Security: Building Joplin on macOS? Check for `xz` 5.6.x on your system

Note: This advisory does not affect any Joplin application. It affects developers who build Joplin from source on macOS.

The backdoor shipped in xz 5.6.0 and 5.6.1 (CVE-2024-3094) targets x86-64 Linux builds of liblzma, and its build-time check means the malicious code is not expected to end up in a macOS install. Even so, do not keep the affected versions of xz on your machine.

See also: cisa.gov's page on the issue, the Openwall oss-security post that disclosed it, the Socket.dev page for the issue, and this comment by a Homebrew maintainer.

The issue

Joplin's build instructions suggest installing Homebrew, then using it to install CocoaPods and, optionally, libvips. CocoaPods does not appear to depend on xz, but libvips does.

Specifically, libvips depends on python@3.12, imagemagick, and other formulae that in turn depend on xz[1].

To check which version of xz Homebrew has installed (this is the liblzma that libvips links against), run in a terminal:

brew list --versions xz

You can also run

xz --version

which prints both the xz and liblzma versions, but note that it only reports whichever xz binary comes first on your PATH, which need not be Homebrew's; run `command -v xz` to see which one that is.

If either output includes 5.6.0 or 5.6.1, downgrade to an earlier version. Homebrew has reverted its xz formula to 5.4.6, so upgrading through Homebrew installs the unaffected release.

Downgrading xz

This can be done by running in a terminal:

zsh% brew upgrade
zsh% brew cleanup xz --prune=0

brew upgrade normally runs brew update first and so picks up the reverted formula; if you have set HOMEBREW_NO_AUTO_UPDATE, run brew update yourself beforehand. brew cleanup xz removes the old 5.6.x keg that the upgrade leaves in the Cellar, and --prune=0 removes all cached files older than 0 days, i.e. every cached download, including the 5.6.x tarball (see brew cleanup --help for additional details).
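The following script is an added example, not code from the original post or from the Joplin project. It puts the two checks above into one runnable form: it parses the output of `brew list --versions xz` and `xz --version` (including the case where Homebrew has more than one xz keg installed), flags 5.6.0 and 5.6.1, and shows which xz binary PATH resolves to. It assumes the output formats shown in the comments; where brew or xz is not present it falls back to constructed sample output, which is labelled as such.

```shell
#!/bin/sh
# Added example, not from the original post: flag the backdoored xz releases
# (5.6.0 and 5.6.1) on a Homebrew-based macOS build machine. It parses the
# output of the two commands given above and reports which xz/liblzma is in
# use. Real brew/xz output is used when the tools exist; otherwise constructed
# sample output stands in so the script runs anywhere.
set -eu

# Return 0 (true) for the two backdoored upstream releases, 1 otherwise.
xz_version_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Versions from `brew list --versions xz`, whose output looks like
# "xz 5.6.1" (or "xz 5.4.6 5.6.1" when two kegs are installed).
brew_xz_versions() {
    printf '%s\n' "$1" | awk '$1 == "xz" { for (i = 2; i <= NF; i++) print $i }'
}

# xz and liblzma versions from `xz --version`, whose output looks like
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# The liblzma line matters most: that library is what libvips links against.
xz_cli_versions() {
    printf '%s\n' "$1" | awk '/^xz \(XZ Utils\)/ { print $NF } /^liblzma/ { print $NF }'
}

# Count how many of the given (whitespace-separated) versions are affected.
count_affected() {
    n=0
    for v in $1; do
        if xz_version_is_affected "$v"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample output (not captured from a real machine) matching what
# the commands print when the affected release is installed.
SAMPLE_BREW_LIST='xz 5.6.1'
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

if command -v brew >/dev/null 2>&1; then
    brew_out=$(brew list --versions xz 2>/dev/null || true)
else
    echo "brew not found; using constructed sample output"
    brew_out=$SAMPLE_BREW_LIST
fi
if command -v xz >/dev/null 2>&1; then
    # Note which xz binary PATH resolves to: it need not be Homebrew's.
    echo "xz on PATH: $(command -v xz)"
    xz_out=$(xz --version 2>/dev/null || true)
else
    echo "xz not found on PATH; using constructed sample output"
    xz_out=$SAMPLE_XZ_VERSION
fi

all_versions="$(brew_xz_versions "$brew_out") $(xz_cli_versions "$xz_out")"
echo "versions seen: $(printf '%s\n' "$all_versions" | tr '\n' ' ')"
if [ "$(count_affected "$all_versions")" -gt 0 ]; then
    echo "AFFECTED: xz 5.6.0/5.6.1 present; downgrade as described above"
else
    echo "OK: no affected xz release found"
fi
```

Run it with `sh check-xz.sh` (or any file name you choose) on the build machine before and after the downgrade; the second run should report OK and the brew line should show only 5.4.6 once `brew cleanup xz` has removed the old keg.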


  1. To see the full dependency tree, run brew deps --tree libvips.
