Note: This advisory does not affect any Joplin application. It affects developers who build Joplin from source on macOS.
A backdoor in the xz package (CVE-2024-3094) targets Linux systems and includes a check that should prevent it from running on macOS. Even so, avoid the affected versions of xz (5.6.0 and 5.6.1).
See also: cisa.gov's page on the issue, the relevant Openwall blog post, the Socket.dev page for the issue, and this comment by a Homebrew maintainer.
The issue
Joplin's build instructions suggest users install Homebrew, then use it to install cocoapods, and optionally libvips. While cocoapods doesn't seem to depend on xz, libvips does.
Specifically, libvips depends on python@3.12, imagemagick, and other dependencies that depend on xz [1].
To check the installed version of xz, in a terminal, run
brew list --versions xz
or, alternatively,
xz --version
Note that brew list reports the kegs Homebrew has installed (possibly more than one version), whereas xz --version reports whichever xz binary comes first on PATH, which need not be Homebrew's. If either output includes 5.6.0 or 5.6.1, downgrade to an earlier version.
Downgrading xz
Homebrew has reverted its xz formula to an earlier release, so upgrading replaces the affected version. Run in a terminal:
zsh% brew upgrade
zsh% brew cleanup xz --prune=0
The cleanup step removes the old xz kegs; --prune=0 additionally removes all cached files older than 0 days, i.e. the cached 5.6.x downloads (see brew cleanup --help for additional details).
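The check and downgrade steps above, as an added example that is not part of the Joplin advisory or of Homebrew: a POSIX shell script that scans the output of the two version commands for the backdoored releases and, if one is present, prints the remediation commands rather than running them. The sample outputs in the script are constructed to match the shape of the real commands' output; the live check at the end only runs where brew or xz actually exists.

```shell
#!/bin/sh
# Added example, not part of the Joplin advisory or of Homebrew: scans the
# output of the two version checks for the backdoored xz releases and, if one
# is present, prints the remediation commands instead of running them.

# Return 0 (true) if $1 is one of the two affected releases, 1 otherwise.
xz_version_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Scan arbitrary tool output ("brew list --versions xz" may list several
# installed kegs; "xz --version" also reports liblzma) for x.y.z version
# numbers, print each affected one, and return 0 if any was found.
scan_for_affected_xz() {
    found=1
    versions=$(printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' || true)
    for ver in $versions; do
        if xz_version_is_affected "$ver"; then
            echo "affected xz version present: $ver"
            found=0
        fi
    done
    return $found
}

# Remediation from the advisory, printed rather than executed so the script
# never changes the machine it runs on.
print_downgrade_hint() {
    echo "To replace it, run:"
    echo "  brew upgrade"
    echo "  brew cleanup xz --prune=0"
}

# Constructed sample outputs (not captured from a real machine), in the
# shapes the two commands produce.
SAMPLE_BREW_BAD='xz 5.4.6 5.6.1'
SAMPLE_XZ_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_XZ_OK='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

for sample in "$SAMPLE_BREW_BAD" "$SAMPLE_XZ_BAD" "$SAMPLE_XZ_OK"; do
    if scan_for_affected_xz "$sample"; then
        print_downgrade_hint
    else
        echo "no affected version in: $(printf '%s\n' "$sample" | head -n 1)"
    fi
done

# Live check of this machine, only where the tools exist. brew is queried
# first because "xz --version" reports whichever xz is first on PATH, which
# need not be the Homebrew keg the advisory is about.
if command -v brew >/dev/null 2>&1; then
    live=$(brew list --versions xz 2>/dev/null || true)
elif command -v xz >/dev/null 2>&1; then
    live=$(xz --version 2>/dev/null || true)
else
    live=''
fi
if scan_for_affected_xz "$live"; then
    print_downgrade_hint
fi
```

The version match is deliberately exact: 5.6.2 and later were released after the backdoor was removed, and nothing before 5.6.0 carries it, so a range check would flag versions the advisory does not.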
To see the full dependency tree, run
brew deps --tree libvips