[scummvm-devel] The xz debacle
Lars Skovlund
lskovlun at sprogklog.dk
Mon Apr 1 20:20:33 UTC 2024
Hi all
When the ball rolled this weekend, I checked my local scummvm build to see
if it pulled the bad library in, and indeed it does! The likely dependency
chain is something like
ScummVM -> SDL -> PulseAudio -> systemd -> lzma
Now, the actual payload checks whether argv[0] is sshd, but this might've
changed in the future, e.g. giving access to people's cloud storage.
Close call. Should we do anything in response?
/Lars