The current script simply uses kandji to run local homebrew to upgrade xz if it's vulnerable.
This is very useful if kandji was not used to provision homebrew and was installed by the user.
The way it works is
sudo su to switch to the user to run homebrew| #!/bin/zsh | |
| processor_brand="$(/usr/sbin/sysctl -n machdep.cpu.brand_string)" | |
| set_brew_prefix() { | |
| # Set the homebrew prefix. | |
| # Set the brew prefix to either the Apple Silicon location or the Intel location based on the | |
| # processor_brand information | |
| # | |
| # $1: proccessor brand information | |
| local brew_prefix | |
| if [[ $1 == *"Apple"* ]]; then | |
| # set brew prefix for apple silicon | |
| brew_prefix="/opt/homebrew" | |
| else | |
| # set brew prefix for Intel | |
| brew_prefix="/usr/local" | |
| fi | |
| # return the brew_prefix | |
| /bin/echo "$brew_prefix" | |
| } | |
| brew_prefix=$(set_brew_prefix "$processor_brand") | |
| echo "$brew_prefix" | |
| if ! command -v "$brew_prefix/bin/xz" &> /dev/null | |
| then | |
| echo "xz could not be found" | |
| exit 0 | |
| fi | |
| xz_check=$("$brew_prefix/bin/xz" --version | /usr/bin/grep '5.6' | head -1 | /usr/bin/grep -E '5.6.0|5.6.1' | wc -l) | |
| if [ "$xz_check" -eq 0 ]; then | |
| echo "xz is NOT vulnerable" | |
| exit 0 | |
| else | |
| echo "xz is vulnerable: $("$prefix/bin/xz" --version)" | |
| fi | |
| user_to_assume=$(ls -la "$brew_prefix/bin/brew" | /usr/bin/awk '{ print $3 }') | |
| sudo su "$user_to_assume" -c "$brew_prefix/bin/brew update" | |
| sudo su "$user_to_assume" -c "$brew_prefix/bin/brew upgrade xz" | |
| xz_version=$("$brew_prefix/bin/xz" --version) | |
| xz_check=$(echo "$xz_version" | /usr/bin/grep '5.6' | head -1 | /usr/bin/grep -E '5.6.0|5.6.1' | wc -l) | |
| if [ "$xz_check" -eq 0 ]; then | |
| echo "xz is now RESOLVED: $xz_version" | |
| exit 0 | |
| else | |
| echo "xz is STILL vulnerable: $xz_version" | |
| exit 1 | |
| fi |