Bug#1121667: steam-libs:i386 missing deps and also upstream client links to obsolete libvpx6
Simon McVittie
smcv at debian.org
Thu Dec 4 09:33:03 GMT 2025
Control: retitle -1 steam-installer: upstream code doesn't work when incorrectly made setgid
Control: tags -1 = upstream
Control: severity -1 wishlist
On Thu, 04 Dec 2025 at 00:00:51 +0000, Ximin Luo wrote:
>After some playing around I realised the error occured because I did a
>`sudo chmod -R g+s` on `/opt/steam` recently, which mistakenly applied
>this to *files* as well as directories.
This is not a supportable configuration, and I am not surprised that it
doesn't work. General-purpose code is not designed to be given higher
privileges than its parent process, and depending how that has been
handled, it will either be silently insecure by accepting environment
variables from its less-privileged caller ("fail open", the default if
no code has been written to handle it), or detect the situation and
refuse to operate ("fail closed").
Most programs would fail open in this situation, but some of the
programs used internally by the Steam Runtime have been written more
cautiously and fail closed.
>TBH this is still an upstream bug, it should not be segfaulting on incorrect permissions
This is a bug in the handling of assertion failures when an insecure
configuration has been detected. It is unlikely to reach the top of
anyone's priority queue this decade, but you never know.
smcv
More information about the Pkg-games-devel
mailing list