[SOLVED] Seriously, who would advise anyone to use LM18.3 when it's third party sofware is outdated?

Chat about Linux in general
User avatar
smurphos
Level 13
Level 13
Posts: 4769
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher
Contact:

Re: [SOLVED] Seriously, who would advise anyone to use LM18.3 when it's third party sofware is outdated?

Post by smurphos » Mon Aug 05, 2019 2:29 am

sleeper12 wrote:
Mon Aug 05, 2019 2:17 am
Does this look right? If not, what should I do?
All good - you are running the PPA version at 3.0.7
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.

sleeper12
Level 6
Level 6
Posts: 1298
Joined: Thu May 25, 2017 3:22 pm

Re: [SOLVED] Seriously, who would advise anyone to use LM18.3 when it's third party sofware is outdated?

Post by sleeper12 » Mon Aug 05, 2019 12:04 pm

smurphos wrote:
Mon Aug 05, 2019 2:29 am
sleeper12 wrote:
Mon Aug 05, 2019 2:17 am
Does this look right? If not, what should I do?
All good - you are running the PPA version at 3.0.7
8) Still not sure what the update was for though, but no harm done. Thanks to all.

carum carvi
Level 6
Level 6
Posts: 1029
Joined: Sun Apr 16, 2017 11:44 pm

Re: [SOLVED] Seriously, who would advise anyone to use LM18.3 when it's third party sofware is outdated?

Post by carum carvi » Fri Aug 09, 2019 8:45 pm

Just to be clear and to avoid misunderstandings I want to repeat the general conclusion of this thread, that anyone who applies all the regular updates will have gotten the newest and secure version of Vlc Mediaplayer. Anyone using the 2.x version in LM 18/18.1/18.2/18.3 is not affected and does not have to upgrade.

Sleeper12, whatever version you are using right now, you can be sure it is the safe and secure version. In the software manager you can see which version(s) of Vlc you have got installed. Simply open the Software Manager, type in "Vlc" and whatever version of Vlc that is installed, will be listed there. You can remove the Flatpak version if it is installed and keep using the regular LinuxMint Vlc version. Or the other way around. The flatpak version eats up diskspace (over 1 GB) though, so I have removed the Vlc Flatpak version myself and kept the regular Vlc version, LinuxMint offered to me via the Update Manager weeks ago.
Last edited by carum carvi on Sat Aug 10, 2019 3:05 am, edited 1 time in total.

sleeper12
Level 6
Level 6
Posts: 1298
Joined: Thu May 25, 2017 3:22 pm

Re: [SOLVED] Seriously, who would advise anyone to use LM18.3 when it's third party sofware is outdated?

Post by sleeper12 » Fri Aug 09, 2019 9:26 pm

No problem, I have the PPA version 3.0.7.1 showing in package manager & vlc itself says 3.0.7.1.
Last edited by sleeper12 on Sat Aug 10, 2019 1:27 am, edited 1 time in total.

User avatar
michael louwe
Level 10
Level 10
Posts: 3300
Joined: Sun Sep 11, 2016 11:18 pm

Re: [SOLVED] Seriously, who would advise anyone to use LM18.3 when it's third party sofware is outdated?

Post by michael louwe » Fri Aug 09, 2019 9:50 pm

carum carvi wrote:
Fri Aug 09, 2019 8:45 pm
Just to be clear and to avoid misunderstandings I want to repeat the general conclusion of this thread, that anyone who applies all the regular updates will have gotten the newest and secure version of Vlc Mediaplayer. Anyone using the 2.x version in LM 18/18.1/18.2/18.3 is not affected and does not have to upgrade.
.
AFAIK, that is the wrong conclusion, ie VLC 3.0.7 has one less CVE vulnerability than VLC 2.2.x.

Ubuntu 18.04 or earlier and LM 19.0 or earlier do provide VLC upgrades from VLC 2.2.x to VLC 3.0.7 but only via Snap or Flatpack packages respectively, ie no longer via the normal Update Manager. Seems Canonical Ltd is pushing Ubuntu users onto her walled-off Snap Store.
....... Ubuntu 18.04.1 and LM 19.1 or later come with VLC 3.0.7 in the repositories for the users to manually install via Software Manager. After install, it will be updated by Ubuntu to VLC 3.0.7.x via Update Manager.

In comparison, Canonical Ltd is still providing upgrades to the latest versions of the Firefox browser for both Ubuntu 16.04.x and 18.04.x via Update Manager, though a bit later than Windows users. The latest Firefox version is also available in the Snap Store.
....... This difference from VLC is likely because Firefox come preinstalled in Ubuntu.

In conclusion, all users of supported versions of desktop Linux should be running VLC 3.0.7.x or later, either via manual install of VLC 3.0.7 on the latest Linux versions(eg Ubuntu 18.04.2 or LM 19.2) or upgrade from VLC 2.2.x to VLC 3.0.7 via PPA, Snap or Flatpack packages on the older Linux versions(eg Ubuntu 16.04.3 or LM 18.3).
Last edited by michael louwe on Fri Aug 09, 2019 11:51 pm, edited 1 time in total.

User avatar
smurphos
Level 13
Level 13
Posts: 4769
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher
Contact:

Re: [SOLVED] Seriously, who would advise anyone to use LM18.3 when it's third party sofware is outdated?

Post by smurphos » Fri Aug 09, 2019 10:34 pm

michael louwe wrote:
Fri Aug 09, 2019 9:50 pm
Ubuntu 18.04 or earlier and LM 19.0 or earlier do provide VLC upgrades from VLC 2.2.x to VLC 3.0.7 but only via Snap or Flatpack packages respectively, ie no longer via the normal Update Manager. Seems Canonical Ltd is pushing Ubuntu users onto her walled-off Snap Store.
....... Ubuntu 18.04.1 and LM 19.1 or later come with VLC 3.0.7 in the repositories for the users to manually install via Software Manager. After install, it will be updated by Ubuntu to VLC 3.0.7.x via Update Manager..
Michael your fact are still not quite straight - all the Mint 19.x versions and all the Ubuntu 18.04.x versions use the same Ubuntu bionic repos - they all have 3.0.7 available via those regular repos as an update.

Agreed the version 2.x of VLC from the repos in 18.x still needs patching - Ubuntu say those themselves for CVE-2019-5439 which affects any VLC < 3.07.
Last edited by smurphos on Sat Aug 10, 2019 12:29 am, edited 1 time in total.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.

User avatar
michael louwe
Level 10
Level 10
Posts: 3300
Joined: Sun Sep 11, 2016 11:18 pm

Re: [SOLVED] Seriously, who would advise anyone to use LM18.3 when it's third party sofware is outdated?

Post by michael louwe » Fri Aug 09, 2019 11:47 pm

smurphos wrote:...
.
AFAIK:

As per https://www.ghacks.net/2018/02/07/vlc-3 ... r-release/ , VLC 3.0 was released in mid-Feb 2018 and Ubuntu 18.04 LTS was released in mid-April 2018. So, it was very likely that Ubuntu 18.04 was released in April 2018 with VLC 2.2.x in the Ubuntu repositories and not VLC 3.0, as implied by https://linuxize.com/post/how-to-instal ... ntu-18-04/ and the OP. IOW, in April 2018, those initial Ubuntu 18.04 LTS users would be manually installing VLC 2.2.x, not VLC 3.0.

Likely, only sometime much later after the first release of Ubuntu 18.04 LTS in April 2018, was the Ubuntu repositories updated/refreshed from VLC 2.2.x to VLC 3.0.x, so that those who ran Ubuntu 18.04 with updated/refreshed repositories sometime after April 2018(eg in Aug 2018), would be manually installing VLC 3.0.x, instead of VLC 2.2.x.

Anyway, Ubuntu 16.04.x and LM 18.x users were definitely running VLC 2.x by default or at first install of the OS and VLC.

User avatar
smurphos
Level 13
Level 13
Posts: 4769
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher
Contact:

Re: [SOLVED] Seriously, who would advise anyone to use LM18.3 when it's third party sofware is outdated?

Post by smurphos » Sat Aug 10, 2019 12:32 am

18.04 and Mint 19 originally shipped with 3.0.1-3 - no need for guesswork or resorting to poorly informed tech blogs :wink:

https://packages.ubuntu.com/search?keywords=vlc

or from a 19.x machine

Code: Select all

steve@steve-Inspiron-5580:~$ apt policy vlc
vlc:
  Installed: 3.0.7.1-0ubuntu18.04.1
  Candidate: 3.0.7.1-0ubuntu18.04.1
  Version table:
 *** 3.0.7.1-0ubuntu18.04.1 500
        500 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     3.0.1-3build1 500
        500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
Also - http://changelogs.ubuntu.com/changelogs ... /changelog

11 Mar 2018 was the date 3.0.1.-3 was added to the (at the time beta pre-release) bionic repos.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.

User avatar
michael louwe
Level 10
Level 10
Posts: 3300
Joined: Sun Sep 11, 2016 11:18 pm

Re: [SOLVED] Seriously, who would advise anyone to use LM18.3 when it's third party sofware is outdated?

Post by michael louwe » Sat Aug 10, 2019 2:33 am

smurphos wrote:.18.04 and Mint 19 originally shipped with 3.0.1-3 - no need for guesswork or resorting to poorly informed tech blogs :wink:..
.
. About the "security issue" on #VLC : VLC is not vulnerable.
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.......
.
The reporter is using Ubuntu 18.04, which is an old version of Ubuntu, and clearly has not all the updated libraries.
https://twitter.com/videolan/status/115 ... 3-0-7-1%2F
https://trac.videolan.org/vlc/ticket/22474

To clarify, when Ubuntu 18.04 was first released in mid-April 2018, it came with VLC 3.0.1.x which was vulnerable to the CVE bug. Only VLC 3.0.3.x or later was not vulnerable.
Last edited by michael louwe on Sat Aug 10, 2019 6:29 am, edited 1 time in total.

User avatar
smurphos
Level 13
Level 13
Posts: 4769
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher
Contact:

Re: [SOLVED] Seriously, who would advise anyone to use LM18.3 when it's third party sofware is outdated?

Post by smurphos » Sat Aug 10, 2019 2:56 am

michael louwe wrote:
Sat Aug 10, 2019 2:33 am
the CVE bug
Which one? There were 5 unpatched at one point IIRC - one of which was not VLC at all, but libebml which is a library from Matroksa. That only got fixed very recently in Debian & Ubuntu irrespective of VLC version because when Matroksa found and fixed the flaw upstream circa 18 months ago or whatever they never assigned a CVE so Debian / Ubuntu etc had no idea....

The libebml vulnerability is now patched in both 18.x and 19.x even with VLC 2.2.x in 18.x
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.

carum carvi
Level 6
Level 6
Posts: 1029
Joined: Sun Apr 16, 2017 11:44 pm

Re: [SOLVED] Seriously, who would advise anyone to use LM18.3 when it's third party sofware is outdated?

Post by carum carvi » Sat Aug 10, 2019 3:45 am

smurphos wrote:
Fri Aug 09, 2019 10:34 pm
Agreed the version 2.x of VLC from the repos in 18.x still needs patching - Ubuntu say those themselves for CVE-2019-5439 which affects any VLC < 3.07.
The (above mentioned) security issue published by the VLc team themselves:
https://www.videolan.org/security/sa1901.html

My apologies, that I misunderstood the information that I have read before.

I would like to give the less informed user (like myself) a cut and dry advice/conclusion. So, is it safe to state the following?

All the LM19/19.1/19.2 users are safe and secure and will have already automatically updated to the newest safe and secure Vlc version.
All the LM 18/18.1/18.2/18.3 users are not updated yet and are (in theory at least) still vulnerable.


I installed LM18.3 at the end of july and Vlc version 2.2 was indeed still being used, even after downloading all the newest updates. I have also read though that the Vlc team (although perhaps not an objective party) mentioned that they themselves were not able to reproduce the bug in real life. If that's true, the question that remains if there is a real security issue to be worry about it? Other forummembers already gave the sound advice to use common sense when downloading videos, but that is indeed the same as saying to a playful kitten that he/she should remain calm and not tear down the newly bought couch... :D

For all those presumed vulnerable LM 18/18.1/18.2/18.3 LinuxMint users out there, they are able to upgrade to the safe and secure newest Vlc version by simply manually installing the Vlc Flatpak version from within the familiar and trusted Software Manager in LinuxMint.

michael louwe wrote:
Fri Aug 09, 2019 9:50 pm
Ubuntu 18.04 or earlier and LM 19.0 or earlier do provide VLC upgrades from VLC 2.2.x to VLC 3.0.7 but only via Snap or Flatpack packages respectively, ie no longer via the normal Update Manager.

User avatar
michael louwe
Level 10
Level 10
Posts: 3300
Joined: Sun Sep 11, 2016 11:18 pm

Re: [SOLVED] Seriously, who would advise anyone to use LM18.3 when it's third party sofware is outdated?

Post by michael louwe » Sat Aug 10, 2019 3:49 am

smurphos wrote:. The libebml vulnerability is now patched in both 18.x and 19.x even with VLC 2.2.x in 18.x.
.
Are you sure.?

As per http://changelogs.ubuntu.com/changelogs ... rse/v/vlc/ and http://changelogs.ubuntu.com/changelogs ... /changelog , the last patch/update from Ubuntu for VLC 2.2.x was dated 6 Dec 2017, quite long before videolan.org patched the aforementioned CVE bug in May 2018 with the release of VLC 3.0.3 (= 16 months ago)

So, it's unlikely that VLC 2.2.x in LM 18.x or Ubuntu 16.04.x has been patched by Ubuntu for the aforementioned CVE bug via Update Manager.

User avatar
smurphos
Level 13
Level 13
Posts: 4769
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher
Contact:

Re: [SOLVED] Seriously, who would advise anyone to use LM18.3 when it's third party sofware is outdated?

Post by smurphos » Sat Aug 10, 2019 4:03 am

michael louwe wrote:
Sat Aug 10, 2019 3:49 am
smurphos wrote:. The libebml vulnerability is now patched in both 18.x and 19.x even with VLC 2.2.x in 18.x.
.
Are you sure.?
Wrong changelogs - remember that one wasn't a VLC bug at all in linux as the library isn't shipped by VLC

19.x - http://changelogs.ubuntu.com/changelogs ... /changelog

18.x - http://changelogs.ubuntu.com/changelogs ... /changelog
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.

User avatar
michael louwe
Level 10
Level 10
Posts: 3300
Joined: Sun Sep 11, 2016 11:18 pm

Re: [SOLVED] Seriously, who would advise anyone to use LM18.3 when it's third party sofware is outdated?

Post by michael louwe » Sat Aug 10, 2019 4:10 am

carum carvi wrote:
Sat Aug 10, 2019 3:45 am
The (above mentioned) security issue published by the VLc team themselves:
https://www.videolan.org/security/sa1901.html
Your's refer to CVE-2019-5439, CVE-2019-12874.

https://www.ghacks.net/2019/07/24/confu ... erability/ or the issue/one we are talking about refers to the "bogus" CVE-2019-13615 reported by someone running Ubuntu 18.04 in June or July 2019 with a not-up-to-date or unpatched VLC 3.0.1.x or 3.0.2.x = the reporter should be running Ubuntu 18.04 with VLC 3.0.7.x or VLC 3.0.6.x or the already-patched VLC 3.0.7.x on Ubuntu 18.04.1 or 18.04.2.
Last edited by michael louwe on Sat Aug 10, 2019 4:56 am, edited 1 time in total.

User avatar
smurphos
Level 13
Level 13
Posts: 4769
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher
Contact:

Re: [SOLVED] Seriously, who would advise anyone to use LM18.3 when it's third party sofware is outdated?

Post by smurphos » Sat Aug 10, 2019 4:11 am

carum carvi wrote:
Sat Aug 10, 2019 3:45 am

All the LM19/19.1/19.2 users are safe and secure and will have already automatically updated to the newest safe and secure Vlc version.
All the LM 18/18.1/18.2/18.3 users are not updated yet and are (in theory at least) still vulnerable.
That is my understanding - the particular vulnerability that is still unpatched in 18.x is this one https://people.canonical.com/~ubuntu-se ... -5439.html. It's a vulnerability that could be exploited by a malicious .avi file.

The mkv vulnerability in VLC (not in libebml!) - https://people.canonical.com/~ubuntu-se ... 12874.html still says it needs patching for 18.x but if you take the description at face value didn't actually affect VLC prior to version 3.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.

User avatar
michael louwe
Level 10
Level 10
Posts: 3300
Joined: Sun Sep 11, 2016 11:18 pm

Re: [SOLVED] Seriously, who would advise anyone to use LM18.3 when it's third party sofware is outdated?

Post by michael louwe » Sat Aug 10, 2019 4:22 am

smurphos wrote:
Sat Aug 10, 2019 4:03 am
michael louwe wrote:
Sat Aug 10, 2019 3:49 am
smurphos wrote:. The libebml vulnerability is now patched in both 18.x and 19.x even with VLC 2.2.x in 18.x.
.
Are you sure.?
Wrong changelogs - remember that one wasn't a VLC bug at all in linux as the library isn't shipped by VLC

19.x - http://changelogs.ubuntu.com/changelogs ... /changelog

18.x - http://changelogs.ubuntu.com/changelogs ... /changelog
.
Thank you for the clarification.

Did the patch/update for libebml in Ubuntu 16.04.x/LM 18.x by Canonical-Ubuntu also automatically patched VLC 2.2.x running on LM 18.x or Ubuntu 16.04.x; or it needed videolan.org to apply the libebml patch to VLC 2.2.x before sending the patched VLC 2.2.x+1 to Ubuntu for updating via Update Manager.?

User avatar
smurphos
Level 13
Level 13
Posts: 4769
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher
Contact:

Re: [SOLVED] Seriously, who would advise anyone to use LM18.3 when it's third party sofware is outdated?

Post by smurphos » Sat Aug 10, 2019 4:40 am

michael louwe wrote:
Sat Aug 10, 2019 4:22 am
Did the patch/update for libebml in Ubuntu 16.04.x/LM 18.x by Canonical-Ubuntu also automatically patched VLC 2.2.x running on LM 18.x or Ubuntu 16.04.x; or it needed videolan.org to apply the libebml patch to VLC 2.2.x before sending the patched VLC 2.2.x+1 to Ubuntu for updating via Update Manager.?
Yep, videolan wouldn't need to do anything - the repo version of VLC will use whatever libebml version is on the system.

The Flatpak version on the other hands ships it's own libebml version - i believe it pulls in the upstream version directly from Matroska.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.

User avatar
michael louwe
Level 10
Level 10
Posts: 3300
Joined: Sun Sep 11, 2016 11:18 pm

Re: [SOLVED] Seriously, who would advise anyone to use LM18.3 when it's third party sofware is outdated?

Post by michael louwe » Sat Aug 10, 2019 6:01 am

smurphos wrote:...
Thank you for your reply regarding CVE-2019-13615 being patched for VLC 2.x(on Ubuntu 16.04.x/LM 18.x) and VLC 3.x(on Ubuntu 18.04.x/LM 19.x) by the libebml update from Canonical Ltd dated 24 July 2019..

OTOH, CVE-2018-19857, CVE-2019-5439, CVE-2019-12874 and CVE-2019-13602 which directly affect VLC 3.0.6 and earlier have not been patched by Canonical Ltd for VLC 2.x running on Ubuntu 16.04.x/LM 18.x, ie have only been patched for VLC 3.0.7.1 running on Ubuntu 18.04.1/LM 19.1 or later.

The last update for VLC 2.x on Ubuntu 16.04.x from Canonical via Update Manager was dated 6 Dec 2017.! = seems Canonical wants to push such users to update/upgrade to VLC 3.0.7.x via Snap packages.

If I may say, in conclusion, in order for VLC to be fully patched on all supported versions of Ubuntu/LM, users should run the latest up-to-date version of VLC, ie VLC 3.0.7.x, especially those running Ubuntu 16.04.x/LM 18.x, either via Update Manager or Snap or Flatpack or PPA packages.
.
.
The likely end-game of Canonical Ltd is to have all apps/programs in Ubuntu running as Snap packages by default, installable from her walled-off Snap Store, like the walled-off Google Play Store and Apple App Store.

sleeper12
Level 6
Level 6
Posts: 1298
Joined: Thu May 25, 2017 3:22 pm

Re: [SOLVED] Seriously, who would advise anyone to use LM18.3 when it's third party sofware is outdated?

Post by sleeper12 » Thu Sep 12, 2019 10:22 pm

On Mint 19, I got updated to VLC 3.0.8 today. On Mint 18, I still have 3.0.7.1. Just wondering if an update will be coming. Anyone get it yet on Mint 18 +?

Edit: I started a new thread for this:
viewtopic.php?f=47&t=301712&p=1685946#p1685946

Post Reply

Return to “Chat about Linux”