6

I had brew on Ubuntu as I installed a tool that's not available on apt. Then today I realized that xz --version returns 5.6.1, which is the version related to CVE-2024-3094, and when I ran which xz I realized the one in /home/linuxbrew/.linuxbrew/bin had already taken over the default one in Ubuntu. It turns out xz is a dependency of many packages, so it was installed without explicit user knowledge. After running brew update && brew upgrade, xz was force-downgraded to 5.4.6 as expected.

I know the default xz in the apt repository isn't vulnerable, but I specifically want to know about brew's xz. As mentioned here, xz from brew on macOS isn't affected. But is xz from brew on Ubuntu affected? Does brew on Ubuntu use the original source, the deb package, or a compiled binary?

phuclv
  • 760

1 Answer

13

Looking at the formula for xz 5.6.1, you can see:

  url "https://github.com/tukaani-project/xz/releases/download/v5.6.1/xz-5.6.1.tar.gz"
  mirror "https://downloads.sourceforge.net/project/lzmautils/xz-5.6.1.tar.gz"
  mirror "https://archive.org/download/xz-5.6.1.tar.gz/xz-5.6.1.tar.gz"
  mirror "http://archive.org/download/xz-5.6.1.tar.gz/xz-5.6.1.tar.gz"
  sha256 "2398f4a8e53345325f44bdd9f0cc7401bd9025d736c6d43b372f4dea77bf75b8"

And:

  def install
    system "./configure", *std_configure_args, "--disable-silent-rules", "--disable-nls"
    system "make", "check"
    system "make", "install"
  end

It is built from source, so likely unaffected by the known compromise (which targeted builds that were part of packaging processes).

muru
  • 207,228
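As an added check, not part of either post above, the script below shows how a practitioner can answer the question for their own machine: it parses the first line of `xz --version` to see whether the installed binary is one of the two release versions named in CVE-2024-3094 (5.6.0 and 5.6.1), and it reads the `poured_from_bottle` flag that `brew info --json=v1 xz` records for each installed keg, which tells you whether Homebrew poured a prebuilt bottle or actually ran the formula's `install` block locally. The sample version output and JSON are constructed inline so the script runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original question or answer).
# Classifies an xz installation by (a) whether its version is one of the
# CVE-2024-3094 release versions and (b) for a Homebrew keg, whether it was
# poured from a bottle or built locally from the formula.

# Return 0 if the version string is one of the two known-bad releases.
xz_version_affected() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the version from the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1".
xz_version_from_output() {
  printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# `brew info --json=v1 <formula>` lists each installed keg with a
# "poured_from_bottle" boolean: true means a prebuilt bottle was used,
# false means Homebrew ran the formula's install block on this machine.
# Return 0 if any keg in the JSON text was poured from a bottle.
brew_poured_from_bottle() {
  printf '%s\n' "$1" | grep -q '"poured_from_bottle"[[:space:]]*:[[:space:]]*true'
}

# $1: output of `xz --version`
# $2: output of `brew info --json=v1 xz` (may be empty if not a Homebrew xz)
# Prints a one-line verdict.
classify_xz() {
  ver=$(xz_version_from_output "$1")
  if xz_version_affected "$ver"; then
    verdict="affected version $ver"
  else
    verdict="version $ver not in the known-bad set"
  fi
  if [ -n "$2" ]; then
    if brew_poured_from_bottle "$2"; then
      verdict="$verdict (Homebrew: poured from bottle)"
    else
      verdict="$verdict (Homebrew: built locally from the formula)"
    fi
  fi
  printf '%s\n' "$verdict"
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_VERSION_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_BREW_JSON='[{"name":"xz","installed":[{"version":"5.6.1","poured_from_bottle":true}]}]'

classify_xz "$SAMPLE_VERSION_OUTPUT" "$SAMPLE_BREW_JSON"

# On a real Linuxbrew host you would run instead:
#   classify_xz "$(xz --version)" "$(brew info --json=v1 xz 2>/dev/null)"
```

The point of the second check is that a formula carrying a `def install` block does not by itself tell you how your copy was produced; Homebrew records that per keg, and `poured_from_bottle` is where to look before deciding whether the "built from source" reasoning applies to your installation.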