xz 5.6.1 vulnerability; downgrade to 5.4.6
Ryan Schmidt
ryandesign at macports.org
Sat Mar 30 01:09:48 UTC 2024
Today a security issue was disclosed [1] in the xz package, which contains the xz program (used for example by MacPorts to decompress xz-compressed source code archives) and the liblzma library (used by many other programs). Versions 5.6.0 and 5.6.1 (to which the MacPorts port was updated a couple of days ago) are affected. Josh downgraded the port to 5.4.6, which we believe is not affected, but as we learn more over the coming days we may downgrade even further. Please use the normal MacPorts commands to receive this update and do not be surprised that you are being "upgraded" to an older version of xz:
sudo port selfupdate
sudo port upgrade outdated
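As an added check to confirm what the upgrade left installed (this is not part of Ryan's post or of MacPorts), the script below parses the output of `xz --version`, which is assumed to print one line for the xz tool and one for liblzma, and reports each against the affected range named above:

```sh
#!/bin/sh
# Added example; not from the original post or from MacPorts.
# Assumes `xz --version` prints two lines of the form
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# Both are checked: liblzma is linked by other programs and may not match
# the xz binary. Versions 5.6.0 and 5.6.1 are the affected releases named
# in the post; anything at or above 5.6.0 is reported as affected.

# ver_ge A B: succeed if dotted version A is >= B (numeric, per component).
ver_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$2" ]
}

# xz_status OUTPUT: one line per component, "<name> <version> <affected|ok>".
xz_status() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in
      "xz (XZ Utils) "*) name=xz ;;
      "liblzma "*)       name=liblzma ;;
      *) continue ;;
    esac
    ver=${line##* }                      # last whitespace-separated field
    if ver_ge "$ver" 5.6.0; then
      echo "$name $ver affected"
    else
      echo "$name $ver ok"
    fi
  done
}

# any_affected OUTPUT: succeed (exit 0) if any component is in the affected range.
any_affected() {
  xz_status "$1" | grep -q ' affected$'
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_AFFECTED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_DOWNGRADED='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
SAMPLE_MIXED='xz (XZ Utils) 5.4.6
liblzma 5.6.0'

# Check the installed xz, if there is one, after `sudo port upgrade outdated`.
if command -v xz >/dev/null 2>&1; then
  xz_status "$(xz --version 2>/dev/null)"
fi
```

A mixed result (xz binary downgraded but liblzma still at 5.6.x, or the reverse) means the upgrade did not fully take, so re-run the two port commands above.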
I've spent some time reading the various discussions about this incident and this was not a typical security issue caused by buggy code. Instead, malicious code was deliberately added to the xz project in small pieces over a period of months or years, culminating in the release of xz 5.6.0 containing an exploit targeting x86_64 Debian Linux users by injecting code into sshd processes. xz 5.6.1 "improved" the code by making the exploit harder to detect. This particular exploit does not affect macOS but we don't yet know if there are other yet-undiscovered vulnerabilities that could affect macOS.
What seems to have happened is: Two years ago, the developer of xz found his time for continuing to develop xz to be limited [2] and he was pressured on the xz mailing list to add a second official developer. That second developer was later promoted to release manager. The GitHub account of that second developer committed the malicious code. It is not yet clear whether the GitHub accounts of one or both of the developers were taken over by malicious actors, or whether one or both of the developers have been malicious actors all along. At this time, GitHub has suspended the accounts of both of xz's developers and disabled their GitHub organization's repositories so it's not yet clear if or when or how they will respond to this.
Undoubtedly security researchers will be scrutinizing every commit made to the xz project over the past two years and we'll take further action (further downgrades or patches) as needed. As always, although I'm listed as the maintainer of the MacPorts xz port, anybody may commit changes that resolve security issues without waiting for the maintainer's approval.
Thank you to Frank Dean for bringing this issue to our attention on the macports-dev mailing list and to Josh for downgrading the port so quickly.
[1] https://www.openwall.com/lists/oss-security/2024/03/29/4
[2] https://www.mail-archive.com/xz-devel@tukaani.org/msg00563.html