When do critical security updates hit PureOS?

I’ve been watching for a PureOS update for the latest high-severity Chromium vulnerability:

How long do those typically take to hit PureOS?

Do you consider it too risky to browse the internet with a vulnerability like this?

Why no Firefox in the package repo?

Why look for Firefox in a GNU system when Debian is there?

I do not know.

No: I do not use Chromium-based browsers.

I suspect it has to do with Debian using Firefox ESR upstream, and I largely assume that was chosen for easier package maintenance, among other reasons.


EDIT: So I did it. I replied without reading the whole thing. This is not about the webp vulnerability… Oh well! Leaving my comment below anyway.

https://www.debian.org/security/2023/dsa-5497-2

A buffer overflow in parsing WebP images may result in the execution of arbitrary code.

For the oldstable distribution (bullseye), this problem has been fixed in version 0.6.1-2.1+deb11u2.

(PureOS Byzantium is Bullseye)

$ dpkg -l libwebp6
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version           Architecture Description
+++-==============-=================-============-=================================================
ii  libwebp6:arm64 0.6.1-2.1+deb11u2 arm64        Lossy compression of digital photographic images.

At least on my device, libwebp6 is up to date.

Then:

$ apt-cache rdepends libwebp6 | grep chromium
  chromium-shell
  chromium
  chromium-shell
  chromium

$ apt-cache rdepends libwebp6 | grep firefox
$

OK, so if you use the packaged Chromium (not the Flatpak) you should be covered already, since it’s using the system-provided libwebp. Other notable appearances in that list (without the grep) would be: gimp, telegram-purple, libwebkit2gtk (used by Gnome Browser, aka Epiphany, again not the Flatpak), libqtwebkit5 (used by other apps that are Qt/KDE based), so a lot is covered already.

Firefox is not in that list however. Does Firefox ESR even support webp?

Ah! I found it, it was a dependency of a dependency:

$ apt-cache depends firefox-esr | grep libavcodec
 |Recommends: <libavcodec59>
 |Recommends: <libavcodec-extra59>
 |Recommends: libavcodec58
    libavcodec-extra58
 |Recommends: libavcodec-extra58
 |Recommends: <libavcodec57>
 |Recommends: <libavcodec-extra57>
 |Recommends: <libavcodec56>
 |Recommends: <libavcodec-extra56>
 |Recommends: <libavcodec55>
 |Recommends: <libavcodec-extra55>
 |Recommends: <libavcodec54>
 |Recommends: <libavcodec-extra54>
 |Recommends: <libavcodec53>
  Recommends: <libavcodec-extra53>

$ apt-cache rdepends libwebp6 | grep libavcodec
  libavcodec-extra58
  libavcodec58
  libavcodec-extra58
  libavcodec58

$ dpkg -l libavcodec58
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name               Version           Architecture Description
+++-==================-=================-============-======================================================================
ii  libavcodec58:arm64 7:4.3.6-0+deb11u1 arm64        FFmpeg library with de/encoders for audio/video codecs - runtime files

There we go. So, if I understand this correctly, we should be covered already.

Now for Flatpak software, that depends on each package (or each runtime)…

Am I installing a Flatpak app when I install from the Software app?

If I use apt am I installing non-Flatpak?

You need to check on the top right in the app details screen to see what source is selected.

apt and dpkg are the Debian package manager. This is different from Flatpak, so your assumption was correct.

PureOS still hasn’t updated Chromium to 117.0.5938.132, so I think I’m missing something. I’m new to Debian, but it looks like the latest Chromium there is the same as on PureOS:

What is the right way to proceed in a situation like this?

Regarding Flatpak, some apps in Software (such as Chromium) don’t have anything in the top right, but maybe the Sandboxed flag further down the page is a good way to determine if it’s Flatpak? If so, then Chromium there is not Flatpak.

The Chromium package is updated in PureOS now, and I noticed that it was updated in Debian at about the same time:

Do the Software app releases just mirror Debian Bullseye releases?

Now that I’ve installed Firefox via apt should I be updating everything with apt instead of Software?


Probably.

Yes. Usually I use this command:

sudo apt update && sudo apt upgrade -y

I’ve been doing something similar to that for almost 20 years, but the consensus around here seems to be that, since PureOS is a rolling release, dist-upgrade should (always?) be used.