Bug#1121667: steam-libs:i386 missing deps and also upstream client links to obsolete libvpx6

[Ximin Luo]

Simon McVittie:
> Control: retitle -1 steam-installer: upstream code doesn't work when incorrectly made setgid
> Control: tags -1 = upstream
> Control: severity -1 wishlist
> 
> On Thu, 04 Dec 2025 at 00:00:51 +0000, Ximin Luo wrote:
>> After some playing around I realised the error occured because I did a
>> `sudo chmod -R g+s` on `/opt/steam` recently, which mistakenly applied
>> this to *files* as well as directories.
> 
> This is not a supportable configuration, and I am not surprised that it doesn't work. General-purpose code is not designed to be given higher privileges than its parent process, and depending how that has been handled, it will either be silently insecure by accepting environment variables from its less-privileged caller ("fail open", the default if no code has been written to handle it), or detect the situation and refuse to operate ("fail closed").
> 
> Most programs would fail open in this situation, but some of the programs used internally by the Steam Runtime have been written more cautiously and fail closed.
> 
>> TBH this is still an upstream bug, it should not be segfaulting on incorrect permissions
> 
> This is a bug in the handling of assertion failures when an insecure configuration has been detected. It is unlikely to reach the top of anyone's priority queue this decade, but you never know.
> 

We observe the issue here in an insecure configuration, but have no idea how it might behave in other (e.g. secure) configurations, and therefore whether it's high or low priority. At least, as a user I have no idea. So I've reported it upstream anyway, they can decide.

https://github.com/ValveSoftware/steam-runtime/issues/787

Best,
Ximin

-- 
GPG: ed25519/56034877E1F87C35
https://github.com/infinity0/pubkeys.git