"libavcodec may be vulnerable..." message in Firefox

38

8

Since last week, I'm receiving the following message for almost every page that I open in Firefox:

libavcodec may be vulnerable or is not supported, and should be updated to play video

Apparently, this is just a warning, 'cause I can play videos normally.

I tried

sudo apt-get install libavcodec

but this package does not exist.

I also did apt-get update and apt-get upgrade, but the message persists.

Finally, when I use apt-get autoremove, it does not return any package.

I googled for the message, but did not find anything similar.

What should I do to eliminate this message? Should I stay alert for anything?

Some info:

  • Ubuntu 14.04
  • Firefox Developer Edition 51.0a2

James

Posted 2016-10-20T12:13:57.707

Reputation: 629

1 If you want to find out where a program/component comes from, you can install apt-file. You have to periodically update it with apt-file update. Then, you use apt-file find program-name to find out which packages it's in. This is a great tool, but it will only search in the repositories you have installed. So, if what you need is in a PPA which you haven't installed, it won't find it. – Joe – 2016-10-25T03:01:13.663

Answers

36

There is a security issue described here:

Description

The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in FFmpeg before 2.8.4 does not validate the number of decomposition levels before proceeding with Discrete Wavelet Transform decoding, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG 2000 data.

The libav can be installed through:

sudo apt-get install libav-tools

The libav version used by Ubuntu 14.04 is 9.x and can be upgraded to 11.x as follows:

sudo add-apt-repository ppa:heyarje/libav-11
sudo apt-get update
sudo apt-get install libav-tools

Run:

sudo apt-get update && sudo apt-get upgrade
sudo apt-get dist-upgrade 

to upgrade packages.

GAD3R

Posted 2016-10-20T12:13:57.707

Reputation: 2 677

5 sudo apt-get upgrade (instead of dist-upgrade) should be enough. – mpy – 2016-10-25T19:13:38.790

3 Is the dist-upgrade really necessary? – dwbartz – 2016-11-24T09:05:04.130

1 Is adding a new apt repository blindly really safer than continuing to use an obsolete version of libav? – shadi – 2017-02-02T04:49:16.083

@shadi, yes. You can look up who https://launchpad.net/~heyarje is. You can also figure out he is most likely not after scamming average Ubuntu users. No guarantees ofc. Allowing the use of an obsolete version is a guarantee that any clickbait can lead to arbitrary code being executed on your machine. By now it's probably automatized. One wrong click and all your passwords are gone. – Ufos – 2017-12-22T21:37:39.070

16

In case you cannot upgrade your libav, you can force Firefox to use the old version by changing this setting (-> about:config):

media.libavcodec.allow-obsolete

The default setting is false, but you can change it to true.

ReneF.

Posted 2016-10-20T12:13:57.707

Reputation: 161

2 Thanks. This is a great workaround (knowing FF is more insecure now) while I wait for the real fix from Ubuntu / Mint. Also I had to restart Firefox after setting this config entry to false. – Neil Wightman – 2016-11-22T06:49:03.190

7

GAD3R's answer works if you are okay installing another repo, and ReneF's if you are okay with the security vulnerability.

If, like me, you don't care if some videos don't play, and you just want that damn message to disappear - without disabling libavcodec (because manually disabling means I'd have to manually re-enable once a fix comes out) - then you should go to about:config, and look for:

media.decoder-doctor.notifications-allowed

In the value field, you may see a comma-separated list of values; the one you want to remove is MediaUnsupportedLibavcodec. For example, my setting was:

MediaWMFNeeded,MediaWidevineNoWMFNoSilverlight,MediaUnsupportedLibavcodec

And I changed it to:

MediaWMFNeeded,MediaWidevineNoWMFNoSilverlight

Voilà! No more annoying notification, and the videos which require the codec won't work. However, there's no security issue, and once the official repo pushes a fix, the videos will start working again without any further effort on your part.

cegfault

Posted 2016-10-20T12:13:57.707

Reputation: 171
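
An added example, not part of the answers above and not Firefox's own tooling: a shell audit that reports whether a profile carries either override from the two preceding answers (media.libavcodec.allow-obsolete set to true, or MediaUnsupportedLibavcodec dropped from media.decoder-doctor.notifications-allowed). The function names and the sample prefs.js are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original posts): report whether a Firefox
# profile carries either of the about:config overrides discussed above.

# Print the last value assigned to pref $2 in file $1.
# prefs.js / user.js lines have the form: user_pref("name", value);
pref_value() {
    local name_re
    name_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots literally
    sed -n "s/^user_pref(\"$name_re\", *\(.*\));[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Print one WARN line per override found in profile directory $1.
audit_profile() {
    local f v
    for f in "$1/prefs.js" "$1/user.js"; do
        [ -f "$f" ] || continue
        v=$(pref_value "$f" media.libavcodec.allow-obsolete)
        if [ "$v" = "true" ]; then
            echo "WARN $f: media.libavcodec.allow-obsolete=true, obsolete libavcodec is allowed"
        fi
        v=$(pref_value "$f" media.decoder-doctor.notifications-allowed)
        # The pref appears in these files only when it was changed from its default.
        if [ -n "$v" ] && ! printf '%s\n' "$v" | tr -d '" ' | tr ',' '\n' |
                grep -qx MediaUnsupportedLibavcodec; then
            echo "WARN $f: MediaUnsupportedLibavcodec removed from media.decoder-doctor.notifications-allowed"
        fi
    done
}

# Constructed sample profile with both overrides from the answers applied.
make_sample_profile() {
    local dir
    dir=$(mktemp -d)
    cat > "$dir/prefs.js" <<'EOF'
user_pref("browser.startup.page", 3);
user_pref("media.libavcodec.allow-obsolete", true);
user_pref("media.decoder-doctor.notifications-allowed", "MediaWMFNeeded,MediaWidevineNoWMFNoSilverlight");
EOF
    printf '%s\n' "$dir"
}

sample=$(make_sample_profile)
audit_profile "$sample"
rm -rf "$sample"
```

On a real system, point audit_profile at a profile directory under ~/.mozilla/firefox/ while Firefox is closed, since prefs.js is rewritten on exit.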

2

libavcodec has been updated in Ubuntu 14.04.

An update to libav-tools, libavcodec-extra and libavcodec-extra-54 in Ubuntu 14.04 has fixed this problem. The "libavcodec may be vulnerable or is not supported, and should be updated to play video" notification no longer appears after updating the system with the Software Updater.

karel

Posted 2016-10-20T12:13:57.707

Reputation: 11 374
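
An added example, not part of the answer above: a check that the three packages named in it are actually at the version the repositories offer, by parsing `apt-cache policy` output. The function names are hypothetical and the version strings in the sample are constructed placeholders, not real Ubuntu versions.

```bash
#!/usr/bin/env bash
# Added example (not from the original posts).
# Real use, after `sudo apt-get update`:
#   apt-cache policy libav-tools libavcodec-extra libavcodec-extra-54 | pending_updates

# Read `apt-cache policy` output on stdin and print every installed package
# whose installed version differs from the candidate version.
pending_updates() {
    awk '
        /^[^ ]/         { pkg = $1; sub(/:$/, "", pkg) }   # "name:" header line
        /^  Installed:/ { inst = $2 }
        /^  Candidate:/ { if (inst != "(none)" && inst != $2) print pkg, inst, "->", $2 }
    '
}

# Constructed sample output: one package current, one not installed,
# one with an update still pending.
sample_policy() {
    cat <<'EOF'
libav-tools:
  Installed: 6:9.0-constructed2
  Candidate: 6:9.0-constructed2
  Version table:
 *** 6:9.0-constructed2 0
        500 http://archive.example/ubuntu/ trusty-updates/main amd64 Packages
libavcodec-extra:
  Installed: (none)
  Candidate: 6:9.0-constructed2
libavcodec-extra-54:
  Installed: 6:9.0-constructed1
  Candidate: 6:9.0-constructed2
EOF
}

sample_policy | pending_updates
```

Empty output means every installed package from the list is already at its candidate version.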

-1

People are making this harder than it needs to be - and in some cases may not work at all (my case), or be acceptable to continue on with an actual security risk (changing things around in Firefox).

Simply go into software center, wait for it to load, type 'restricted' into the search feature, and install the restricted extras package for your particular distro.

Done. Even if you enabled restricted extras in updates, that apparently doesn't apply to video codecs for some reason. This solved my problem even after getting a 'codecs could not be installed due to broken retained packages' - or some such approximation notification.

Akiviri

Posted 2016-10-20T12:13:57.707

Reputation: 1