For macOS users, XQuartz is a must-have supporting app for running Windows applications on macOS. However, the latest XQuartz version is 2.7.11, which hasn’t been updated since 2016-10-29. This leaves some security vulnerabilities unaddressed. Sparkle is one of them.
Sparkle is an easy-to-use software update framework for macOS applications. It is also shipped together with XQuartz. The built-in Sparkle updater in XQuartz 2.7.11 is version 1.6.1. According to https://sparkle-project.org/documentation/security/ it is vulnerable to MITM attacks.
As XQuartz no longer seems to deliver updates, I have to figure out how to fix this security issue myself.
Here’s what to do.
- Go to the Sparkle GitHub site (https://github.com/sparkle-project/Sparkle/releases) and download the latest release, e.g. 1.23.0.
- Unpack the Sparkle framework (the Sparkle.framework folder).
- Copy the new Sparkle.framework folder over /Applications/Utilities/XQuartz.app/Contents/Frameworks/Sparkle.framework, replacing it.
- Also copy the new /Sparkle.framework/Versions/A/Resources/Autoupdate to replace /Applications/Utilities/XQuartz.app/Contents/Frameworks/Autoupdate.
Done. The Sparkle updater within XQuartz should now be updated to the latest version, 1.23.0.
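To confirm the swap took effect, this added example (not part of the original post) reads the Sparkle version from the framework bundled in an app and compares it numerically against a minimum. It assumes the framework's Info.plist sits in Versions/A/Resources and carries CFBundleShortVersionString; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: report the Sparkle version bundled in an app and whether it
# is at least a required minimum. Function names are hypothetical.

# Emit the plist as XML: plutil (macOS) also handles binary plists.
read_plist_xml() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$1"
    else
        cat "$1"
    fi
}

# Print CFBundleShortVersionString from XML plist text on stdin.
# Assumes plutil-style layout: <key> on one line, <string> on the next.
plist_short_version() {
    awk '
        /<key>CFBundleShortVersionString<\/key>/ { want = 1; next }
        want && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
        }'
}

# Return 0 if dotted version $1 is lower than $2. Components are compared
# as numbers, so 1.6.1 < 1.23.0 (a plain string compare gets this wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# check_sparkle APP_BUNDLE MIN_VERSION
# Prints the version found. Returns 0 if >= MIN_VERSION, 1 if older,
# 2 if the framework plist or its version string is missing.
check_sparkle() {
    plist="$1/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Info.plist"
    [ -f "$plist" ] || { echo "no Sparkle Info.plist at $plist" >&2; return 2; }
    found=$(read_plist_xml "$plist" | plist_short_version)
    [ -n "$found" ] || { echo "no version string in $plist" >&2; return 2; }
    echo "$found"
    if version_lt "$found" "$2"; then return 1; fi
    return 0
}
```

After sourcing the file, `check_sparkle /Applications/Utilities/XQuartz.app 1.23.0` should print 1.23.0 and return 0 once the framework has been replaced.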