When do critical security updates hit PureOS?

I’ve been watching for a PureOS update for the latest high severity Chromium vulnerability:

How long do those typically take to hit PureOS?

Do you consider it too risky to browse the internet with a vulnerability like this?

Why no Firefox in the package repo?

Why look for Firefox in a GNU system when Debian is there?

I do not know.

No: I do not use Chromium-based browsers.

I suspect it has to do with Debian using Firefox ESR upstream, and I largely assume that was chosen for easier package maintenance, among other reasons.


EDIT: so I did it. I replied without reading the whole thing. This is not about the WebP vulnerability… Oh well! Leaving my comment below anyway.

https://www.debian.org/security/2023/dsa-5497-2

A buffer overflow in parsing WebP images may result in the execution of arbitrary code.

For the oldstable distribution (bullseye), this problem has been fixed in version 0.6.1-2.1+deb11u2.

(PureOS Byzantium is Bullseye)

$ dpkg -l libwebp6
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version           Architecture Description
+++-==============-=================-============-=================================================
ii  libwebp6:arm64 0.6.1-2.1+deb11u2 arm64        Lossy compression of digital photographic images.

At least on my device, libwebp6 is up to date.

Then:

$ apt-cache rdepends libwebp6 | grep chromium
  chromium-shell
  chromium
  chromium-shell
  chromium

$ apt-cache rdepends libwebp6 | grep firefox
$

OK, so if you use the packaged Chromium (not the Flatpak) you should be covered already, since it’s using the system-provided libwebp. Other notable appearances in that list (without the grep) would be: gimp, telegram-purple, libwebkit2gtk (used by GNOME Web, aka Epiphany, again not the Flatpak), libqtwebkit5 (used by other apps that are Qt/KDE based), so a lot is covered already.

Firefox is not in that list however. Does Firefox ESR even support webp?

Ah! I found it, it was a dependency of a dependency:

$ apt-cache depends firefox-esr | grep libavcodec
 |Recommends: <libavcodec59>
 |Recommends: <libavcodec-extra59>
 |Recommends: libavcodec58
    libavcodec-extra58
 |Recommends: libavcodec-extra58
 |Recommends: <libavcodec57>
 |Recommends: <libavcodec-extra57>
 |Recommends: <libavcodec56>
 |Recommends: <libavcodec-extra56>
 |Recommends: <libavcodec55>
 |Recommends: <libavcodec-extra55>
 |Recommends: <libavcodec54>
 |Recommends: <libavcodec-extra54>
 |Recommends: <libavcodec53>
  Recommends: <libavcodec-extra53>

$ apt-cache rdepends libwebp6 | grep libavcodec
  libavcodec-extra58
  libavcodec58
  libavcodec-extra58
  libavcodec58

$ dpkg -l libavcodec58
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name               Version           Architecture Description
+++-==================-=================-============-======================================================================
ii  libavcodec58:arm64 7:4.3.6-0+deb11u1 arm64        FFmpeg library with de/encoders for audio/video codecs - runtime files

There we go. So, if I understand this correctly, we should be covered already.

Now for Flatpak software, that depends on each package (or each runtime)…
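The check the post above does by hand (read the fixed version off the DSA, run `dpkg -l`, compare by eye) can be scripted. What follows is an added example, not code from the original post or from Debian/PureOS tooling: a pure-Python port of dpkg's version-ordering rules (epoch, upstream, Debian revision; `~` sorts before everything, letters before other punctuation, digit runs compared numerically) applied to `dpkg -l` output, so it runs without dpkg installed. The libwebp6 and libavcodec58 lines in the sample are the two quoted in the thread; the chromium line, its fixed version (built from the 117.0.5938.132 figure mentioned later in the thread) and the firefox-esr entry are constructed assumptions used only to show the "vulnerable" and "not installed" outcomes.

```python
"""Compare installed Debian/PureOS package versions against the fixed versions in a DSA.

Added example: a pure-Python port of dpkg's verrevcmp() ordering applied to
`dpkg -l` output. On a real system you would feed it `dpkg -l` itself, or just
call `dpkg --compare-versions <installed> ge <fixed>`.
"""
import re


def _order(ch):
    """Sort weight of one non-digit character, following dpkg's order() rules."""
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1           # '~' sorts before even the empty string: 1.0~rc1 < 1.0
    return ord(ch) + 256    # other punctuation sorts after letters


def _cmp_fragment(a, b):
    """Compare an upstream-version or revision string the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split 'epoch:upstream-revision' into (int epoch, upstream, revision)."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.rpartition("-")
    if not upstream:                 # no hyphen: everything is upstream, revision is empty
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (r > 0) - (r < 0)


_DPKG_LINE = re.compile(r"^([a-zA-Z]{2,3})\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_dpkg_l(text):
    """Map package name -> (status, version) from `dpkg -l` output, skipping the header."""
    installed = {}
    for line in text.splitlines():
        if not line or line[0] in "D|+":      # the header lines of dpkg -l
            continue
        m = _DPKG_LINE.match(line)
        if not m:
            continue
        status, name, version, _arch = m.groups()
        installed[name.split(":", 1)[0]] = (status, version)   # drop the :arch suffix
    return installed


def audit(dpkg_output, fixed_versions):
    """For each package named in a DSA, report 'fixed', 'vulnerable' or 'not installed'."""
    installed = parse_dpkg_l(dpkg_output)
    report = {}
    for pkg, fixed in fixed_versions.items():
        entry = installed.get(pkg)
        if entry is None or entry[0] != "ii":
            report[pkg] = "not installed"
        elif compare_versions(entry[1], fixed) >= 0:
            report[pkg] = "fixed"
        else:
            report[pkg] = "vulnerable"
    return report


# Constructed sample: the two lines quoted in the thread plus a made-up, pre-fix
# chromium line so that the report shows more than one outcome.
SAMPLE_DPKG_L = """\
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name               Version           Architecture Description
+++-==================-=================-============-======================================
ii  libwebp6:arm64     0.6.1-2.1+deb11u2 arm64        Lossy compression of digital photographic images.
ii  libavcodec58:arm64 7:4.3.6-0+deb11u1 arm64        FFmpeg library with de/encoders for audio/video codecs - runtime files
ii  chromium:arm64     116.0.5845.180-1~deb11u1 arm64 Web browser (constructed, pre-fix version)
"""

# Fixed versions: libwebp6 is the value from DSA-5497-2 quoted above; the chromium
# and firefox-esr values are assumptions made for this example.
FIXED = {
    "libwebp6": "0.6.1-2.1+deb11u2",
    "chromium": "117.0.5938.132-1~deb11u1",
    "firefox-esr": "115.3.0esr-1~deb11u1",
}

if __name__ == "__main__":
    for pkg, state in audit(SAMPLE_DPKG_L, FIXED).items():
        print(f"{pkg:12} {state}")
```

The point of porting the ordering rather than doing a string compare is the cases that bite in practice: `7:4.3.6-0+deb11u1` has an epoch that dominates everything after it, `1~deb11u1` sorts below `1` because of the tilde, and `.132` is newer than `.62` because digit runs are compared as numbers. A package whose status is anything but `ii` (for example `rc`, config files left behind) is reported as not installed rather than as fixed.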

Am I installing a Flatpak app when I install from the Software app?

If I use apt am I installing non-Flatpak?

You need to check on the top right in the app details screen to see what source is selected.

apt and dpkg are the Debian package manager. This is different from Flatpak, so your assumption was correct.

PureOS still hasn’t updated Chromium to 117.0.5938.132 so I think I’m missing something. I’m new to Debian but it looks like the latest Chromium there is the same as on PureOS:

What is the right way to proceed in a situation like this?

Regarding Flatpak, some apps in Software (such as Chromium) don’t have anything in the top right, but maybe the Sandboxed flag further down the page is a good way to determine if it’s Flatpak? If so then Chromium there is not Flatpak.

The Chromium package is updated in PureOS now and I noticed that it was updated in Debian at about the same time:

Do the Software app releases just mirror Debian Bullseye releases?

Now that I’ve installed Firefox via apt should I be updating everything with apt instead of Software?


Probably.

Yes. Usually I use this command:

sudo apt update && sudo apt upgrade -y

I’ve been doing something similar to that for almost 20 years, but the consensus around here seems to be that since PureOS is a rolling release dist-upgrade should (always?) be used.

There is a recent lawsuit against Google’s Chrome browser. The allegation claims that Chrome still spies on its users despite Incognito mode. Does anyone believe that it is Google services doing the misdeed? If so, then wouldn’t Chromium be in the same boat as Chrome? Would Flatpak/Flathub be of any help against this misbehavior? This is pretty bad stuff.

I guess an alternative browser will be necessary. What are your (Flatpak/Flathub/AppImage) recommendations for language translation (particularly of web pages) and mapping services?

The LibreTranslate service shows promise, even though it requires uploading/downloading a file for translation rather than translating on the spot. The Dialect program seems to support this service.


Depends how much that question encompasses but … OpenStreetMap ?


I do not know or care: I use Firefox ESR and Tor Browser.

LibRedirect lists SimplyTranslate, LibreTranslate, and OpenStreetMap. I have infrequently used all of them before, so I do not have a well informed opinion of them.

I found two links concerning Firefox ESR browser extensions.

You just copy and right-click to select the extension’s option label for translation. Of course, the Dialect program can do the same with a translation button. Still, I say that the LibreTranslate web page can almost replace the Google Translate web page. It’s too bad that its installation for offline use requires a Docker installer. I don’t know what Docker is, but I don’t think I would need it compared to Flatpak/Flathub. Plus, the upload/download function is not 100% perfect when it comes to dependency-dependent web pages. So it’s back to the drawing board with a browser extension or Dialect.

This post is largely irrelevant to the topic at hand, but given the fact that Chromium is affected in the light of Google’s alleged surveillance in Chrome’s Incognito mode, I am getting quite doubtful of the service connected to Chromium.


If I’m not mistaken, Mozilla is going to give a presentation on that Firefox offline translation at FOSDEM.
