Can you confirm the safety of the package following the recent vulnerability involving the xz backdoor (liblzma, xz, or libarchive)?
Last week, I opened a ticket on electron-builder (electron-userland/electron-builder#8161) asking about the recent xz security concern. It was suggested that I create a ticket here as well for further investigation.
Upon reviewing the source code of the repository, I noticed several instances where the compression flags are set to XZ. Additionally, it appears that the project generates and bundles app-builder binaries into a package deployed to the npmjs registry.
Based on my understanding, these binaries do not contain liblzma, xz, or libarchive binaries. Instead, I assume they utilize the XZ version installed on the user's system.
If my assumption is correct, then I believe the package is safe and that it is up to the users to ensure that their systems do not contain compromised installed versions.
I would greatly appreciate it if you could confirm my understanding, address any concerns, and provide any additional necessary information.
So I made a quick search of the codebase and there are no mentions of liblzma and libarchive, and only a few areas where xz compression is leveraged.
Based on my familiarity with the build system and the lack of mentions of xz, liblzma, and libarchive in the codebase/repo files, I think we can conclude that the binaries utilized are from the user's system and that there are no vulnerabilities in this package itself.
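The check described in the reply above, automated as an added example (not code from the issue or from the app-builder project): a byte-level scan of extracted package files that flags binaries which dynamically link or embed liblzma or libarchive. It assumes the npm tarball has already been unpacked into a directory; the sample file contents are constructed, and the marker strings are real library file names and exported symbol names.

```python
"""Scan unpacked package files for liblzma / libarchive references."""
from pathlib import Path

# Shared-library names as they appear in ELF .dynstr, Mach-O load commands
# or PE import tables when a binary links the library dynamically.
DYNAMIC_MARKERS = (b"liblzma.so", b"liblzma.dylib", b"liblzma.dll",
                   b"libarchive.so", b"libarchive.dylib", b"archive.dll")
# Exported symbol names that survive static linking unless the binary is stripped.
STATIC_MARKERS = (b"lzma_stream_decoder", b"lzma_code", b"archive_read_new")


def classify(data):
    """Return the set of findings for one file's raw bytes."""
    findings = set()
    if any(marker in data for marker in DYNAMIC_MARKERS):
        findings.add("dynamic-link")
    if any(marker in data for marker in STATIC_MARKERS):
        findings.add("embedded-symbols")
    return findings


def scan_files(files):
    """Map {relative path: bytes} to {relative path: findings}, hits only."""
    return {name: hits for name, data in files.items() if (hits := classify(data))}


def scan_tree(root):
    """Read every regular file under root and scan it (reads files whole)."""
    root = Path(root)
    files = {str(p.relative_to(root)): p.read_bytes()
             for p in root.rglob("*") if p.is_file()}
    return scan_files(files)


# Constructed sample standing in for an unpacked package; not real binaries.
SAMPLE_PACKAGE = {
    "linux/app-builder": b"\x7fELF\x00libc.so.6\x00liblzma.so.5\x00",
    "mac/app-builder": b"\xcf\xfa\xed\xfe\x00lzma_code\x00",
    "package.json": b'{"name": "example"}',
}

if __name__ == "__main__":
    for name, hits in sorted(scan_tree(".").items() or scan_files(SAMPLE_PACKAGE).items()):
        print(f"{name}: {', '.join(sorted(hits))}")
```

A clean package yields an empty report; any "dynamic-link" hit means the bundled binary depends on the user's system liblzma, which is the situation the reply describes.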