| 24 Jan 2025 |
emily | IMO just drop SDL1 from there in general, highly doubt anything we package as an appimage needs it. (continue in the security discussions room?) | 11:56:42 |
tgerbet | Debian tracker lists the commit introducing the issue https://security-tracker.debian.org/tracker/CVE-2022-27470
Might want to check if it really impacts SDL1; I'm on mobile, so it is annoying to do
(But yeah dropping old stuff like that is needed) | 12:04:33 |
emily | I think the answer to "is a 90s-vintage TTF-handling library from a previous deprecated major version vulnerable to malicious TTF files" is "yes", no code diving required | 12:06:08 |
emily | thankfully in most use cases that's going to be a wrong-side-of-the-airtight-hatchway thing; games generally don't let your network opponent supply their own font | 12:06:23 |
emily | but it's still not great | 12:08:02 |
emily | (oops, this is triage room again) | 12:08:02 |