[scummvm-devel] The xz debacle
Lothar Serra Mari
lothar.serramari at scummvm.org
Tue Apr 2 16:53:34 UTC 2024
Hi there,
> When the ball rolled this weekend, I checked my local scummvm build to see
> if it pulled the bad library in, and indeed it does! The likely dependency
> chain is something like
>
> Scummvm -> SDL -> PulseAudio -> systemd -> lzma
>
> Now, the actual payload checks whether argv[0] is sshd, but this might've
> changed in the future, e.g. giving access to people's cloud storage.
>
> Close call. Should we do anything in response?
At this point, there is nothing we can do to mitigate this.
In the case you described, it is up to the distribution itself to decide
if they want to link systemd against lzma/xz-utils.
Furthermore, even removing SDL wouldn't be sufficient. We somehow want to
have sound output, so we _have_ to use PulseAudio on distributions that
use this, which completes the dependency graph again.
Any kind of mitigation needs to be done on the distribution level; this
is outside the scope of our project.
--
Lothar Serra Mari
ScummVM Co-Lead
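The thread argues about whether a transitive link to liblzma exists; the practical question for a packager or a worried user is how to check it. The script below is an added example, not code from the ScummVM project or from anyone in this thread: it parses the DT_NEEDED entries of ELF64 files directly (no ldd, readelf or lddtree needed) and walks the dependency graph breadth-first until it reaches a library whose soname starts with a given prefix, printing the chain it found. The search directories are a simplification (the real loader also honours DT_RPATH/DT_RUNPATH and /etc/ld.so.cache), so a reported chain is reliable, while a negative result is not proof of absence. The sonames used in the constructed sample and in the self-test (libSDL2-2.0.so.0, libpulse.so.0, libsystemd.so.0, liblzma.so.5) are assumed names mirroring the chain described in the quoted message.

```python
"""Walk an ELF binary's DT_NEEDED graph to see whether liblzma is reachable.
Pure standard library: no ldd, readelf or lddtree required."""
import os
import struct
import sys
from collections import deque

# Search path used when resolving a soname to a file. A simplification:
# the real loader also honours DT_RPATH/DT_RUNPATH and /etc/ld.so.cache.
DEFAULT_DIRS = [d for d in os.environ.get("LD_LIBRARY_PATH", "").split(":") if d] + [
    "/lib", "/lib64", "/usr/lib", "/usr/lib64",
    "/lib/x86_64-linux-gnu", "/usr/lib/x86_64-linux-gnu",
]


def dt_needed_bytes(data):
    """Return the DT_NEEDED sonames recorded in an ELF64 image (bytes)."""
    if data[:4] != b"\x7fELF" or data[4] != 2:      # ELFCLASS64 only
        return []
    e = "<" if data[5] == 1 else ">"                  # EI_DATA: 1 = little-endian
    (e_shoff,) = struct.unpack_from(e + "Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from(e + "HH", data, 0x3A)
    sections = []                                     # (sh_type, sh_offset, sh_size, sh_link)
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        (sh_type,) = struct.unpack_from(e + "I", data, off + 4)
        sh_offset, sh_size = struct.unpack_from(e + "QQ", data, off + 0x18)
        (sh_link,) = struct.unpack_from(e + "I", data, off + 0x28)
        sections.append((sh_type, sh_offset, sh_size, sh_link))
    needed = []
    for sh_type, sh_offset, sh_size, sh_link in sections:
        if sh_type != 6:                              # SHT_DYNAMIC
            continue
        str_off = sections[sh_link][1]                # sh_link points at .dynstr
        for pos in range(sh_offset, sh_offset + sh_size, 16):
            d_tag, d_val = struct.unpack_from(e + "qQ", data, pos)
            if d_tag == 0:                            # DT_NULL terminates the table
                break
            if d_tag == 1:                            # DT_NEEDED: offset into .dynstr
                end = data.index(b"\0", str_off + d_val)
                needed.append(data[str_off + d_val:end].decode())
    return needed


def dt_needed(path):
    with open(path, "rb") as f:
        return dt_needed_bytes(f.read())


def system_needed_of(name, dirs=DEFAULT_DIRS):
    """Resolve a soname (or a path) on this host and return its DT_NEEDED list."""
    candidates = [name] if "/" in name else [os.path.join(d, name) for d in dirs]
    for p in candidates:
        if os.path.isfile(p):
            return dt_needed(p)
    return []                                         # unresolved: treat as a leaf


def chain_to(root, target_prefix, needed_of, max_depth=16):
    """Breadth-first search from root; return the first dependency chain
    ending in a soname that starts with target_prefix, or None."""
    seen = {root}
    queue = deque([[root]])
    while queue:
        chain = queue.popleft()
        if chain[-1].startswith(target_prefix):
            return chain
        if len(chain) >= max_depth:
            continue
        for dep in needed_of(chain[-1]):
            if dep not in seen:
                seen.add(dep)
                queue.append(chain + [dep])
    return None


def build_minimal_elf(needed):
    """Constructed sample: a minimal ELF64 carrying only .dynstr and .dynamic,
    so the parser can be exercised without touching host binaries."""
    strtab, offsets = b"\0", []
    for n in needed:
        offsets.append(len(strtab))
        strtab += n.encode() + b"\0"
    dyn = b"".join(struct.pack("<qQ", 1, o) for o in offsets) + struct.pack("<qQ", 0, 0)
    str_off, dyn_off = 64, 64 + len(strtab)
    shoff = dyn_off + len(dyn)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8          # ELF64, LE, SysV ABI
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)

    def shdr(sh_type, off, size, link):
        return struct.pack("<IIQQQQIIQQ", 0, sh_type, 0, 0, off, size, link, 0, 1, 0)

    return (ehdr + strtab + dyn + shdr(0, 0, 0, 0)
            + shdr(3, str_off, len(strtab), 0)        # SHT_STRTAB (.dynstr)
            + shdr(6, dyn_off, len(dyn), 1))          # SHT_DYNAMIC, sh_link -> .dynstr


if __name__ == "__main__":
    binary = sys.argv[1] if len(sys.argv) > 1 else "/bin/sh"
    chain = chain_to(binary, "liblzma", system_needed_of)
    print(" -> ".join(chain) if chain else "liblzma not reachable from " + binary)
```

Run it as `python3 lzma_chain.py /path/to/scummvm` on the host in question; the printed chain (or its absence) is what a distribution maintainer needs when deciding whether the systemd-to-liblzma link matters for their package. The `needed_of` callback is injectable so the walker can be driven from a recorded dependency map instead of the live filesystem, which is how the self-test below exercises it.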