Is VLC from the Ubuntu LTS official repository insecure?

  • Often it is impossible at first sight to understand if a package in a repository is up-to-date with security fixes, because the maintainers use a different naming when applying the patches to old branches. So for example, while Foo version 1.2.3 might be old and insecure, version Foo 1.2.3-ubuntu123 might contain security patches and be as secure as the latest Foo version 1.5.7. It seems to me there's no easy way to find out whether all patches have been applied, unless you check and compare the changelogs.

    However, I just tried checking the status of the VLC package in the latest Ubuntu LTS (20.04 Focal Fossa), and to me it looks like it's never been patched and has at least a few vulnerabilities discovered in the last year or so. But that would be pretty worrying, something I would not expect from one of the most popular applications on an LTS release of one of the major distributions. So maybe there's something wrong with my reasoning. Here's what I did:

    • Checked available version in Ubuntu's repos: VLC 3.0.9.2-1 (using apt show vlc, also see https://packages.ubuntu.com/focal/vlc )
    • Checked latest version on VLC's website: VLC 3.0.14
    • Checked the changelog of VLC 3.0.9.2-1: it was released in April 2020. See: https://changelogs.ubuntu.com/changelogs/pool/universe/v/vlc/vlc_3.0.9.2-1/changelog
    • Checked VLC security advisories: https://www.videolan.org/security/
    • Noticed that there are at least three versions released after April 2020 that fixed several security vulnerabilities (versions: 3.0.11, 3.0.12, 3.0.13).
    • Conclusion: VLC 3.0.9.2-1 from Ubuntu's repo cannot include security fixes that came out after April 2020, and considering that Ubuntu 20.04 was released in April 2020, the VLC package maybe was never even updated.

    By the way, I noticed that on the security page of VLC's website there are no "security advisories" after 2019, yet there are "security bulletins" related to the releases, so could it be that the repo maintainers missed the fact that VLC had security issues in 2020? Also, the VLC changelog looks a bit weird to me, because if you look for "security" the first section named "security" is in "changes between 3.0.6 and 3.0.7". Before that, the word "security" is first mentioned in a "misc" section about "changes between 3.0.x and 4.0.0-dev". I wonder if the repo maintainers thought there was nothing to fix because there isn't a section named "security" for the latest versions.

    Anyway, the question is: is my reasoning correct, and therefore the current VLC package provided by the official repos of Ubuntu LTS 20.04 Focal Fossa is actually insecure because some vulnerabilities have not been patched? If so, shouldn't this be something very worrying about one of the most popular packages in one of the most popular distros? If my reasoning is wrong instead, where is the mistake? Is there a better way to check if a package has been patched, or can we only hope everything is ok and trust the maintainers?

  • is my reasoning correct, and therefore the current VLC package provided by the official repos of Ubuntu LTS 20.04 Focal Fossa is actually insecure because some vulnerabilities have not been patched?

    It looks that way.

    If so, shouldn't this be something very worrying about one of the most popular packages in one of the most popular distros?

    The package is from the universe component, which is explicitly marked as unsupported and not guaranteeing security updates. If you install a package from a component that doesn't receive security updates, you shouldn't be surprised that the package doesn't receive security updates.

    Components

    Ubuntu has four official components that differ in whether or not the software provided in them is free and whether or not the software provided in them is supported:

                    Free        Non-free
        Supported   main        restricted
        Unsupported universe    multiverse

    Note that the meaning of "supported" is slightly different between the main and restricted components: in the main repository, Canonical takes responsibility for providing updates to the packages. In the restricted repository, without access to the source code, Canonical obviously cannot do that, so all they promise is that they will forward bugs to the developers and updates from the developers. But if a package in restricted has a security vulnerability, and the developers do not patch it, there is nothing Canonical can do about it.

    Note also that restricted is not a random dump of proprietary software. It is solely intended for critical components required for running Ubuntu, i.e. mostly proprietary drivers without which Ubuntu wouldn't be able to boot or function.

    Repositories

    In addition to multiple components per repository, Ubuntu also has multiple repositories per release:

    • ${release}: Don’t touch it, I like consistency, even with my bugs.
    • ${release}-security: I’ll accept patches to existing versions (and very rare version upgrades if absolutely necessary) in the process of keeping my system secure.
    • ${release}-updates: Okay, some bugs are worth fixing, and I trust you this much (holds up two fingers like Maxwell Smart).
    • ${release}-backports: I have something akin to technology ADHD, needing the latest of everything I can possibly get, but I can’t handle running the development branch.

    Conclusion

    You can only expect security updates for packages in the main component, and furthermore, you will only get security updates from the ${release}-security repository. You will also get security updates from the ${release}-updates and ${release}-backports repositories, but you might also get new and breaking features, or new features with new security vulnerabilities.

    VLC is in universe, not in main, therefore you cannot expect any updates, including security fixes.
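
The check the question walks through by hand (look up the package version, then work out where it came from) and the answer's component/pocket table can be made mechanical. The following is an added example, not code from the original post, from Ubuntu or from the VLC project. It assumes only the output layout of `apt-cache policy <pkg>`, in which every archive line of the version table carries a `<suite>/<component>` field such as `focal/universe` or `focal-security/main`. The sample policy text is constructed to mirror the question's VLC 3.0.9.2-1 on focal; it was not captured from a real host. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: classify the archive source of a package's candidate version
# following the answer's rules: only main/restricted are supported, and only
# the -security pocket delivers fixes without new features.

# Constructed sample in the layout `apt-cache policy vlc` prints (not captured
# from a real system; mirrors the question's VLC 3.0.9.2-1 on focal).
SAMPLE_POLICY='vlc:
  Installed: 3.0.9.2-1
  Candidate: 3.0.9.2-1
  Version table:
 *** 3.0.9.2-1 500
        500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages
        100 /var/lib/dpkg/status'

# policy_sources: read `apt-cache policy` text on stdin and print one
# "<suite> <component>" pair per archive line of the version table.
# The "/var/lib/dpkg/status" line has no suite/component field and is skipped.
policy_sources() {
    awk 'NF >= 5 && $3 ~ /\/(main|restricted|universe|multiverse)$/ {
             split($3, a, "/"); print a[1], a[2]
         }'
}

# classify <suite> <component>: print "<support> <pocket>", e.g.
# "unsupported release" for focal/universe or "supported security" for
# focal-security/main.
classify() {
    suite=$1
    component=$2
    case $component in
        main|restricted)     support=supported ;;
        universe|multiverse) support=unsupported ;;
        *)                   support=unknown ;;
    esac
    case $suite in
        *-security)  pocket=security ;;
        *-updates)   pocket=updates ;;
        *-backports) pocket=backports ;;
        *)           pocket=release ;;
    esac
    echo "$support $pocket"
}

# report: run the whole check over policy text on stdin, one verdict per source.
report() {
    policy_sources | while read -r suite component; do
        echo "$suite/$component: $(classify "$suite" "$component")"
    done
}

# Stand-alone run over the constructed sample; on a real system replace the
# sample with:  apt-cache policy vlc | report
printf '%s\n' "$SAMPLE_POLICY" | report
```

On a live 20.04 system, `apt-cache policy vlc | report` gives the verdict for the package actually installed, and `apt-get changelog vlc` fetches the Ubuntu changelog the question compared by hand so you can search it for CVE references. Ubuntu 20.04 also ships `ubuntu-security-status`, which reports which installed packages come from components that do not receive security updates, so you do not have to classify every package yourself.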
