[scummvm-devel] The xz debacle

Lars Skovlund lskovlun at sprogklog.dk
Mon Apr 1 20:20:33 UTC 2024


Hi all

When the ball rolled this weekend, I checked my local scummvm build to see
if it pulled the bad library in, and indeed it does! The likely dependency
chain is something like

	Scummvm -> SDL -> PulseAudio -> systemd -> lzma

Now, the actual payload checks whether argv[0] is sshd, but this might've
changed in the future, e.g. giving access to people's cloud storage.

Close call. Should we do anything in response?

/Lars
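
The check described in the message above, as an added example that is not part of the original post: it looks for liblzma in a binary's load-time dependencies and reports which loaded libraries link it directly. The function names and the sample ldd output are constructed for illustration; ldd and objdump (binutils) are assumed to be installed.

```bash
#!/bin/sh
# Added example: does a binary load liblzma, and through which library?
# Caveats: run ldd only on binaries you trust (it can execute loader code),
# and note that libraries loaded later via dlopen() do not appear in ldd output.

# Constructed sample of `ldd` output mirroring the chain named in the post.
SAMPLE_LDD=$(cat <<'EOF'
    linux-vdso.so.1 (0x00007ffc00000000)
    libSDL2-2.0.so.0 => /lib/x86_64-linux-gnu/libSDL2-2.0.so.0 (0x00007f0000400000)
    libpulse.so.0 => /lib/x86_64-linux-gnu/libpulse.so.0 (0x00007f0000300000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000200000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f0000600000)
EOF
)

# Read ldd-style output on stdin; print the resolved path of each library.
resolved_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# Read ldd-style output on stdin; print liblzma lines, exit 1 if there are none.
find_liblzma() {
    grep -E '(^|[[:space:]])liblzma\.so[.0-9]*[[:space:]]'
}

# For a binary, print every loaded object (the binary itself included) that
# names liblzma in its own DT_NEEDED entries, i.e. the direct parents.
lzma_parents() {
    { echo "$1"; ldd "$1" | resolved_libs; } | while read -r lib; do
        if objdump -p "$lib" 2>/dev/null |
            grep -Eq 'NEEDED[[:space:]]+liblzma\.so'; then
            echo "$lib"
        fi
    done
}

# Usage: sh check_lzma.sh /path/to/binary   (script name is hypothetical)
if [ -n "${1:-}" ]; then
    if ldd "$1" | find_liblzma; then
        echo "direct parents of liblzma:"
        lzma_parents "$1"
    else
        echo "liblzma is not linked at load time"
    fi
fi
```
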

