[scummvm-devel] The xz debacle

Lothar Serra Mari lothar.serramari at scummvm.org
Tue Apr 2 16:53:34 UTC 2024


Hi there,

> When the ball rolled this weekend, I checked my local scummvm build to see
> if it pulled the bad library in, and indeed it does! The likely dependency
> chain is something like
> 
> 	Scummvm -> SDL -> PulseAudio -> systemd -> lzma
> 
> Now, the actual payload checks whether argv[0] is sshd, but this might've
> changed in the future, e.g. giving access to people's cloud storage.
> 
> Close call. Should we do anything in response?

At this point, there is nothing we can do to mitigate this.

In the case you described, it is up to the distribution itself to decide 
if they want to link systemd against lzma/xz-utils.

Furthermore, even removing SDL wouldn't be sufficient. We somehow want to 
have sound output, so we _have_ to use PulseAudio on distributions that 
use this, which completes the dependency graph again.

Any kind of mitigation needs to be done on the distribution level; this 
is outside the scope of our project.

-- 
Lothar Serra Mari
ScummVM Co-Lead
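The thread asserts a transitive dependency chain from the scummvm binary to liblzma without showing how to confirm it on a given install. The script below is an added example, not code from the ScummVM project or from either mail author: it reads DT_NEEDED entries straight out of little-endian ELF64 files, walks them through a fixed list of library directories, and prints every chain from a binary to liblzma. The directory list and the loader behaviour it mimics are simplifications (no ld.so.conf, RPATH/RUNPATH or LD_LIBRARY_PATH handling, and binaries whose section headers were stripped are treated as leaves), and the SAMPLE_DEPS table is a constructed stand-in mirroring the chain from the mail, not real linkage data for any distribution.

```python
import os
import struct
import sys

ELF_MAGIC = b"\x7fELF"
SHT_DYNAMIC = 6
DT_NULL, DT_NEEDED = 0, 1

# Assumed search directories for DT_NEEDED names. This is a deliberate
# simplification of ld.so: no ld.so.conf, RPATH/RUNPATH or LD_LIBRARY_PATH.
DEFAULT_LIB_DIRS = [
    "/lib", "/usr/lib", "/lib64", "/usr/lib64",
    "/lib/x86_64-linux-gnu", "/usr/lib/x86_64-linux-gnu",
]

# Constructed sample mirroring the chain described in the mail. Real linkage
# differs between distributions (e.g. which PulseAudio library links libsystemd).
SAMPLE_DEPS = {
    "scummvm": ["libSDL2-2.0.so.0", "libc.so.6"],
    "libSDL2-2.0.so.0": ["libpulse.so.0", "libc.so.6"],
    "libpulse.so.0": ["libsystemd.so.0", "libc.so.6"],
    "libsystemd.so.0": ["liblzma.so.5", "libc.so.6"],
    "liblzma.so.5": ["libc.so.6"],
    "libc.so.6": [],
}


def needed_libs(path):
    """Return the DT_NEEDED names of a little-endian ELF64 file without using ldd."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != ELF_MAGIC:
        raise ValueError(f"{path}: not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError(f"{path}: only little-endian ELF64 is handled here")
    # ELF64 header: e_ident[16], then the fixed-size fields; we need the
    # section header table offset, entry size and count.
    hdr = struct.unpack_from("<16sHHIQQQIHHHHHH", data, 0)
    e_shoff, e_shentsize, e_shnum = hdr[6], hdr[11], hdr[12]
    sections = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    names = []
    for sh in sections:
        sh_type, sh_offset, sh_size, sh_link = sh[1], sh[4], sh[5], sh[6]
        if sh_type != SHT_DYNAMIC:
            continue
        str_off = sections[sh_link][4]  # sh_link points at .dynstr
        for off in range(sh_offset, sh_offset + sh_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:
                start = str_off + d_val
                names.append(data[start:data.index(b"\x00", start)].decode())
    return names


def resolve(name, lib_dirs=DEFAULT_LIB_DIRS):
    """First file named `name` in the assumed library directories, or None."""
    for d in lib_dirs:
        p = os.path.join(d, name)
        if os.path.isfile(p):
            return p
    return None


def build_graph(binary, lib_dirs=DEFAULT_LIB_DIRS):
    """Map the binary and every transitively needed library to its DT_NEEDED names."""
    graph = {}
    todo = [(binary, binary)]
    while todo:
        name, path = todo.pop()
        if name in graph:
            continue
        try:
            graph[name] = needed_libs(path)
        except (OSError, ValueError):
            graph[name] = []  # unreadable or unsupported file: treat as a leaf
            continue
        for dep in graph[name]:
            p = resolve(dep, lib_dirs)
            if p is not None:
                todo.append((dep, p))
    return graph


def find_chains(graph, root, target):
    """All simple paths from root to any node whose basename starts with target."""
    chains = []

    def dfs(node, path):
        if os.path.basename(node).startswith(target):
            chains.append(path)
            return
        for dep in graph.get(node, []):
            if dep not in path:
                dfs(dep, path + [dep])

    dfs(root, [root])
    return chains


if __name__ == "__main__":
    # Usage: python3 lzma_chain.py /usr/bin/scummvm   (falls back to SAMPLE_DEPS)
    root = sys.argv[1] if len(sys.argv) > 1 else "scummvm"
    graph = build_graph(root) if os.path.isfile(root) else SAMPLE_DEPS
    for chain in find_chains(graph, root, "liblzma"):
        print(" -> ".join(chain))
```

On a real install the output lists each distinct path by which liblzma is reached, which is what a packager needs to judge whether a given chain (SDL via PulseAudio via libsystemd, or something else entirely) is the one pulling the library in; an empty result from this script is not proof of absence, because dlopen'ed plugins and loader search paths it does not model are not followed.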

