Message-ID: <87qzxeljdu.fsf@gentoo.org>
Date: Thu, 14 Aug 2025 03:36:13 +0100
From: Sam James <sam@...too.org>
To: Jordan Glover <Golden_Miller83@...tonmail.ch>, Martin Storsjö
 <martin@...tin.st>
Cc: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: Question about (in)security of fdk-aac-free in
 linux distros

Jordan Glover <Golden_Miller83@...tonmail.ch> writes:

> This post presents a question about the (in)security of the fdk-aac-free package library packaged by several Linux distros. I hope someone on the list finds it worth reading.

I think we should include Martin in this conversation. (I've not snipped
the email for his benefit.)

>
> Background:
>
> Fraunhofer FDK AAC (fdk-aac) is a library for encoding and decoding
> digital audio in the Advanced Audio Coding (AAC) format. The library
> is developed for Android and public sources are hosted at [1]. The Linux
> port, extracted from the Android sources, is hosted at [2]. The AAC format is
> covered by patents and the fdk-aac license is usually considered
> non-free [3].
>
> Between 2018-2019 there was an initiative to create the fdk-aac-free library
> by using the canonical fdk-aac source and stripping the parts which are still
> covered by patents. After a few iterations it was completed by mid 2019
> [4]. fdk-aac-free was based on version 2.0.0 of fdk-aac.
>
> State of 2025:
>
> Since 2019 the Linux port of fdk-aac was gradually synced with the AOSP
> source. The current version is 2.0.3. The diff between 2.0.0 and 2.0.3
> [5] is more than 1.5k commits, including many bugfixes found by
> fuzzing and sanitizers. Meanwhile the fdk-aac-free project remained
> almost silent. The only activity was merging a massive, over 600 commits
> PR [6] from a third-party contributor which supposedly synchronizes
> changes with version 2.0.2 of fdk-aac. There was no corresponding
> release/tag of fdk-aac-free. The fact it wasn't simply rebased with
> -free patches on top makes it arguably harder to compare -free and
> non-free versions and requires extra effort to do so. The alternative is
> to trust the competence and goodwill of the contributor. The diff between
> 2.0.2 and 2.0.3 is slightly over 900 commits.
>
> This raises a natural question - did any of the fixes for fdk-aac close a
> security vulnerability? Unfortunately, the CVEs are buried under AOSP
> security bulletins and I found very little detail about those; below
> are a few, vastly incomplete examples that sound related to AAC:
>
> https://nvd.nist.gov/vuln/detail/CVE-2019-9283
> https://nvd.nist.gov/vuln/detail/CVE-2020-0279
> https://nvd.nist.gov/vuln/detail/cve-2023-21282 (this is best documented but it affects the part of code that -free version strips away)
>
> Considering the magnitude of fixes it's possible that not every vulnerability may get CVE assigned.
>
> I know there are many projects with an inactive upstream in the Linux
> ecosystem. What makes this one pretty unique is the fact that there's a
> constant flow of public fixes available elsewhere that are never
> applied, which may create an opportunity for a potential attacker.
>
> On linux, fdk-aac(-free) library is used by several projects including
> ffmpeg, gstreamer, pipewire, obs-studio, gnome-remote-desktop,
> etc. Some of those may use it to decode remote untrusted content - for
> example it's default AAC codec for webkit based browsers. It even
> shows warning if some alternate codec is used:
>
>> ** (WebKitWebProcess): WARNING**: The GStreamer FDK AAC plugin is missing, AAC playback is unlikely to work.
>
> Distro availability:
>
> Among popular distros, fdk-aac (non-free) version is available in Arch Linux[7] and Debian [8] (non-free repo).
>
> fdk-aac-free is available in Fedoraproject [9] (since 2019, no updates since then), Opensuse [10] (since 2021, using unchanged source from 2019).
>
> Ubuntu ships package named libfdk-aac2 [11] (in universe repo) which supposedly uses fdk-aac-free synced to 2.0.2 as source [12].
> In 2022 ubuntu packager proposed adding fdk-aac-free into ubuntu main repository [13]. The security review that followed in 2024 was rather strongly negative [14]:
>
>> The upstream chain for fdk-aac-free is precarious.
>>
>> The Debian package fdk-aac-free watches
>> https://gitlab.freedesktop.org/wtaymans/fdk-aac-stripped/ This
>> version specifically removes the HE (High Efficiency) and HEv2
>> profiles which have patent concerns (see README.fedora).
>>
>> This version does not regularly sync from upstream:
>> https://sourceforge.net/projects/opencore-amr/ Note that
>> https://github.com/mstorsjo/fdk-aac is a downstream of Fraunhofer's
>> code distributed on
>> https://android.googlesource.com/platform/external/aac
>>
>> Jorge has reported a potential vulnerability to
>> https://github.com/mstorsjo/fdk-aac/issues/167 and to Android's
>> VRP. Android responded saying that they require a PoC and directed
>> Jorge to
>> https://bughunters.google.com/learn/invalid-reports/android-platform/5148417640366080/bugs-with-negligible-security-impact#unreachable-bugs
>>
>> fdk-aac-free is not being maintained by syncing with upstream which may contain security patches. Reporting issues about fdk-aac has so far been fruitless.
>
> A short time later it was rejected as abandonware [15]:
>
>> We have not been able to contact anyone 'upstream' who cares about
>> this code. From our perspective, this is basically abandonware. It
>> doesn't feel like this meets our quality expectations for inclusion
>> in Ubuntu Main.
>>
>> If we find an upstream maintainer willing to discuss and answer
>> questions, we can revisit this in the future. But maintaining this
>> entirely on our own is too much risk for too little benefit.
>>
>> Security team NACK for promoting the fdk-aac-free package to main.
>
> Debian rejected the fdk-aac-free package at a very similar time [16]. It's not clear if there was a separate security review process or it was coordinated with Ubuntu.
>
> Freedesktop-sdk (flatpak runtime) removed this library a few months ago [17], citing similar reasons as Ubuntu:
>
>>This fork is unmaintained since 2019 and misses many hundreds of
>>upstream fixes. Historically it was shipped in runtime to enable
>>patent-free aac codec functionality but after introducing codecs-extra
>>extension and dropping openh264, codec patents are no longer a
>>problem. Any aac support should be provided in codecs-extra
>>extension.
>
> Conclusion:
>
> As presented above, the fdk-aac-free library, available in Linux
> distros and used by popular software like browsers or media players, is
> de facto abandonware, missing a vast amount of publicly available
> fixes. Moreover AOSP - which is the ultimate and only place to report
> security issues - according to its policy [18] may require a PoC that
> works on Android:
>
>> Be especially careful if you're building a Proof of Concept (PoC)
>> that links to a library and calls functions directly, if those
>> functions would not be callable directly when using normal Android
>> APIs.
>
> Potential issues that could affect the Linux library but not Android may be rejected as invalid.
>
> Considering the above, I wanted to ask, especially the Fedora and openSUSE
> security teams, if they did make a security review of the fdk-aac-free
> library before or after it was added to the repos and whether they
> reached different conclusions about it than Ubuntu/Debian. I also ask if
> they provide security support for this package.
>
> Thank You
>
> Jordan
>
> [1] https://android.googlesource.com/platform/external/aac/
> [2] https://github.com/mstorsjo/fdk-aac
> [3] https://fedoraproject.org/wiki/Licensing/FDK-AAC
> [4] https://cgit.freedesktop.org/~wtay/fdk-aac/log/?h=stripped4
> [5] https://github.com/mstorsjo/fdk-aac/compare/v2.0.0...v2.0.3
> [6] https://gitlab.freedesktop.org/wtaymans/fdk-aac-stripped/-/merge_requests/1
> [7] https://archlinux.org/packages/extra/x86_64/libfdk-aac/
> [8] https://tracker.debian.org/pkg/fdk-aac
> [9] https://src.fedoraproject.org/rpms/fdk-aac-free/tree/rawhide
> [10] https://build.opensuse.org/package/show/multimedia:libs/fdk-aac-free
> [11] https://packages.ubuntu.com/questing/libfdk-aac2
> [12] https://git.launchpad.net/ubuntu/+source/fdk-aac-free/
> [13] https://bugs.launchpad.net/ubuntu/+source/fdk-aac-free/+bug/1977614
> [14] https://bugs.launchpad.net/ubuntu/+source/fdk-aac-free/+bug/1977614/comments/13
> [15] https://bugs.launchpad.net/ubuntu/+source/fdk-aac-free/+bug/1977614/comments/17
> [16] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981285#79
> [17] https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/commit/eb5f79dd1430d6f47394766509bfd0335345bb45
> [18] https://bughunters.google.com/learn/invalid-reports/android-platform/5148417640366080/bugs-with-negligible-security-impact#unreachable-bugs
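The post notes that the stripped fork was not rebased with the -free patches on top, which makes it hard to tell which upstream fdk-aac commits ever reached it. The script below is an added example, not code from this thread or from either fdk-aac project: it compares the two histories by patch-id (so a squashed or re-authored sync still gets credit for changes it carried over) and lists upstream commits whose diff is absent from the fork, with a second function that narrows the list to fix-like subjects for triage. Repository paths and refs are placeholders to be replaced with local clones.

```shell
#!/bin/sh
# Added example (not from the post or either fdk-aac project): report
# upstream commits whose changes never landed in a stripped fork.
# Assumes two local git clones; paths and refs below are placeholders.
set -eu

# missing_fixes <upstream_repo> <upstream_ref> <fork_repo> <fork_ref>
# Prints "<sha> <subject>" for every non-merge upstream commit whose
# stable patch-id does not occur anywhere in the fork's history.
missing_fixes() {
  up_repo=$1; up_ref=$2; fk_repo=$3; fk_ref=$4
  fork_ids=$(mktemp)
  # Patch-ids of every non-merge commit reachable from the fork ref.
  git -C "$fk_repo" log -p --no-merges "$fk_ref" \
    | git patch-id --stable | cut -d' ' -f1 | sort -u > "$fork_ids"
  git -C "$up_repo" rev-list --no-merges "$up_ref" | while read -r sha; do
    pid=$(git -C "$up_repo" show "$sha" </dev/null \
          | git patch-id --stable | cut -d' ' -f1)
    [ -n "$pid" ] || continue   # empty commit: nothing to compare
    if ! grep -qx "$pid" "$fork_ids"; then
      printf '%s %s\n' "$sha" "$(git -C "$up_repo" log -1 --format=%s "$sha")"
    fi
  done
  rm -f "$fork_ids"
}

# missing_fix_like: same output, narrowed to subjects that look like bug
# or robustness fixes, i.e. the commits a security review triages first.
missing_fix_like() {
  missing_fixes "$@" \
    | grep -iE 'fix|overflow|bound|sanitiz|fuzz|crash|leak' || true
}

# Usage with placeholder paths (both must be local clones):
#   missing_fix_like /path/to/fdk-aac v2.0.3 /path/to/fdk-aac-stripped HEAD
```

The patch-id comparison deliberately ignores commit messages and hashes, so it still works when the fork imported upstream changes as one large merge request rather than as cherry-picks.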
