Homebrew Security – Steps to Take After xz Security Issue

Tags: homebrew, macos, security, ssh

Ars Technica's March 30, 2024 Backdoor found in widely used Linux utility breaks encrypted SSH connections includes the following:

Several people, including two Ars readers, reported that the multiple apps included in the HomeBrew package manager for macOS rely on the backdoored 5.6.1 version of xz Utils. HomeBrew has now rolled back the utility to version 5.4.6. Maintainers have more details available here.

At the link in the block quote (titled "brew install xz installs the outdated version 5.4.6 instead of 5.6.1 #5243") there is talk about brew cleanup xz --prune=0, but I don't really understand the implications of everything there.

I may need to use brew to install a specific numerical Python package in about a week. Should I wait a few days for the dust to settle, or should I find a way to "clean up" or to uninstall and then reinstall Homebrew?

Best Answer

TL;DR: just run brew upgrade.

“Just upgrade” is almost always the right answer when a security vulnerability is announced. Distribution maintainers are often notified of vulnerabilities in advance, and even when they aren't, they usually react quicker than end-users. By the time you read a press article about a vulnerability, it's usually been patched by all mainstream distributions. And if it isn't, it's usually because the patching is difficult and you probably won't manage it on your own quicker than the distribution.

As an end-user of software, you typically only need to react to a vulnerability if you installed it manually through a channel that doesn't do updates. This is one of the reasons you should install software via an app store or package manager if possible.

Needing special commands was an emergency measure while the Homebrew maintainers reacted to the vulnerability announcement. Homebrew is very reactive and all you need to do now is upgrade normally. As I write this, brew upgrade xz downgrades xz from 5.6.1 to 5.4.6.

At this time, no vulnerability is known in xz 5.6.1 as distributed by Homebrew (the known vulnerability was only inserted during some builds), but the Homebrew maintainers have rolled back xz in case there was another, better hidden vulnerability.
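As an added example (not from the question, the answer, or Homebrew itself), the check a practitioner would run after `brew upgrade`: confirm which xz versions Homebrew still has installed. The version numbers are the ones this thread gives (5.6.1 backdoored, 5.4.6 the rollback target); the parser assumes the `xz <version> [<version> ...]` format that `brew list --versions xz` prints. The STALE case, where a 5.6.1 keg is still present beside 5.4.6, is the situation the `brew cleanup xz --prune=0` command from the linked issue addresses. The sample lines are constructed, so the script runs offline; set `RUN_LIVE=1` on a Mac with Homebrew to classify the real output instead.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Homebrew's own tooling.
# Versions come from the thread: 5.6.1 is the backdoored release, 5.4.6 is
# what Homebrew rolled back to. Assumes `brew list --versions xz` prints a
# single line of the form "xz <version> [<version> ...]".

BACKDOORED_XZ="5.6.1"
ROLLBACK_XZ="5.4.6"

# classify_xz_versions LINE
# Prints one word describing the state of the installed xz kegs:
#   BACKDOORED - only 5.6.1 is installed; `brew upgrade` has not been run yet
#   STALE      - 5.4.6 is installed but a 5.6.1 keg is still present
#                (what `brew cleanup xz --prune=0` would remove)
#   CLEAN      - only 5.4.6 is installed
#   UNKNOWN    - neither version seen; inspect manually
classify_xz_versions() {
    have_bad=0
    have_good=0
    # Split the line on whitespace and drop the leading formula name ("xz").
    set -- $1
    shift
    for v in "$@"; do
        case "$v" in
            "$BACKDOORED_XZ") have_bad=1 ;;
            "$ROLLBACK_XZ")   have_good=1 ;;
        esac
    done
    if [ "$have_bad" -eq 1 ] && [ "$have_good" -eq 1 ]; then
        echo STALE
    elif [ "$have_bad" -eq 1 ]; then
        echo BACKDOORED
    elif [ "$have_good" -eq 1 ]; then
        echo CLEAN
    else
        echo UNKNOWN
    fi
}

# Constructed sample lines standing in for real `brew list --versions xz` output.
SAMPLE_BEFORE_UPGRADE="xz 5.6.1"
SAMPLE_AFTER_UPGRADE="xz 5.4.6 5.6.1"
SAMPLE_AFTER_CLEANUP="xz 5.4.6"

if [ -n "$RUN_LIVE" ] && command -v brew >/dev/null 2>&1; then
    # Live mode: classify what this machine actually has installed.
    classify_xz_versions "$(brew list --versions xz)"
else
    # Offline mode: walk the three states a machine passes through.
    for s in "$SAMPLE_BEFORE_UPGRADE" "$SAMPLE_AFTER_UPGRADE" "$SAMPLE_AFTER_CLEANUP"; do
        printf '%s -> %s\n' "$s" "$(classify_xz_versions "$s")"
    done
fi
```

The classifier only reads Homebrew's own version bookkeeping; it does not inspect the installed liblzma, so a CLEAN result confirms that the upgrade and cleanup the answer describes have taken effect, nothing more.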