XZ Utils in Valutwarden? ( aka liblzma-sys lib for Rust)

[Di3s3l]

Hello,
everyone, I don't know this is the most suitable place, but I'll try to raise a question that worries me anyway.
That is, could be relevant the "XZ Utils backdoor" in vaultwarden code?

That's becouse some rust library (like Portable-Network-Archive/liblzma-rs#106 ) use the compromised code version.

Thanks in advance to anyone who can answer me in any way

[BlackDex]

Vaultwarden does not use that crate.
You can verify this in multiple ways

1. By looking at https://github.com/dani-garcia/vaultwarden/blob/e1a8df96dbadfbf5ad36ce9aa2f31f34396166c2/Cargo.lock
2. By checking https://deps.rs/repo/github/dani-garcia/vaultwarden
3. By cloning the code, install https://crates.io/crates/cargo-tree and run cargo tree --all-features

[Di3s3l]

Thanks.
The 2nd link is very useful for future use :)

[RealOrangeOne]

The XZ utils backdoor was only exploitable in very specific cases, notably when loaded into openssh on a system which used systemd. If building XZ from source (downloaded from GitHub), the code wasn't vulnerable, it was only the distributed source tars which were.

And, with all of that said, it doesn't look like Vaultwarden depends on liblzma anyway (it's not mentioned in the Cargo.lock).

[Di3s3l]

Thanks 👍