5

The fix to the error in Firefox showing libavcodec may be vulnerable is contained in the following link, however the vulnerability referred to in the notification is not exactly described.

enter image description here

The libavcodec notification that Firefox displays does not make sense in situations where the reported vulnerability may not even exist because libavcodec is not installed. If the libavcodec vulnerability does not exist, the notification may be advising to install a supported version of libavcodec, but even so it does not explain why it should be installed.

What vulnerability is the Firefox notification reporting about? How is installing a libavcodec package that wasn't installed before from a PPA equivalent to fixing a vulnerability in libavcodec, and not equivalent to putting the cart before the horse?

Community
  • 1
sassy.geek
  • 132

3 Answers3

3

To be clear, the message is actually:

libavcodec may be vulnerable or is not supported

Depending on the version of libavcodec you have, it may well be unpatched against some vulnerability, or it could just be that it is old enough that it's just incompatible with Firefox (and maybe it's vulnerable too...)

Firefox is doing some version check of the libavcodec you have installed, looks for certain versions and shows the message if you have too old a version. Specifically, they recently:

Blocked versions of libavcodec older than 54.35.1

(I guess in future, as the message states, they may well blacklist recent versions if they're missing security patches. Anyway, here, they've just gone for versions of a certain age.)

To get back to answering your question, if you're installing a more recent version from a PPA (which is libavcodec56 from the linked answer) then Firefox will see that newer version installed and use that version for decoding media, and not the older libavcodec54. (Note that this package's files have the version number in the filename, so you could well have both newer and older versions of it installed side-by-side.)[1]

Installing a newer libavcodec therefore won't magically fix any vulnerability in your existing installed version — of course, that will persist until you remove it — but it means that Firefox can use a version of the library that isn't vulnerable (which is what the Firefox developers care about).

[1]: Additionally, looking at my 16.04 install, libavcodec-ffmpeg.so.56 is actually a symbolic link to a particular file, so that's another way in which you could have multiple versions installed side-by-side, even of the same major version of libavcodec, but only one specifically being used.

Steven Maude
  • 133
2

libavcodec has been updated in Ubuntu 14.04.

An update to libav-tools, libavcodec-extra and libavcodec-extra-54 in Ubuntu 14.04 has fixed this problem. The libavcodec may be vulnerable or is not supported, and should be updated to play video notification no longer appears after updating the system with the Software Updater.

karel
  • 122,292
  • 133
  • 301
  • 332
1

Because of this problem, I upgraded to Lubuntu 16.04. Even if there appears to be an improvement, at least on my system it takes only two or three video plays in (say) Youtube for the problem to reappear.

If anybody has an actual permanent fix, I'd be interested to know, but having followed instructions given on fora like this, and got nothing permanent, I would not be surprised if there were no such solution.

Let me be clear - this is not a(n) Ubuntu/Kubuntu/Xubuntu/Lubuntu issue: it's clearly a Mozilla-initiated problem, since they made some arbitrary decision to block certain codecs. Yet - even with libavcodec-extra-56 installed - there is no fix on my machine for this problem.

Q- what's the difference between an engineer and a developer?

A- an engineer knows when to stop!

ETA: Having upgraded to L16.04, I went to Synaptic and checked ffmpeg status, and the search showed that libav-tools needed an upgrade separately. Did that and - so far - the playback problem has disappeared. Seems that the best fix is to just upgrade to 16.04 and then make upgrades in Synaptic, install those and then carry on.

I hope this is useful to at least one somebody else.

ETAM: Well, it really does seem that there is some god or other peeking in here from that Mozilla-Youtube cartel and reading my edits - because immediately after posting that edit there ... yep,problem came back.

Seems that Mozilla hates anything Ubuntu, so I may be forced to transfer to another distro that Mozilla has taken an arbitrary liking to.

David Andrews
  • 11