Today a security issue was disclosed [1] in the xz package, which contains the
xz program (used for example by MacPorts to decompress xz-compressed source
code archives) and the liblzma library (used by many other programs). Versions
5.6.0 and 5.6.1 (to which the MacPorts port was updated a couple of days ago)
are affected. Josh downgraded the port to 5.4.6 which we believe is not
affected, but as we learn more over the coming days we may downgrade even
further. Please use the normal MacPorts commands to receive this update and do
not be surprised that you are being "upgraded" to an older version of xz:

    sudo port selfupdate
    sudo port upgrade outdated
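An added example, not part of this announcement or of MacPorts: a POSIX shell
check that reads the first line of `xz --version` output and reports whether
the installed xz is one of the two affected releases (5.6.0, 5.6.1) or the
5.4.6 downgrade target. The sample lines are constructed; the only assumption
for live use is that `xz` is on PATH.

```shell
#!/bin/sh
# Classify an installed xz by the version printed on the first line of
# `xz --version`, e.g. "xz (XZ Utils) 5.6.1".
# Output: affected | downgraded | other | unknown

# Return the first whitespace-separated token that looks like N.N.N,
# or an empty line if the input contains no such token.
xz_version_from_line() {
    for tok in $1; do
        case "$tok" in
            [0-9]*.[0-9]*.[0-9]*) printf '%s\n' "$tok"; return 0 ;;
        esac
    done
    printf '\n'
}

# Map the extracted version onto the states the announcement talks about.
# "other" means neither a known-affected release nor the 5.4.6 downgrade;
# it is not a statement that such a version is safe.
xz_classify() {
    ver=$(xz_version_from_line "$1")
    case "$ver" in
        5.6.0|5.6.1) echo affected ;;
        5.4.6)       echo downgraded ;;
        '')          echo unknown ;;
        *)           echo other ;;
    esac
}

# Constructed sample lines standing in for real `xz --version` output.
SAMPLE_AFFECTED='xz (XZ Utils) 5.6.1'
SAMPLE_DOWNGRADED='xz (XZ Utils) 5.4.6'

xz_classify "$SAMPLE_AFFECTED"    # affected
xz_classify "$SAMPLE_DOWNGRADED"  # downgraded

# On a real system (assumption: xz is on PATH), run:
#   xz_classify "$(xz --version 2>/dev/null | head -n 1)"
```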
I've spent some time reading the various discussions about this incident and
this was not a typical security issue caused by buggy code. Instead, malicious
code was deliberately added to the xz project in small pieces over a period of
months or years, culminating in the release of xz 5.6.0 containing an exploit
targeting x86_64 Debian Linux users by injecting code into sshd processes. xz
5.6.1 "improved" the code by making the exploit harder to detect. This
particular exploit does not affect macOS but we don't yet know if there are
other yet-undiscovered vulnerabilities that could affect macOS.
What seems to have happened is: Two years ago, the developer of xz found his
time for continuing to develop xz to be limited [2] and he was pressured on the
xz mailing list to add a second official developer. That second developer was
later promoted to release manager. The GitHub account of that second developer
committed the malicious code. It is not yet clear whether the GitHub accounts
of one or both of the developers were taken over by malicious actors, or
whether one or both of the developers have been malicious actors all along. At
this time, GitHub has suspended the accounts of both of xz's developers and
disabled their GitHub organization's repositories so it's not yet clear if or
when or how they will respond to this.
Undoubtedly security researchers will be scrutinizing every commit made to the
xz project over the past two years and we'll take further action (further
downgrades or patches) as needed. As always, although I'm listed as the
maintainer of the MacPorts xz port, anybody may commit changes that resolve
security issues without waiting for the maintainer's approval.
Thank you to Frank Dean for bringing this issue to our attention on the
macports-dev mailing list and to Josh for downgrading the port so quickly.
[1] https://www.openwall.com/lists/oss-security/2024/03/29/4
[2] https://www.mail-archive.com/xz-devel@tukaani.org/msg00563.html