Firefox 50 blocks Ubuntu 12.04 and 14.04 LTS's version of libavcodec

Bug #1643467 reported by Ori Avtalion on 2016-11-21
668
This bug affects 75 people
Affects Status Importance Assigned to Milestone
libav
Unknown
Unknown
libav (Ubuntu)
Precise
Medium
Unassigned
Trusty
Medium
Unassigned

Bug Description

Whenever it tries to play a video, Firefox 50 displays this message at the top of every page:
"libavcodec may be vulnerable or is not supported, and should be updated to play video"

https://dxr.mozilla.org/mozilla-central/source/browser/locales/en-US/chrome/browser/browser.properties?q=%22libavcodec+may+be+vulnerable%22&redirect_type=single#742

Firefox refuses any libavcodec version prior to 54.35.1 (unless media.libavcodec.allow-obsolete==true).

https://dxr.mozilla.org/mozilla-central/source/dom/media/platforms/ffmpeg/FFmpegLibWrapper.cpp#60

Users should not be subjected to this warning, as it is vague (does not instruct them how to fix it).
Ubuntu 14.04 LTS should ship with an updated version of libavcodec.

DistroRelease: Ubuntu 14.04
Package: firefox 50.0+build2-0ubuntu0.14.04.2

Ori Avtalion (salty-horse) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in firefox (Ubuntu):
status: New → Confirmed
Changed in libav (Ubuntu):
status: New → Confirmed
description: updated
Mozaic (mozaic) wrote :

For information in Firefox 50 release notes:
https://www.mozilla.org/en-US/firefox/50.0/releasenotes/
"Blocked versions of libavcodec older than 54.35.1"

flan_suse (flansuse) wrote :

I concur. Ubuntu 14.04, which is an LTS release, should update libavcodec to version 54.35.1 or higher.

Robie Basak (racb) on 2016-11-24
tags: added: regression-update
vsespb (vsespb) wrote :

Affects Ubuntu 12.04 as well

tags: added: precise
R.Zimmermann (rainer42) wrote :

For me, Firefox (50.0 on Ubuntu 14.04) not only shows the warning, but also seems to prevent embedded .gif/.gifv animations from playing, at least on Reddit and Twitter.
Example: Almost every video on https://www.reddit.com/r/gifs/
After clicking the Play button, the video will "load forever" or show a still image.

It worked in previous FF versions, or works when setting media.libavcodec.allow-obsolete=true (which I don't want to do permanently).

It also works *sometimes* if the URL is pointing directly to the GIF file.

Would appreciate if the fix for 14.04 could get a higher priority.

Allowing "obsolete" codecs to run is an absolutely terrible idea. For those of you on 14.04, I'd recommend updating libav-tools by PPA following this answer: http://askubuntu.com/a/851192 That's your best bet so far.

Woody (wo0dy) wrote :

How is this not fixed yet? It appears to affect all 14.04 users of firefox. Thats a lot of people.

Norbert (nrbrtx) on 2016-12-02
summary: - Firefox 50 blocks Ubuntu 14.04 LTS's version of libavcodec
+ Firefox 50 blocks Ubuntu 12.04 and 14.04 LTS's version of libavcodec
Norbert (nrbrtx) wrote :

Ubuntu 12.04 LTS is affected too (Firefox 50.0.2).
IMHO it is time to include ESR versions of Firefox to Ubuntu LTS instead of bleeding-edge versions.
For example current Firefox ESR 45.5.1 does not show this error.

Kenneth Wrede (kennethwrede) wrote :

If libavcodec must be blocked if it is vulnerable. Then the latest version seems to be a better choice then ESR. But it must be updated in Ubuntus repos as well. I couldnt find anything related in proposed or backports, just checked! (dec 4)

afrugiada (afrugiada) on 2016-12-04
Changed in firefox (Ubuntu):
assignee: nobody → afrugiada (afrugiada)
David Henningsson (diwic) wrote :

Marking as security; either Firefox is wrong or libavcodec is vulnerable and probably we need security people to look at it to determine which one it is...

information type: Public → Public Security
Changed in libav (Ubuntu):
status: Confirmed → Triaged
Norbert (nrbrtx) wrote :

I found ( http://askubuntu.com/a/856322/66509 ) PPA with newer libav (version 11.2-1ppa1) for Precise:

sudo add-apt-repository ppa:itachi-san/ffmpeg
sudo apt-get update
sudo apt-get install libav-tools libavcodec56

Is it possible to make SRU and include it to Precise main repository?

no longer affects: firefox
Changed in libav (Ubuntu Precise):
status: New → Confirmed
Changed in libav (Ubuntu Trusty):
status: New → Confirmed
Changed in libav (Ubuntu):
status: Triaged → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libav - 6:9.20-0ubuntu0.14.04.1

---------------
libav (6:9.20-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Updated to 9.20 to fix various crashes with
    invalid-free, corrupted double-linked list or out-of-bounds read
    (LP: #1643467)
    - No CVE number

 -- Marc Deslauriers <email address hidden> Wed, 07 Dec 2016 15:36:50 -0500

Changed in libav (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in firefox (Ubuntu Precise):
status: New → Confirmed
Changed in firefox (Ubuntu Trusty):
status: New → Confirmed
Changed in firefox (Ubuntu Trusty):
status: Confirmed → Fix Released
ghomem (gustavo) wrote :

Fix seems be fine on 14.04. After a couple of hours of use I'm experiencing neither warnings nor problems playing videos.

James Cameron (quozl) wrote :

I'm having problems playing videos after this fix. (LP: #1648721)

Marc Chenier (mchen) wrote :

This bug affects me on Precise.

John Rodriguez (julian52) wrote :

The bug also affects me on 12.04. Often get the "libavcodec may be vulnerable or is not supported, and should be updated to play video" error.

Will I have to upgrade to 14.04?

Will the update for 12.04 eventually be available on the standard update package?

Norbert (nrbrtx) wrote :

@julian52

As I already mentioned here (comment 13) and on AskUbuntu ( http://askubuntu.com/a/856322/66509 ) - there is a PPA with newer libav (version 11.2-1ppa1) for Precise:

sudo add-apt-repository ppa:itachi-san/ffmpeg
sudo apt-get update
sudo apt-get install libav-tools libavcodec56

But this solution is temporary.

We need official stable solution from Canonical for Ubuntu 12.04 LTS Precise Pangolin.

Changed in firefox (Ubuntu Precise):
assignee: nobody → louis romano (troubleshooter1961)
status: Confirmed → Fix Released
William F Hammond (wfhammond) wrote :

Re 12.04 LTS: It doesn't make sense for an LTS user to add a baroque apt repository. Please, could a stable fix be pushed out with regular updates. (It's probably at least 8 months before 12.04 LTS is replaced by what I understand to be its LTS successor, 17.04.1+)

Seth Arnold (seth-arnold) wrote :

William, as far as I know the next LTS is still intended to be 18.04.

Our current LTS releases are 12.04, 14.04, and 16.04.

If you wish to upgrade to 14.04 note that Apache2's authentication and authorization changed drastically. If you wish to upgrade to 16.04 note that php is now version 7, and many applications aren't yet updated for php7. Be sure to check the release notes for details of larger changes: https://wiki.ubuntu.com/Releases

Thanks

Thanks for all info on this matter......problem seems to be fixed. not getting warning.........

Louis V.Romano Jr.

________________________________
From: <email address hidden> <email address hidden> on behalf of Seth Arnold <email address hidden>
Sent: Wednesday, December 21, 2016 6:00 PM
To: <email address hidden>
Subject: [Bug 1643467] Re: Firefox 50 blocks Ubuntu 12.04 and 14.04 LTS's version of libavcodec

William, as far as I know the next LTS is still intended to be 18.04.

Our current LTS releases are 12.04, 14.04, and 16.04.

If you wish to upgrade to 14.04 note that Apache2's authentication and
authorization changed drastically. If you wish to upgrade to 16.04 note
that php is now version 7, and many applications aren't yet updated for
php7. Be sure to check the release notes for details of larger changes:
https://wiki.ubuntu.com/Releases
Releases - Ubuntu Wiki<https://wiki.ubuntu.com/Releases>
wiki.ubuntu.com
The content of these old releases can be accessed at the old Ubuntu releases directory. Management of releases. Support length. Regular releases are ...

Thanks

--
You received this bug notification because you are a bug assignee.
https://bugs.launchpad.net/bugs/1643467
Bug #1643467 "Firefox 50 blocks Ubuntu 14.04 LTS's version ...<https://bugs.launchpad.net/bugs/1643467>
bugs.launchpad.net
Whenever it tries to play a video, Firefox 50 displays this message at the top of every page: "libavcodec may be vulnerable or is not supported, and should be updated ...

Title:
  Firefox 50 blocks Ubuntu 12.04 and 14.04 LTS's version of libavcodec

Status in libav:
  Unknown
Status in firefox package in Ubuntu:
  Confirmed
Status in libav package in Ubuntu:
  Invalid
Status in firefox source package in Precise:
  Fix Released
Status in libav source package in Precise:
  Confirmed
Status in firefox source package in Trusty:
  Fix Released
Status in libav source package in Trusty:
  Fix Released

Bug description:
  Whenever it tries to play a video, Firefox 50 displays this message at the top of every page:
  "libavcodec may be vulnerable or is not supported, and should be updated to play video"

  https://dxr.mozilla.org/mozilla-central/source/browser/locales/en-
  US/chrome/browser/browser.properties?q=%22libavcodec+may+be+vulnerable%22&redirect_type=single#742

  Firefox refuses any libavcodec version prior to 54.35.1 (unless
  media.libavcodec.allow-obsolete==true).

  https://dxr.mozilla.org/mozilla-
  central/source/dom/media/platforms/ffmpeg/FFmpegLibWrapper.cpp#60

  Users should not be subjected to this warning, as it is vague (does not instruct them how to fix it).
  Ubuntu 14.04 LTS should ship with an updated version of libavcodec.

  DistroRelease: Ubuntu 14.04
  Package: firefox 50.0+build2-0ubuntu0.14.04.2

To manage notifications about this bug go to:
https://bugs.launchpad.net/libav/+bug/1643467/+subscriptions

Norbert (nrbrtx) wrote :

Ubuntu 12.04.5 LTS with all updates.
I removed PPA ppa:itachi-san/ffmpeg with ppa-purge.
In Firefox I have media.libavcodec.allow-obsolete = false.
Tried to find patch in proposed updates with no luck.

The bug is not fixed!
Please fix it!
Precise is an LTS version, is not it?

@louis romano (troubleshooter1961)
Fixing bugs by commenting is not real bug fixing!
"Talk is cheap. Show me the code." as Linus Torvalds said.

Changed in firefox (Ubuntu Precise):
assignee: louis romano (troubleshooter1961) → nobody
Marc Chenier (mchen) wrote :

I use Ubuntu 12.04.5 LTS fully updated as my usual workstation. I still have the problem. I would really like to have this bug fixed in an official Ubuntu way, something I can get through regular updates.

Thanks

John Rodriguez (julian52) wrote :

I use Ubuntu 12.04. Still have the problem. I have disabled Flash and depend on HTML5.
Can't watch video on mainstream news site. Youtube does work, however.

Please include fix on next update packet.

If I upgrade to 14.04, will problem be fixed?

paz (mozit) wrote :

still a problem with Ubuntu Precise... Didn't use the ppa. just waiting for a fix.

Shofi Islam (shofi-islam) wrote :

Confirm message still present in 12.04

Norbert (nrbrtx) wrote :

Ubuntu 12.04.5 LTS with all updates.
The bug is not fixed!
Please fix it!

You broke normal secure internet surfing. Please provide patch for libav.
Google Chrome is unsupported on Precise, Chromium is old, Opera is proprietary.

Precise is an LTS version, is not it?

John Rodriguez (julian52) wrote :

Have not updated Ubuntu 12.04 since 12-24-16. Has the bug been fixed? If I upgrade to 14.04 will I encounter the same problem?

Norbert (nrbrtx) wrote :

Bug is not fixed in Ubuntu 12.04.5 LTS Precise Pangolin.
Can't use twitter.com, facebook.com, vk.com and other sites.

Still need official fix from Canonical and/or Mozilla.

Marc Deslauriers (mdeslaur) wrote :

For this to be resolved in Ubuntu 12.04 LTS, an appropriate fix needs to be written for libav 0.8. Updating to a newer libav isn't an option as the API has changed and that would break compatibility with all the software using libav in the archive. Once a fix has been written, Mozilla would then need to unblock libav in Firefox.

This is unlikely to happen before 12.04.5 LTS reaches end of life in a few weeks.

I recommend updating to a newer Ubuntu release, such as 14.04 LTS, or preferably 16.04 LTS now if this is an important issue rather than waiting until the end of life of 12.04 LTS in a few weeks.

Ben (keinspamhier) wrote :

Judging from the posts in this bug report, it took 2 weeks and three days to solve this problem for the end-users (for the other releases. Support for precise ends in 16 weeks...

I am using ubuntu 12.04. After the update of firefox I am getting the error message -- ""libavcodec may be vulnerable or is not supported, and should be updated to play video"" .

Any solutions ?

Changed in firefox (Ubuntu):
status: Confirmed → Fix Released
roger (blueshade44) wrote :

I had this problem too. I'm running Lubuntu 12.04. I use plain 12.04 and not LTS because lubuntu 12.04 LTS requires PAE and won't work on my Pentium M Itronix go book 3. I have to keep running Lubuntu 12.04. Anyway the answer for me was to go to the Lubuntu Software center and install Gnome-Media-Player . While installing looking at the "programs to install" lo and behold at the top of the list...Libavcodec53 !!! PROBLEM SOLVED.
     roger at blueshade44

roger (blueshade44) wrote :

Oh yeah ...my Lubuntu 12.04 came installed with "Gnome mplayer" but when I installed Gnome-Media-Player my problem "player did not initialize properly" went away and I could pay my wave files on Reverb Nation. I didn't have problems with video or flash or You Tube.
    roger at blueshade44

no longer affects: firefox (Ubuntu)
no longer affects: firefox (Ubuntu Precise)
no longer affects: firefox (Ubuntu Trusty)
no longer affects: libav (Ubuntu)
Changed in libav (Ubuntu Trusty):
importance: Undecided → Medium
Changed in libav (Ubuntu Precise):
importance: Undecided → Medium
Hans Brinker (fcnc) wrote :

Thank you very much for your work.

Regards Ferry

Amsterdam

The Netherlands

>
> Op 8 mei 2017 om 0:49 schreef Mathew Hodson <email address hidden>:
>
>
> ** No longer affects: firefox (Ubuntu)
>
> ** No longer affects: firefox (Ubuntu Precise)
>
> ** No longer affects: firefox (Ubuntu Trusty)
>
> ** No longer affects: libav (Ubuntu)
>
> ** Changed in: libav (Ubuntu Trusty)
> Importance: Undecided => Medium
>
> ** Changed in: libav (Ubuntu Precise)
> Importance: Undecided => Medium
>
> --
> You received this bug notification because you are subscribed to a
> duplicate bug report (1646554).
> https://bugs.launchpad.net/bugs/1643467
>
> Title:
> Firefox 50 blocks Ubuntu 12.04 and 14.04 LTS's version of libavcodec
>
> Status in libav:
> Unknown
> Status in libav source package in Precise:
> Confirmed
> Status in libav source package in Trusty:
> Fix Released
>
> Bug description:
> Whenever it tries to play a video, Firefox 50 displays this message at the
> top of every page:
> "libavcodec may be vulnerable or is not supported, and should be updated
> to play video"
>
> https://dxr.mozilla.org/mozilla-central/source/browser/locales/en-
>
> US/chrome/browser/browser.properties?q=%22libavcodec+may+be+vulnerable%22&redirect_type=single#742
>
> Firefox refuses any libavcodec version prior to 54.35.1 (unless
> media.libavcodec.allow-obsolete==true).
>
> https://dxr.mozilla.org/mozilla-
> central/source/dom/media/platforms/ffmpeg/FFmpegLibWrapper.cpp#60
>
> Users should not be subjected to this warning, as it is vague (does not
> instruct them how to fix it).
> Ubuntu 14.04 LTS should ship with an updated version of libavcodec.
>
> DistroRelease: Ubuntu 14.04
> Package: firefox 50.0+build2-0ubuntu0.14.04.2
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/libav/+bug/1643467/+subscriptions
>

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.