[SOLVED] Seriously, who would advise anyone to use LM18.3 when it's third party sofware is outdated?

[smurphos]

Does this look right? If not, what should I do?

All good - you are running the PPA version at 3.0.7

[sleeper12]

Does this look right? If not, what should I do?

All good - you are running the PPA version at 3.0.7

Still not sure what the update was for though, but no harm done. Thanks to all.

[carum carvi]

Just to be clear and to avoid misunderstandings I want to repeat the general conclusion of this thread, that anyone who applies all the regular updates will have gotten the newest and secure version of Vlc Mediaplayer. Anyone using the 2.x version in LM 18/18.1/18.2/18.3 is not affected and does not have to upgrade.

Sleeper12, whatever version you are using right now, you can be sure it is the safe and secure version. In the software manager you can see which version(s) of Vlc you have got installed. Simply open the Software Manager, type in "Vlc" and whatever version of Vlc that is installed, will be listed there. You can remove the Flatpak version if it is installed and keep using the regular LinuxMint Vlc version. Or the other way around. The flatpak version eats up diskspace (over 1 GB) though, so I have removed the Vlc Flatpak version myself and kept the regular Vlc version, LinuxMint offered to me via the Update Manager weeks ago.

[sleeper12]

No problem, I have the PPA version 3.0.7.1 showing in package manager & vlc itself says 3.0.7.1.

[michael louwe]

Just to be clear and to avoid misunderstandings I want to repeat the general conclusion of this thread, that anyone who applies all the regular updates will have gotten the newest and secure version of Vlc Mediaplayer. Anyone using the 2.x version in LM 18/18.1/18.2/18.3 is not affected and does not have to upgrade.

.
AFAIK, that is the wrong conclusion, ie VLC 3.0.7 has one less CVE vulnerability than VLC 2.2.x.

Ubuntu 18.04 or earlier and LM 19.0 or earlier do provide VLC upgrades from VLC 2.2.x to VLC 3.0.7 but only via Snap or flatpak packages respectively, ie no longer via the normal Update Manager. Seems Canonical Ltd is pushing Ubuntu users onto her walled-off Snap Store.
....... Ubuntu 18.04.1 and LM 19.1 or later come with VLC 3.0.7 in the repositories for the users to manually install via Software Manager. After install, it will be updated by Ubuntu to VLC 3.0.7.x via Update Manager.

In comparison, Canonical Ltd is still providing upgrades to the latest versions of the Firefox browser for both Ubuntu 16.04.x and 18.04.x via Update Manager, though a bit later than Windows users. The latest Firefox version is also available in the Snap Store.
....... This difference from VLC is likely because Firefox come preinstalled in Ubuntu.

In conclusion, all users of supported versions of desktop Linux should be running VLC 3.0.7.x or later, either via manual install of VLC 3.0.7 on the latest Linux versions(eg Ubuntu 18.04.2 or LM 19.2) or upgrade from VLC 2.2.x to VLC 3.0.7 via PPA, Snap or flatpak packages on the older Linux versions(eg Ubuntu 16.04.3 or LM 18.3).

[smurphos]

Ubuntu 18.04 or earlier and LM 19.0 or earlier do provide VLC upgrades from VLC 2.2.x to VLC 3.0.7 but only via Snap or flatpak packages respectively, ie no longer via the normal Update Manager. Seems Canonical Ltd is pushing Ubuntu users onto her walled-off Snap Store.
....... Ubuntu 18.04.1 and LM 19.1 or later come with VLC 3.0.7 in the repositories for the users to manually install via Software Manager. After install, it will be updated by Ubuntu to VLC 3.0.7.x via Update Manager..

Michael your fact are still not quite straight - all the Mint 19.x versions and all the Ubuntu 18.04.x versions use the same Ubuntu bionic repos - they all have 3.0.7 available via those regular repos as an update.

Agreed the version 2.x of VLC from the repos in 18.x still needs patching - Ubuntu say those themselves for CVE-2019-5439 which affects any VLC < 3.07.

[michael louwe]

...

.
AFAIK:

As per https://www.ghacks.net/2018/02/07/vlc-3 ... r-release/ , VLC 3.0 was released in mid-Feb 2018 and Ubuntu 18.04 LTS was released in mid-April 2018. So, it was very likely that Ubuntu 18.04 was released in April 2018 with VLC 2.2.x in the Ubuntu repositories and not VLC 3.0, as implied by https://linuxize.com/post/how-to-instal ... ntu-18-04/ and the OP. IOW, in April 2018, those initial Ubuntu 18.04 LTS users would be manually installing VLC 2.2.x, not VLC 3.0.

Likely, only sometime much later after the first release of Ubuntu 18.04 LTS in April 2018, was the Ubuntu repositories updated/refreshed from VLC 2.2.x to VLC 3.0.x, so that those who ran Ubuntu 18.04 with updated/refreshed repositories sometime after April 2018(eg in Aug 2018), would be manually installing VLC 3.0.x, instead of VLC 2.2.x.

Anyway, Ubuntu 16.04.x and LM 18.x users were definitely running VLC 2.x by default or at first install of the OS and VLC.

[smurphos]

18.04 and Mint 19 originally shipped with 3.0.1-3 - no need for guesswork or resorting to poorly informed tech blogs

https://packages.ubuntu.com/search?keywords=vlc

or from a 19.x machine

Code: Select all

steve@steve-Inspiron-5580:~$ apt policy vlc
vlc:
  Installed: 3.0.7.1-0ubuntu18.04.1
  Candidate: 3.0.7.1-0ubuntu18.04.1
  Version table:
 *** 3.0.7.1-0ubuntu18.04.1 500
        500 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     3.0.1-3build1 500
        500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages

Also - http://changelogs.ubuntu.com/changelogs ... /changelog

11 Mar 2018 was the date 3.0.1.-3 was added to the (at the time beta pre-release) bionic repos.

[michael louwe]

.18.04 and Mint 19 originally shipped with 3.0.1-3 - no need for guesswork or resorting to poorly informed tech blogs ..

.

. About the "security issue" on #VLC : VLC is not vulnerable.
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.......
.
The reporter is using Ubuntu 18.04, which is an old version of Ubuntu, and clearly has not all the updated libraries.

https://twitter.com/videolan/status/115 ... 3-0-7-1%2F
https://trac.videolan.org/vlc/ticket/22474

To clarify, when Ubuntu 18.04 was first released in mid-April 2018, it came with VLC 3.0.1.x which was vulnerable to the CVE bug. Only VLC 3.0.3.x or later was not vulnerable.

[smurphos]

the CVE bug

Which one? There were 5 unpatched at one point IIRC - one of which was not VLC at all, but libebml which is a library from Matroksa. That only got fixed very recently in Debian & Ubuntu irrespective of VLC version because when Matroksa found and fixed the flaw upstream circa 18 months ago or whatever they never assigned a CVE so Debian / Ubuntu etc had no idea....

The libebml vulnerability is now patched in both 18.x and 19.x even with VLC 2.2.x in 18.x

[carum carvi]

Agreed the version 2.x of VLC from the repos in 18.x still needs patching - Ubuntu say those themselves for CVE-2019-5439 which affects any VLC < 3.07.

The (above mentioned) security issue published by the VLc team themselves:
https://www.videolan.org/security/sa1901.html

My apologies, that I misunderstood the information that I have read before.

I would like to give the less informed user (like myself) a cut and dry advice/conclusion. So, is it safe to state the following?

All the LM19/19.1/19.2 users are safe and secure and will have already automatically updated to the newest safe and secure Vlc version.
All the LM 18/18.1/18.2/18.3 users are not updated yet and are (in theory at least) still vulnerable.

I installed LM18.3 at the end of july and Vlc version 2.2 was indeed still being used, even after downloading all the newest updates. I have also read though that the Vlc team (although perhaps not an objective party) mentioned that they themselves were not able to reproduce the bug in real life. If that's true, the question that remains if there is a real security issue to be worry about it? Other forummembers already gave the sound advice to use common sense when downloading videos, but that is indeed the same as saying to a playful kitten that he/she should remain calm and not tear down the newly bought couch...

For all those presumed vulnerable LM 18/18.1/18.2/18.3 LinuxMint users out there, they are able to upgrade to the safe and secure newest Vlc version by simply manually installing the Vlc Flatpak version from within the familiar and trusted Software Manager in LinuxMint.

Ubuntu 18.04 or earlier and LM 19.0 or earlier do provide VLC upgrades from VLC 2.2.x to VLC 3.0.7 but only via Snap or flatpak packages respectively, ie no longer via the normal Update Manager.

[michael louwe]

. The libebml vulnerability is now patched in both 18.x and 19.x even with VLC 2.2.x in 18.x.

.
Are you sure.?

As per http://changelogs.ubuntu.com/changelogs ... rse/v/vlc/ and http://changelogs.ubuntu.com/changelogs ... /changelog , the last patch/update from Ubuntu for VLC 2.2.x was dated 6 Dec 2017, quite long before videolan.org patched the aforementioned CVE bug in May 2018 with the release of VLC 3.0.3 (= 16 months ago)

So, it's unlikely that VLC 2.2.x in LM 18.x or Ubuntu 16.04.x has been patched by Ubuntu for the aforementioned CVE bug via Update Manager.

[smurphos]

. The libebml vulnerability is now patched in both 18.x and 19.x even with VLC 2.2.x in 18.x.

.
Are you sure.?

Wrong changelogs - remember that one wasn't a VLC bug at all in linux as the library isn't shipped by VLC

19.x - http://changelogs.ubuntu.com/changelogs ... /changelog

18.x - http://changelogs.ubuntu.com/changelogs ... /changelog

[michael louwe]

The (above mentioned) security issue published by the VLc team themselves:
https://www.videolan.org/security/sa1901.html

Your's refer to CVE-2019-5439, CVE-2019-12874.

https://www.ghacks.net/2019/07/24/confu ... erability/ or the issue/one we are talking about refers to the "bogus" CVE-2019-13615 reported by someone running Ubuntu 18.04 in June or July 2019 with a not-up-to-date or unpatched VLC 3.0.1.x or 3.0.2.x = the reporter should be running Ubuntu 18.04 with VLC 3.0.7.x or VLC 3.0.6.x or the already-patched VLC 3.0.7.x on Ubuntu 18.04.1 or 18.04.2.

[smurphos]

All the LM19/19.1/19.2 users are safe and secure and will have already automatically updated to the newest safe and secure Vlc version.
All the LM 18/18.1/18.2/18.3 users are not updated yet and are (in theory at least) still vulnerable.

That is my understanding - the particular vulnerability that is still unpatched in 18.x is this one https://people.canonical.com/~ubuntu-se ... -5439.html. It's a vulnerability that could be exploited by a malicious .avi file.

The mkv vulnerability in VLC (not in libebml!) - https://people.canonical.com/~ubuntu-se ... 12874.html still says it needs patching for 18.x but if you take the description at face value didn't actually affect VLC prior to version 3.

[michael louwe]

. The libebml vulnerability is now patched in both 18.x and 19.x even with VLC 2.2.x in 18.x.

.
Are you sure.?

Wrong changelogs - remember that one wasn't a VLC bug at all in linux as the library isn't shipped by VLC

19.x - http://changelogs.ubuntu.com/changelogs ... /changelog

18.x - http://changelogs.ubuntu.com/changelogs ... /changelog

.
Thank you for the clarification.

Did the patch/update for libebml in Ubuntu 16.04.x/LM 18.x by Canonical-Ubuntu also automatically patched VLC 2.2.x running on LM 18.x or Ubuntu 16.04.x; or it needed videolan.org to apply the libebml patch to VLC 2.2.x before sending the patched VLC 2.2.x+1 to Ubuntu for updating via Update Manager.?

[smurphos]

Did the patch/update for libebml in Ubuntu 16.04.x/LM 18.x by Canonical-Ubuntu also automatically patched VLC 2.2.x running on LM 18.x or Ubuntu 16.04.x; or it needed videolan.org to apply the libebml patch to VLC 2.2.x before sending the patched VLC 2.2.x+1 to Ubuntu for updating via Update Manager.?

Yep, videolan wouldn't need to do anything - the repo version of VLC will use whatever libebml version is on the system.

The Flatpak version on the other hands ships it's own libebml version - i believe it pulls in the upstream version directly from Matroska.

[michael louwe]

...

Thank you for your reply regarding CVE-2019-13615 being patched for VLC 2.x(on Ubuntu 16.04.x/LM 18.x) and VLC 3.x(on Ubuntu 18.04.x/LM 19.x) by the libebml update from Canonical Ltd dated 24 July 2019..

OTOH, CVE-2018-19857, CVE-2019-5439, CVE-2019-12874 and CVE-2019-13602 which directly affect VLC 3.0.6 and earlier have not been patched by Canonical Ltd for VLC 2.x running on Ubuntu 16.04.x/LM 18.x, ie have only been patched for VLC 3.0.7.1 running on Ubuntu 18.04.1/LM 19.1 or later.

The last update for VLC 2.x on Ubuntu 16.04.x from Canonical via Update Manager was dated 6 Dec 2017.! = seems Canonical wants to push such users to update/upgrade to VLC 3.0.7.x via Snap packages.

If I may say, in conclusion, in order for VLC to be fully patched on all supported versions of Ubuntu/LM, users should run the latest up-to-date version of VLC, ie VLC 3.0.7.x, especially those running Ubuntu 16.04.x/LM 18.x, either via Update Manager or Snap or flatpak or PPA packages.
.
.
The likely end-game of Canonical Ltd is to have all apps/programs in Ubuntu running as Snap packages by default, installable from her walled-off Snap Store, like the walled-off Google Play Store and Apple App Store.

[sleeper12]

On Mint 19, I got updated to VLC 3.0.8 today. On Mint 18, I still have 3.0.7.1. Just wondering if an update will be coming. Anyone get it yet on Mint 18 +?

Edit: I started a new thread for this:
viewtopic.php?f=47&t=301712&p=1685946#p1685946