way to check the installed version without using the potentially vulnerable software to do so:

Please use brew info to check the version of xz. Actually running the potentially back-door'd software to check the version seems like a bad idea.

#How to remove the affected XZ version using Homebrew

Run the following command to upgrade all your Homebrew packages and formulae. If you have not refreshed Homebrew recently, run brew update first (the section below covers it) so that Homebrew sees the downgraded formula:

brew upgrade

Since Homebrew is forcing downgrades to 5.4.6, the affected version will be removed and replaced with version 5.4.6.

Once the downgrade has completed, the xz on your PATH is the trusted 5.4.6 build, so it is safe to run xz -V again to confirm it; the brew list check above confirms the same thing without running the binary at all.

Checking that your XZ version has been downgraded
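The checks above (which xz, brew list) and the downgrade-and-verify step, pulled together into one script, as an added example that is not part of the original article. It assumes Homebrew's standard layout (bin/xz is a symlink into the Cellar) and uses brew list --versions, a real Homebrew option the article does not mention; the function names and the --check/--fix flags are this example's own. Nothing in it executes xz.

```shell
#!/bin/sh
# Added example, not code from the original article: find out which xz
# Homebrew has installed WITHOUT executing the xz binary, flag the untrusted
# 5.6.x releases and, only when asked with --fix, perform the downgrade.
# The version numbers, the Cellar layout and the `brew` commands are real;
# the function names and the --check/--fix flags are this example's own.
set -u

# Releases Homebrew no longer trusts (see the maintainers' note above).
UNTRUSTED_XZ_VERSIONS="5.6.0 5.6.1"

# Return 0 if one version string is an untrusted release. A Homebrew
# revision suffix such as 5.6.1_1 is stripped before comparing.
xz_version_is_untrusted() {
    candidate=${1%%_*}
    for bad in $UNTRUSTED_XZ_VERSIONS; do
        [ "$candidate" = "$bad" ] && return 0
    done
    return 1
}

# `which xz` only says what is on PATH. Homebrew's bin/xz is a symlink into
# the Cellar (e.g. ../Cellar/xz/5.6.1/bin/xz), so the path alone reveals the
# keg name. Prints that name, or nothing (status 1) for a non-Homebrew path.
xz_version_from_cellar_path() {
    keg=$(printf '%s\n' "$1" | sed -n 's#.*/Cellar/xz/\([^/][^/]*\)/.*#\1#p')
    [ -n "$keg" ] && printf '%s\n' "$keg"
}

# `brew list --versions xz` prints one line, "xz <ver> [<ver> ...]", with
# every installed version of the formula. Print just the versions.
versions_from_brew_list_line() {
    printf '%s\n' "$1" | awk '$1 == "xz" { for (i = 2; i <= NF; i++) print $i }'
}

# Classify a `brew list --versions xz` line:
#   "missing"   -> xz is not installed through Homebrew
#   "untrusted" -> at least one installed version is 5.6.0 or 5.6.1
#   "ok"        -> only other versions are installed
classify_brew_list_line() {
    versions=$(versions_from_brew_list_line "$1")
    [ -n "$versions" ] || { echo missing; return 0; }
    for ver in $versions; do
        if xz_version_is_untrusted "$ver"; then echo untrusted; return 0; fi
    done
    echo ok
}

# Ask Homebrew (a Ruby program), not xz, what is installed.
brew_xz_list_line() {
    command -v brew >/dev/null 2>&1 || return 1
    brew list --versions xz 2>/dev/null
}

# Keg name of whatever xz is first on PATH, following Homebrew's symlink.
# Prints nothing if xz is absent or came from somewhere other than Homebrew.
path_xz_keg() {
    p=$(command -v xz 2>/dev/null) || return 1
    if [ -L "$p" ]; then
        t=$(readlink "$p")
        case "$t" in /*) p=$t ;; *) p="$(dirname "$p")/$t" ;; esac
    fi
    xz_version_from_cellar_path "$p"
}

# Refresh the formula index first (brew upgrade only auto-updates when its
# last update is older than HOMEBREW_AUTO_UPDATE_SECS), then let Homebrew
# replace 5.6.x with 5.4.6 and delete the old keg from the Cellar.
fix_xz() {
    brew update && brew upgrade xz && brew cleanup xz
}

case "${1:-}" in
    --check|--fix)
        echo "xz on PATH:      $(path_xz_keg || echo 'none / not Homebrew')"
        state=$(classify_brew_list_line "$(brew_xz_list_line || true)")
        echo "xz via Homebrew: $state"
        if [ "$state" = untrusted ] && [ "$1" = "--fix" ]; then
            fix_xz
            echo "after downgrade: $(classify_brew_list_line "$(brew_xz_list_line || true)")"
        fi
        ;;
esac
```

Save it as xz-check.sh and run sh xz-check.sh --check to report, or sh xz-check.sh --fix to also downgrade when an untrusted keg is found. Parsing brew's output and the symlink target rather than asking xz for its version is the whole point: the tool whose integrity is in question never gets a chance to run.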

#Keeping Homebrew Up To Date

In general, it's always good to keep all your software up to date, so that you benefit from security patches as they become available.

Remember to update Homebrew itself using:

brew update

and run

brew upgrade

to keep all your packages and formulae up to date.

From time to time you can also use

brew cleanup

to remove stale lock files, outdated downloads for all formulae and casks, and remove old versions of installed formulae.

#An alias command to run all your updates at once

Add the following alias to your shell rc to perform all your updates at once:

# Get OS X Software Updates, and update installed Ruby gems, Homebrew, npm, and their installed packages.
# The steps are chained with ";" so each one runs even if an earlier one fails.
# `brew upgrade` already covers every installed formula; its old --all flag is no longer accepted.
alias update='sudo softwareupdate -i -a; brew update; brew upgrade; brew cleanup; npm install npm -g; npm update -g; sudo gem update'

Thank you for reading this article.

If you've made it this far, you might like to connect with me on 𝕏 where I post similar content and interact with like-minded people. If this article was helpful to you I'd really appreciate it if you would consider buying me a coffee.