Just read Ars Technica's coverage of a zero day exploit in Linux of something associated with GStreamer (I guess it's a software library: libgme, specifically?). I don't see that there is any published mitigation or fix for this (hence, it's a 0-day). Unfortunately, UMate 16.04 appears to be affected, as well as many other Linux distros.
From the article:
Game Music Emu doesn't sandbox the malicious audio files, and neither does GStreamer, the GNOME desktop video player, video thumbnailer, and media file indexing software used by Fedora and Ubuntu.
I just checked my own machine and found I have libgme0 installed. Attempting to remove it prompts me with the warning that other packages--including mate-desktop, mate-core, and VLC, among others--will be removed, as well (!). This... kind of makes no sense to me.
So, two questions I have:
(1) Is there truly no way to cleanly remove the vulnerable package without ruining the rest of the OS / other packages?
(2) If not, why not? That is, why should something like a video game music emulator library become fused with vital components of an OS, making it impossible to divorce the frivolous from the essential?
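An added illustration of why apt cascades the removal (this is not code from the post or the article): a small Python script that parses a constructed excerpt in dpkg's status-file format and computes which installed packages would have to go with libgme0, applying the rule that a package is only dragged along when every installed alternative in one of its `Depends` clauses (`a | b`) is being removed. The package names and version constraints in the sample are constructed for illustration, not the real 16.04 dependency graph; on an actual system, `apt-cache rdepends --installed libgme0` shows the first level of the same information.

```python
import re

# Constructed excerpt in dpkg status-file format; illustrative only, not real 16.04 data.
SAMPLE_STATUS = """\
Package: libgme0
Status: install ok installed

Package: gstreamer1.0-plugins-bad
Status: install ok installed
Depends: libgme0 (>= 0.5.5)

Package: vlc
Status: install ok installed
Depends: libgme0 (>= 0.5.5), vlc-plugin-video-output

Package: mate-media
Status: install ok installed
Depends: gstreamer1.0-plugins-bad | gstreamer1.0-plugins-ugly

Package: mate-desktop-environment-core
Status: install ok installed
Depends: mate-media, mate-panel
"""

def parse_status(text):
    """Map each installed package to its Depends clauses (lists of alternatives)."""
    installed = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        if "installed" not in fields.get("Status", ""):
            continue
        installed[fields["Package"]] = [
            [re.sub(r"\(.*?\)", "", alt).strip().split(":")[0]   # drop version / arch
             for alt in clause.split("|")]
            for clause in fields.get("Depends", "").split(",") if clause]
    return installed

def removal_set(installed, target):
    """Packages apt must remove with `target`: any whose clause has no installed alternative left."""
    removed, changed = {target}, True
    while changed:           # iterate to a fixed point up the reverse-dependency tree
        changed = False
        for pkg, clauses in installed.items():
            for alts in clauses:
                present = [a for a in alts if a in installed]   # unknown names are skipped
                if pkg not in removed and present and all(a in removed for a in present):
                    removed.add(pkg)
                    changed = True
    return removed - {target}
```

The `gstreamer1.0-plugins-bad | gstreamer1.0-plugins-ugly` clause is what keeps the chain alive in the sample: installing the alternative would let mate-media survive, which is the kind of check worth running before resorting to a forced removal.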