6

I had brew on Ubuntu as I installed a tool that's not available on apt. Then today I realized that xz --version returns 5.6.1, which is the version related to CVE-2024-3094, and when I ran which xz I realized the one in /home/linuxbrew/.linuxbrew/bin had already taken over the default one in Ubuntu. It turns out xz is a dependency of many packages, so it was installed without explicit user knowledge. After running brew update && brew upgrade, xz was force downgraded to 5.4.6 as expected.

I know the default xz in the apt repository isn't vulnerable, but I specifically want to know about brew's xz. As mentioned here, brew's xz on macOS isn't affected. But is brew's xz on Ubuntu affected? Does brew on Ubuntu use the original source, the deb package, or the compiled binary?

phuclv
  • 758

1 Answer

13

Looking at the formula for xz 5.6.1, you can see:

  url "https://github.com/tukaani-project/xz/releases/download/v5.6.1/xz-5.6.1.tar.gz"
  mirror "https://downloads.sourceforge.net/project/lzmautils/xz-5.6.1.tar.gz"
  mirror "https://archive.org/download/xz-5.6.1.tar.gz/xz-5.6.1.tar.gz"
  mirror "http://archive.org/download/xz-5.6.1.tar.gz/xz-5.6.1.tar.gz"
  sha256 "2398f4a8e53345325f44bdd9f0cc7401bd9025d736c6d43b372f4dea77bf75b8"

And:

  def install
    system "./configure", *std_configure_args, "--disable-silent-rules", "--disable-nls"
    system "make", "check"
    system "make", "install"
  end

It is built from source, so likely unaffected by the known compromise (which targeted builds that are part of packaging processes).

muru
  • 207,970
  • But the exploit is present in the source and triggered by the build, isn't it? It specifically checks if it's being built for a DEB- or RPM-based system, and only then injects the malicious code. It'd actually be better if they built from git directly, because the repos on github and tukaani have been purged of the exploit, and I don't know if they did the same for those archives. – Gallifreyan Jun 07 '24 at 03:57
  • @Gallifreyan oh brew actually went one better - they rolled back all the way to 5.4.6, the last before the attacker made any commits. The one the OP is asking about and I'm describing here is the version from before the rollback. – muru Jun 07 '24 at 04:30
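A shell audit for the situation the question describes (a Homebrew-on-Linux xz shadowing Ubuntu's own), added here as an example that is not from the question, the answer or Homebrew: it lists every xz on PATH plus the linuxbrew path from the question, reads each one's version and flags the 5.6.0/5.6.1 releases tied to CVE-2024-3094. The linuxbrew path and the affected-version list are the only assumptions.

```shell
#!/bin/sh
# Added example: audit which xz binaries are reachable on this host and
# flag the releases that shipped the CVE-2024-3094 backdoor.

# Releases whose tarballs carried the backdoor (assumed list: 5.6.0, 5.6.1).
AFFECTED_XZ_VERSIONS="5.6.0 5.6.1"

# Pull the version number out of `xz --version` output, whose first line
# looks like "xz (XZ Utils) 5.6.1"; prints nothing if it does not match.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Exit status 0 when the version string is one of the affected releases.
xz_version_affected() {
    for v in $AFFECTED_XZ_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# Print one line per xz binary found: "<path> <version> <status>".
# Candidates are every xz on PATH (which -a) plus the linuxbrew prefix
# from the question, which is what shadowed /usr/bin/xz there.
audit_xz_binaries() {
    candidates="$(which -a xz 2>/dev/null; echo /home/linuxbrew/.linuxbrew/bin/xz)"
    for path in $candidates; do
        [ -x "$path" ] || continue
        out="$("$path" --version 2>/dev/null)" || continue
        ver="$(parse_xz_version "$out")"
        if xz_version_affected "$ver"; then
            status="AFFECTED (CVE-2024-3094 release)"
        else
            status="ok"
        fi
        printf '%s %s %s\n' "$path" "${ver:-unknown}" "$status"
    done | sort -u
}

# Run the audit; the first path printed is the one `xz` resolves to.
audit_xz_binaries
```

If the linuxbrew entry is listed first with an affected version, the shadowing the question describes is still in place on that host.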