Message-ID: <84dc77b-13c5-5aa-e066-31db6de18e2@martin.st>
Date: Thu, 14 Aug 2025 11:56:06 +0300 (EEST)
From: Martin Storsjö <martin@...tin.st>
To: Sam James <sam@...too.org>
cc: Jordan Glover <Golden_Miller83@...tonmail.ch>, "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: Question about (in)security of fdk-aac-free in linux distros

Hi,

On Thu, 14 Aug 2025, Sam James wrote:

> Jordan Glover <Golden_Miller83@...tonmail.ch> writes:
>
>> This post presents a question about the (in)security of the fdk-aac-free
>> library packaged by several linux distros. I hope someone on the list
>> finds it worth reading.
>
> I think we should include Martin in this conversation. (I've not snipped
> the email for his benefit.)

Thanks for looping me in! I have a couple of clarifications on some details here.

>> Since 2019 the linux port of fdk-aac was gradually synced with the aosp
>> source. The current version is at 2.0.3. The diff between 2.0.0 and 2.0.3
>> [5] is more than 1.5k commits,

FWIW, if just counting commits, those commit numbers will be _vastly_
inflated, due to how Android does its development - the majority of
those commits are just merges between different branches.

$ git log --oneline v2.0.0..v2.0.3 | wc -l
1694
$ git log --no-merges --oneline v2.0.0..v2.0.3 | wc -l
369

So the true number of non-merge commits between those versions is closer
to 369, not 1.5k. In addition, some of those fixes are the same fix,
cherry-picked in different branches. A rough deduplication gets the number
down to 300.

$ git log --no-merges --oneline v2.0.0..v2.0.3 | sed s/^........// | sort | uniq | wc -l
300

That's of course not saying that it's insignificant, but it's a bit less
than initially counted.

Then unfortunately, some of those upstream AOSP commits also are batched
updates from another Fraunhofer internal repo, where the commit just says
"update to newer version" or similar, see e.g. [1] and [2].

>> including many bugfixes found by fuzzing and sanitizers.

Indeed; a couple of years ago there was a lot of activity around fuzzing.
I got a couple dozen fuzzed samples from oss-fuzz as well, which I've
tried to fix to the best of my capability (sometimes by corresponding with
Fraunhofer on what the best fix is). In many cases, the same bugs have
also been fixed in a better permanent way upstream in AOSP later, reducing
the diff between my fork and AOSP.

>> The fact it wasn't simply rebased with -free patches on top makes it
>> arguably harder to compare -free and non-free versions and requires
>> extra effort to do so. The alternative is to trust the competence and goodwill
>> of the contributor. The diff between 2.0.2 and 2.0.3 is slightly over
>> 900 commits.

FWIW, regarding development flow, within the main fdk-aac repo, I maintain
it by doing my own fixes on the regular branches, then semi-regularly
merging AOSP main into my branch. Separately, I maintain a rebased branch
with incremental patches on top of AOSP main [3], which recreates the
exact same state as the master branch at the same time [4] - this branch
currently weighs in at 25 commits.

>> This raises a natural question - did any of the fixes for fdk-aac close a
>> security vulnerability?

Unfortunately I don't have any further insight into this.

>> Among popular distros, the fdk-aac (non-free) version is available in Arch
>> Linux [7] and Debian [8] (non-free repo).

FWIW, personally I've always been surprised to see fdk-aac packaged in
distros at all (-free form or not). The project license is hard to
interpret and contains extra restrictions, which projects such as ffmpeg
have interpreted as GPL/LGPL incompatible. But apparently some distros
have interpreted it as free enough for them.

>>> This version does not regularly sync from upstream:
>>> https://sourceforge.net/projects/opencore-amr/ Note that
>>> https://github.com/mstorsjo/fdk-aac is a downstream of Fraunhofer's
>>> code distributed on
>>> https://android.googlesource.com/platform/external/aac

FWIW, this sentence feels a bit unclear. Both the sourceforge and github
repos are downstreams of the AOSP repo. Both those repos contain exactly
the same things; the sourceforge repo is the official front of the
project, while the github one is where I keep more in-development
branches and such.

>>> Jorge has reported a potential vulnerability to
>>> https://github.com/mstorsjo/fdk-aac/issues/167 and to Android's
>>> VRP. Android responded saying that they require a PoC and directed
>>> Jorge to
>>> https://bughunters.google.com/learn/invalid-reports/android-platform/5148417640366080/bugs-with-negligible-security-impact#unreachable-bugs

FWIW, regarding that vulnerability - as stated there, I'm not familiar
with the internals of the code to the level of being able to deal with a
potential bug - but if there's a sample reproducer actually triggering it
(like produced by fuzzers) I would definitely produce a fix for it in one
form or another.

>> As presented above, the fdk-aac-free library, available in linux
>> distros and used by popular software like browsers or media players, is
>> de facto abandonware, missing a vast amount of publicly available
>> fixes.

I don't disagree with this part.

// Martin

[1] https://github.com/mstorsjo/fdk-aac/commit/9ab67882eca7454dc001e158bc1e6e2219d6650b
[2] https://github.com/mstorsjo/fdk-aac/commit/6cfabd35363c3ef5e3b209b867169a500b3ccc3c
[3] https://github.com/mstorsjo/fdk-aac/commits/upstream-patched
[4] https://github.com/mstorsjo/fdk-aac/compare/upstream-patched..master