0-day just announced in popular Linux distros

Just read Ars Technica’s coverage of a zero day exploit in Linux of something associated with GStreamer (I guess it’s a software library: libgme, specifically?). I don’t see that there is any published mitigation or fix for this (hence, it’s a 0-day). Unfortunately, UMate 16.04 appears to be affected, as well as many other Linux distros.

From the article:

Game Music Emu doesn’t sandbox the malicious audio files, and neither
does GStreamer, the GNOME desktop video player, video thumbnailer, and
media file indexing software used by Fedora and Ubuntu.

I just checked my own machine and found I have libgme0 installed. Attempting to remove it prompts me with the warning that other packages–including mate-desktop, mate-core, and VLC, among others–will be removed, as well (!). This… kind of makes no sense to me.

So, two questions I have:

(1) Is there truly no way to cleanly remove the vulnerable package without ruining the rest of the OS / other packages?

(2) If not, why not? That is, why should something like a video game music emulator library become fused with vital components of an OS, making it impossible to divorce the frivolous from the essential?


So VLC is a dependency of one of the meta-packages: ubuntu-mate-desktop.
I suspect VLC depends on the affected lib, and therefore removing the lib would remove it, and then it cascades up.

This dependency problem has been fixed in Ubuntu MATE 16.10.

I’m also waiting on a fix for the vuln. In the meantime, good browsing habits can mitigate the risk: don’t visit sites you don’t trust not to serve you poisoned music, use uBlock Origin and HTTPS Everywhere, etc. If you’re really hardcore and have enough RAM, install a virtual machine and run your browser inside of that.
I’m not sure if it’s possible for audio files to autoplay in Firefox.


Upstream is fixed so hopefully a fix will land in Ubuntu soon: https://security-tracker.debian.org/tracker/DSA-3735-1


Thanks for this, really. I appreciate the explanation and suggested mitigations. (And I’ve long run uBlock Origin, noscript and HTTPS Everywhere, fwiw, and generally stick to sites I’m familiar with.)

The fix seems not to have filtered down to Ubuntu, as yet. I assume I can watch the Ubuntu Security Notices site for updates?