xFelix
xFelix
Fix XQuartz Sparkle vulnerability

For macOS users, XQuartz is a must have supporting app to run Windows application on macOS. However, XQuartz the latest version is 2.7.11 which hasn’t been updated since 2016-10-29. This leaves some security vulnerabilities haven’t been addressed properly. Sparkle is one of them.

Sparkle is an easy-to-use software update framework for macOS applications. It is also shipped together with XQuartz. The builtin Sparkle updater version in XQuartz 2.7.11 is 1.6.1. According to https://sparkle-project.org/documentation/security/ it is vulnerable to MITM attack.

As XQuartz seems no longer deliver update, I have to figure out how to fix this security issue by myself.

Here’s what to do.

  1. Go to Sparkle Github site (https://github.com/sparkle-project/Sparkle/releases) to download latest release, eg 1.23.0.
  2. Unpack Sparkle framework (Sparkle.framework folder)
  3. Copy new Sparkle.framework folder and replace /Applications/Utilities/XQuartz.app/Contents/Frameworks/Sparkle.framework
  4. Also copy new /Sparkle.framework/Versions/A/Resources/Autoupdate to replace /Applications/Utilities/XQuartz.app/Contents/Frameworks/Autoupdate

Done. The Sparkle updater within XQuartz should have been update3d to 1.23.0 latest version.

 

Written by Felix. Licensed under CC BY-NC-SA 3.0 Unported.

Leave a Reply

textsms
account_circle
email

xFelix

Fix XQuartz Sparkle vulnerability
For macOS users, XQuartz is a must have supporting app to run Windows application on macOS. However, XQuartz the latest version is 2.7.11 which hasn't been updated since 2016…
Scan QR code to continue reading
2020-04-06