XZ and You

Owned by Ed Bobak
Apr 03, 2024
1 min read

The xz (really, liblzma) attack was never possible on macOS.

  • The backdoor requires glibc, but Apple ships its own libc

  • The backdoor depended on systemd to load sshd - the actual injection mechanism attacked systemd which, for reasons links to liblzma. macOS doesn't include systemd at all; and

  • The backdoor code was only injected during build if make was run on (a) Linux and (b) when creating a dpkg or an rpm.

All that said, we are brute-force deleting xz 5.6.0 and 5.6.1 from the common Homebrew paths - /opt/homebrew/Cellar/xz/5.6.0/usr/local/Cellar/xz/5.6.0 - on all systems anyway. If someone installed brew in some other path, like their home directory, we are not going to seek it out and delete it.

Russ Cox (co-creator of Go, among other things) has a serious in-depth explanation: 

https://research.swtch.com/xz-script