[scummvm-devel] The xz debacle

[Lars Skovlund]

Hi all

When the ball rolled this weekend, I checked my local scummvm build to see
if it pulled the bad library in, and indeed it does! The likely dependency
chain is something like

	Scummvm -> SDL -> PulseAudio -> systemd -> lzma

Now, the actual payload checks whether argv[0] is sshd, but this might've
changed in the future, e.g. giving access to people's could storage.

Close call. Should we do anything in response?

/Lars