[SOLVED] Seriously, who would advise anyone to use LM18.3 when its third party software is outdated?

Post by carum carvi » Fri Aug 02, 2019 9:45 pm

The new and shiny STABLE version of LM19.2 has just been released. With it come the latest security updates. Great! I love the new LM 19.2 release. It works flawlessly. No errors.

BUT...

Just for fun I decided to install LM18.3 as well in a dual boot installation, because it has such a good rep of being a stable version without any bugs. But the real reason I installed LM18.3 was because my girlfriend with older hardware still uses it. I thought I could probably be of better help if I had the same OS.

What I quickly realised though was the simple and terrifying FACT that the Vlc Mediaplayer in LM18.3 was NOT updated. It was still at version 2.2, while the LM19.1 and LM19.2 version of Vlc Mediaplayer was at version 3.0.7.1

Why does this matter VERY MUCH?!
Because recently Vlc Mediaplayer has got a CRITICAL security bug. ANYONE still using LM18.3 is a sitting duck. Waiting to be hit by a critical security bug. Fortunately this security bug in Vlc has not been reproduced by the Vlc team. Still it is a telltale sign...

My point is, that 3rd party Vlc software, (used by MILLIONS), is inherently vulnerable in older LinuxMint versions, like LM18.3.

I write this post to raise consciousness about this vulnerability in older LinuxMint 3rd party software, which does NOT get the security upgrades. My guess is that many newbies have no clue that they are using severely UNsecure 3rd party software.

Should there not be a warning attached to 3rd party software in older LinuxMint software?
Last edited by carum carvi on Sun Aug 04, 2019 3:43 am, edited 6 times in total.

Post by phd21 » Fri Aug 02, 2019 10:38 pm

Hi "carum carvi",

Although I really like VLC, there are other multimedia players like the excellent SMPlayer that was not affected by the "security bug" in VLC.

FYI: Anyone can install a newer version of VLC like v3.xx in Linux Mint 18.3 using their AppImage or Snap packages and 19.x users by using their VLC Master Daily PPA for VLC v4.xx.

Tip Regarding Linux Mint 18.x: Delete the desktop and/or menu shortcuts for the installed VLC v2.xx before installing the AppImage or Snap versions, which will create other VLC launchers. Caution: removing this version VLC v2.xx from the Software Manager or Synaptic Package Manager (SPM) may remove a lot of other stuff; deleting the menu or desktop shortcut launchers so that a user cannot run it is enough.

vlc-3-appimage for Linux Mint 18.x users
https://dl.bintray.com/probono/AppImage ... 4.AppImage

Install VLC for Linux using the Snap Store | Snapcraft
https://snapcraft.io/vlc

Linux Mint 19.x users VLC v4.xx
VLC PPA - Daily Build of master branch : “Videolan” team
https://launchpad.net/~videolan/+archiv ... ster-daily


Hope this helps ...
Phd21: Mint KDE 18.3 & 19, 64-bit Awesome OS, Ancient Dell OptiPlex 780 Core2Duo E8400 3GHz,4gb Ram,256gb SDD, Video: Intel 4 Graphics, DVD Lightscribe. Why I use KDE?:https://opensource.com/life/15/4/9-reasons-to-use-kde

Post by MrEen » Fri Aug 02, 2019 11:03 pm

Me.

As per here:
An issue was discovered in zlib_decompress_extra in
modules/demux/mkv/util.cpp in VideoLAN VLC media player 3.x through 3.0.7.
18.3 doesn't have access to any 3.x version of VLC so isn't affected.

I found another security issue regarding the library faad2 that VLC uses. Again, 18.3 not affected as it's not installed.

Another one is libebml4v5, which Ubuntu has patched with version 1.3.3-1ubuntu0.1

Based on recent events, I wouldn't recommend downloading videos from unknown/untrusted sites then using VLC to play them. But then again, I wouldn't have recommended that before either.
carum carvi wrote:
Fri Aug 02, 2019 9:45 pm
Should there not be a warning attached to 3rd party software in older LinuxMint software?
How would you attach a warning to something that may have been downloaded 3 years ago? And it's Ubuntu software in this case, like almost everything in Software Manager is.

We do still get security updates when Ubuntu knows there's an issue. The biggest issue is getting users to apply the updates as so many recommended updating levels 1 and 2 only. I've recently seen a user of an 18.x version of Mint running a kernel that had received 60 updates since the one they were running. But kernels were a level 4 update so were never applied.

I'm not trying to rag on your post, as there is massively outdated software in the xenial repos. But the known security issues do usually get patched assuming the severity level is high enough.

Post by sleeper12 » Fri Aug 02, 2019 11:04 pm

It begs the question why no vlc updates in update manager?

Post by carum carvi » Fri Aug 02, 2019 11:29 pm

Ok. my bad. Thanks for that explanation Mr Een. I yelled FIRE without any reason. Sorry. :oops: Still you do reaffirm some of my worries about other outdated LinuxMint software in general. Vlc is not an issue, but some other LinuxMint software, might be...? Well, nothing is perfect of course...

But I must say that your explanation did give me the reassurance that critical security issues in NEW software do NOT automatically mean that older software is affected as well. That is very comforting to know. I never realised that an older software version could be protected from new security bugs, simply by not using the newest software updates.

Phd21, thanks for your detailed solutions to solve the Vlc bug as well. You are always an incredibly resourceful help on this forum.

Sleeper12, there ARE security updates for Vlc. They have already been updated. Everybody is secure right now! Vlc was just an example, which I mistakenly used to prove a point about older software. I learned a good lesson here. Thanks everybody. Sorry for my ignorance... :oops:
Last edited by carum carvi on Fri Aug 02, 2019 11:38 pm, edited 1 time in total.

Post by sleeper12 » Fri Aug 02, 2019 11:38 pm

Ok, gotcha, makes sense now.

Post by phd21 » Fri Aug 02, 2019 11:39 pm

Hi "carum carvi",
carum carvi wrote:Phd21, thanks for your detailed solutions to solve the Vlc bug as well. You are always an incredibly resourceful help on this forum.
You are welcome from all of us that replied...

... and Thank you.
Phd21: Mint KDE 18.3 & 19, 64-bit Awesome OS, Ancient Dell OptiPlex 780 Core2Duo E8400 3GHz,4gb Ram,256gb SDD, Video: Intel 4 Graphics, DVD Lightscribe. Why I use KDE?:https://opensource.com/life/15/4/9-reasons-to-use-kde

Post by MrEen » Fri Aug 02, 2019 11:44 pm

Not everything is fixed in the xenial version of VLC but I honestly don't know if it was affected in the first place. @smurphos's post in that other thread had some links to CVEs that said needed for xenial, but the CVE stated 3.x versions of VLC in all but one case and xenial is still at 2.2.

Again, some personal responsibility comes into play in most of the issues I've read about. But I know some can't resist that kittens_playing.mp4 email attachment.

Post by michael louwe » Sat Aug 03, 2019 12:15 am

sleeper12 wrote:
Fri Aug 02, 2019 11:04 pm
It begs the question why no vlc updates in update manager?
.
Some background information about this issue ... https://www.ghacks.net/2019/07/24/confu ... erability/ - Confusion about a recently disclosed vulnerability in VLC Media Player - July 24, 2019

It is the responsibility of Canonical PLC-Ubuntu to provide the latest VLC stable version, ie VLC 3.0.7, to all LTS-supported versions of Ubuntu and her derivatives like Linux Mint via the update channel. Somehow, Canonical Limited-Ubuntu has been shirking her responsibility wrt VLC support in Ubuntu 16.04 and Ubuntu 18.04.

Videolan provides the latest VLC 3.0.7 downloads and installs for all supported versions of Windows(= Win 7/8.1/10) and MacOS.
....... Ubuntu 16.04/LM 18.x/18.04/LM 19.0 cannot install VLC 3.0.x except via Snap or Flatpak or AppImage. In comparison, Debian 9/Stretch provides VLC 3.0.x via updates. Canonical seems to be pushing her users onto Snap. May be time to abandon Ubuntu and move to a user-friendly Debian-based Linux distro like LMDE, MX-Linux/Anti-X and Sparkylinux.

Post by MrEen » Sat Aug 03, 2019 12:31 am

libebml (1.3.3-1ubuntu0.1) xenial-security; urgency=medium

* SECURITY UPDATE: heap-based out of bounds read
- debian/patches/CVE-2019-13615-1.patch: check the max size to read
before actually reading in src/EbmlElement.cpp.
- debian/patches/CVE-2019-13615-2.patch: do not output an element with
size Unknown if it's not allowed in src/EbmlElement.cpp.
- debian/patches/CVE-2019-13615-3.patch: exit the max size loop when
there's nothing left possible to find in src/EbmlElement.cpp.
- debian/patches/CVE-2019-13615-4.patch: rework the way we look at the
end boundary when looking an element in a parent in
src/EbmlElement.cpp.
- CVE-2019-13615

-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 24 Jul 2019 14:03:37 -0400

Post by michael louwe » Sat Aug 03, 2019 7:54 am

carum carvi wrote:
Fri Aug 02, 2019 9:45 pm
What I quickly realised though was the simple and terrifying FACT that the Vlc Mediaplayer in LM18.3 was NOT updated. It was still at version 2.2, while the LM19.1 and LM19.2 version of Vlc Mediaplayer was at version 3.0.7.1
.
There is an unofficial VLC 3.x PPA available for LM 18.3/LM 19.0/Ubuntu 16.04/Ubuntu 18.04 .......
https://www.omgubuntu.co.uk/2019/06/vlc ... all-ubuntu - VLC 3.0.7 Released with Improved MP4 Support, 42 Security Fixes - 16 June 2019

Post by sleeper12 » Sun Aug 04, 2019 3:13 pm

michael louwe wrote:
Sat Aug 03, 2019 7:54 am
There is an unofficial VLC 3.x PPA available for LM 18.3/LM 19.0/Ubuntu 16.04/Ubuntu 18.04 .......
https://www.omgubuntu.co.uk/2019/06/vlc ... all-ubuntu - VLC 3.0.7 Released with Improved MP4 Support, 42 Security Fixes - 16 June 2019
I installed that on my Mint 18 and all went smoothly, no need to delete or remove anything beforehand. Thanks.
The Snap stuff gave me nothing but errors like "No such command", so I gave up on that.

Post by lsemmens » Sun Aug 04, 2019 8:34 pm

Here's a silly thought. VLC 2 was working happily on millions of machines before this bug was discovered. Guess what? It will continue to work, even now. A good example is the TAKATA airbag problem, it is not going to affect you UNLESS you have an accident, THEN, and ONLY THEN will it affect you. How many kilometres have people driven with those faulty airbags and are still here to tell us about it. Should the airbags be fixed, HELL YEAH! Your life may rely on it. Are you likely to be using your airbag? I'd hope not, unless you were into extreme sports with a high chance of accident in your car. Same holds true for computers, the vulnerability is there, FACT, is it likely to affect the "average" user, unlikely, unless they are into "extreme sports" (read - norty things) on their computer.

The bottom line is, if you are able to drive the latest and greatest with the highest safety rating, then do so. If not, don't drive around as though everyone is out to get you or you'll cause more accidents. If your computer is capable of the latest and greatest and that latest and greatest is also FREE, why would you not use it. If your computer is NOT up to the latest and greatest, the only difference would be that you take a little more care on the "information highway".
Kernel: 4.15.0-46-generic x86_64 bits
Desktop: Cinnamon 3.8.9
Distro: Linux Mint 19 Tara

Laptop HP-ProBook-470-G2 8Gb RAM SSD
Server AMD Phenom 9650 - GEForce 9400GT 6Gb RAM
+ three other Mint machines
Out of my mind - please leave a message

Post by sleeper12 » Sun Aug 04, 2019 9:58 pm

After all that, now I see there is an update in Update Manager. It figures. :lol:
I took the update, so is it ok to just remove the ppa's or what?

Post by michael louwe » Sun Aug 04, 2019 11:06 pm

sleeper12 wrote:
Sun Aug 04, 2019 9:58 pm
After all that, now I see there is an update in Update Manager. It figures. :lol:
I took the update, so is it ok to just remove the ppa's or what?
I think that update is from and for the VLC 3.x PPA, as maintained/supported by the PPA's developer, ie the update is not from Ubuntu or LM. If VLC 3.x is working OK after the update, do not remove the PPA. "Do not fix what ain't broken".

Post by michael louwe » Sun Aug 04, 2019 11:20 pm

lsemmens wrote:
Sun Aug 04, 2019 8:34 pm
Here's a silly thought. VLC 2 was working happily on millions of machines before this bug was discovered. Guess what? It will continue to work, even now. A good example is the TAKATA airbag problem, it is not going to affect you UNLESS you have an accident, THEN, and ONLY THEN will it affect you. How many kilometres have people driven with those faulty airbags and are still here to tell us about it. Should the airbags be fixed, HELL YEAH! Your life may rely on it.
In this case, Ubuntu does not seem to be fixing the problem for those affected users stuck on VLC 2.x, ie fixing it via the normal update channel and not via "beta" Snap packages. In comparison, the Takata problem is being gradually fixed due to the sheer number of affected users in many different countries. Cf .......
https://www.consumerreports.org/car-rec ... d-to-know/ - Takata Airbag Recall: Everything You Need to Know. What this recall means to you and what actions you should take - March 29, 2019
.
.
P S - Remember how the fixes for the Meltdown & Spectre bugs were issued for all supported versions of Ubuntu, ie Ubuntu 14.04, Ubuntu 16.04 and Ubuntu 17.10, in Jan-March 2018?

Post by sleeper12 » Sun Aug 04, 2019 11:38 pm

michael louwe wrote:
Sun Aug 04, 2019 11:06 pm
I think that update is from and for the VLC 3.x PPA, as maintained/supported by the PPA's developer, ie the update is not from Ubuntu or LM. If VLC 3.x is working OK after the update, do not remove the PPA. "Do not fix what ain't broken".
Since I already had 3.0.7.1, the update confused me. Now I'm not sure if I have vlc from the ppa or the update. It worked fine before & after, so I guess (hope) I'm good.

Post by smurphos » Mon Aug 05, 2019 12:17 am

sleeper12 wrote:
Sun Aug 04, 2019 11:38 pm
Since I already had 3.0.7.1, the update confused me. Now I'm not sure if I have vlc from the ppa or the update. It worked fine before & after, so I guess (hope) I'm good.
You can check with the command apt policy vlc
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.

Post by michael louwe » Mon Aug 05, 2019 12:51 am

sleeper12 wrote:
Sun Aug 04, 2019 11:38 pm
michael louwe wrote:
Sun Aug 04, 2019 11:06 pm
I think that update is from and for the VLC 3.x PPA, as maintained/supported by the PPA's developer, ie the update is not from Ubuntu or LM. If VLC 3.x is working OK after the update, do not remove the PPA. "Do not fix what ain't broken".
Since I already had 3.0.7.1, the update confused me. Now I'm not sure if I have vlc from the ppa or the update. It worked fine before & after, so I guess (hope) I'm good.
IIRC, for my LM 17.3 system, I had to first uninstall the preinstalled and upgraded normal version of Firefox 57 before installing Firefox 52.x ESR from a PPA. Otherwise, I experienced some conflicts, eg could not install legacy add-ons since I wanted to avoid the newly imposed web-extensions. Later, I uninstalled FF 52.x ESR and installed the newer FF 60.x ESR from a PPA.

So, if you still have VLC 2.x installed, you should uninstall it, so as not to have software conflicts and be confused with both VLC 2.x and VLC 3.x installed.
....... If by doing so presents a problem, ensure that both VLC 2.x and VLC 3.x are uninstalled, then reinstall only VLC 3.x via PPA.

Post by sleeper12 » Mon Aug 05, 2019 2:17 am

smurphos wrote:
Mon Aug 05, 2019 12:17 am
You can check with the command apt policy vlc
Here's the results:

 sleeper@sleeper-MM061 ~ $ apt policy vlc
vlc:
  Installed: 3.0.7.1-1~16.04.york0
  Candidate: 3.0.7.1-1~16.04.york0
  Version table:
 *** 3.0.7.1-1~16.04.york0 500
        500 http://ppa.launchpad.net/jonathonf/vlc-3/ubuntu xenial/main i386 Packages
        100 /var/lib/dpkg/status
     2.2.2-5ubuntu0.16.04.4 500
        500 http://mirror.cogentco.com/pub/linux/ubuntu xenial-updates/universe i386 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/universe i386 Packages
     2.2.2-5 500
        500 http://mirror.cogentco.com/pub/linux/ubuntu xenial/universe i386 Packages 
Does this look right? If not, what should I do?
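
An added example, not part of any post in this thread: a shell sketch that reads `apt policy` output such as the listing above and reports which repository supplies the installed version, and which version the distribution archive itself still offers. The function names are hypothetical, and the embedded sample is the output quoted above.

```bash
# Added example: classify where the installed version of a package comes from,
# given `apt policy <pkg>` output on stdin. Function names are hypothetical.
sample_policy() {
cat <<'EOF'
vlc:
  Installed: 3.0.7.1-1~16.04.york0
  Candidate: 3.0.7.1-1~16.04.york0
  Version table:
 *** 3.0.7.1-1~16.04.york0 500
        500 http://ppa.launchpad.net/jonathonf/vlc-3/ubuntu xenial/main i386 Packages
        100 /var/lib/dpkg/status
     2.2.2-5ubuntu0.16.04.4 500
        500 http://mirror.cogentco.com/pub/linux/ubuntu xenial-updates/universe i386 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/universe i386 Packages
     2.2.2-5 500
        500 http://mirror.cogentco.com/pub/linux/ubuntu xenial/universe i386 Packages
EOF
}

# Origin URLs listed under the installed ("***") version; source lines are indented 8 spaces.
installed_origins() {
  awk '
    /Version table:/ { in_table = 1; next }
    !in_table        { next }
    /^        /      { if (installed && $2 ~ /^https?:/) print $2
                       next }
                     { installed = ($1 == "***") }
  '
}

# Newest version (the table is sorted newest first) offered by a non-PPA origin.
archive_version() {
  awk '
    /Version table:/ { in_table = 1; next }
    !in_table        { next }
    /^        /      { if ($2 ~ /^https?:/ && $2 !~ /ppa\.launchpad\.net/) { print ver; exit }
                       next }
                     { ver = ($1 == "***") ? $2 : $1 }
  '
}

# Prints one of: not-installed, local-only, ppa, archive.
classify() {
  policy=$(cat)
  case "$policy" in *"Installed: (none)"*) echo "not-installed"; return ;; esac
  origins=$(printf '%s\n' "$policy" | installed_origins)
  if [ -z "$origins" ]; then
    echo "local-only"   # only /var/lib/dpkg/status: no repository will update it
  elif printf '%s\n' "$origins" | grep -q 'ppa\.launchpad\.net'; then
    echo "ppa"          # fixes arrive only when the PPA maintainer publishes them
  else
    echo "archive"      # fixes arrive through the distribution update channel
  fi
}

# On a live system: apt-cache policy vlc | classify
echo "installed from: $(sample_policy | classify)"
echo "newest archive version: $(sample_policy | archive_version)"
```

For the listing above this reports the installed 3.0.7.1 build as coming from the PPA, while the xenial archive and xenial-security still offer 2.2.2-5ubuntu0.16.04.4.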
