Re: Question about (in)security of fdk-aac-free in linux distros

[Demi Marie Obenour <demiobenour () gmail com>]

On 8/14/25 04:56, Martin Storsjö wrote:
> Hi,
>
> On Thu, 14 Aug 2025, Sam James wrote:
>
> > Jordan Glover <Golden_Miller83 () protonmail ch> writes:
> >
> > > This post presents question about (in}security of fdk-aac-free package 
> > > library packaged by several linux distros. I hope someone on the list 
> > > finds it worth reading.
> >
> > I think we should include Martin in this conversation. (I've not snipped
> > the email for his benefit.)
>
> Thanks for looping me in! I have a couple of clarifications on some 
> details here.
>
> > > Since 2019 linux port of fdk-aac was gradually synced with aosp
> > > source. Current version is at 2.0.3. The diff between 2.0.0 and 2.0.3
> > > [5] is more than 1.5k commits,
>
> FWIW, if just counting commits, those commit numbers will be _vastly_ 
> inflated, due to how Android does its development - the majority of those 
> commits are just merges between different branches.
>
> $ git log --oneline v2.0.0..v2.0.3 | wc -l
>      1694
> $ git log --no-merges --oneline v2.0.0..v2.0.3 | wc -l
>       369
>
> So the true number of non-merge commits between those versions is closer 
> to 369, not 1.5k. In addition, some of those fixes are the same fix, 
> cherrypicked in different branches.
>
> A rough deduplication gets the number down to 300.
>
> $ git log --no-merges --oneline v2.0.0..v2.0.3 | sed s/^........// | sort | uniq | wc -l
>       300
>
> That's of course not saying that it's insignificant, but it's a bit less 
> than initially counted.
>
> Then unfortunately, some of those upstream AOSP commits also are batched 
> updates from another Fraunhofer internal repo, where the commit just says 
> "update to newer version or similar", see e.g. [1] and [2].
>
> > > including many bugfixes found by fuzzing and sanitizers.
>
> Indeed; a couple of years ago there was a lot of activity around fuzzing. 
> I got a couple dozens of fuzzed samples from oss-fuzz as well, which I've 
> tried to fix to the best of my capability (sometimes by corresponding with 
> Fraunhofer on what the best fix is). In many cases, the same bugs have 
> also been fixed in a better permanent way upstream in AOSP later, reducing 
> my diff between my fork and AOSP.
>
> > > The fact it wasn't simply rebased with -free patches on top make it 
> > > arguably harder to compare -free and non-free versions and requires 
> > > extra effort to do so. Alternative is to trust competences and goodwill 
> > > of the contributor. The diff between 2.0.2 and 2.0.3 is slightly over 
> > > 900 commits.
>
> FWIW, regarding development flow, within the main fdk-aac repo, I maintain 
> it by doing my own fixes on the regular branches, then semi-regularly 
> merging AOSP main into my branch. Separately, I maintain a rebased branch 
> with incremental patches on top of AOSP main [3], which recreates the same 
> exact state of the master branch at the same time [4] - this branch 
> currently weighs in at 25 commits.
>
> > > This raises natural question - does any of fixes for fdk-aac closed
> > > security vulnerability?
>
> Unfortunately I don't have any further insight into this.
>
> > > Among popular distros, fdk-aac (non-free) version is available in Arch 
> > > Linux[7] and Debian [8] (non-free repo).
>
> FWIW, personally I've always been surprised to see fdk-aac packaged in 
> distros at all (-free form or not). The project license is hard to 
> interpret and contains extra restrictions, which projects such as ffmpeg 
> have interpreted as GPL/LGPL incompatible. But apparently some distros 
> have interpreted it as free enough for them.
>
>
> > > > This version does not regularly sync from upstream: 
> > > > https://sourceforge.net/projects/opencore-amr/ Note that 
> > > > https://github.com/mstorsjo/fdk-aac is a downstream of Fraunhofer's 
> > > > code distributed on 
> > > > https://android.googlesource.com/platform/external/aac
>
> FWIW, this sentence feels a bit unclear. Both the sourceforge and github 
> repos are downstreams of the AOSP repo. Both those repos contain exactly 
> the same things; the sourceforge repo is the official front of the 
> project, while the github one is where I keep more in-development branches 
> and such.
>
> > > > Jorge has reported a potential vulnerability to
> > > > https://github.com/mstorsjo/fdk-aac/issues/167 and to Android's
> > > > VRP. Android responded saying that they require a PoC and directed
> > > > Jorge to
> > > > https://bughunters.google.com/learn/invalid-reports/android-platform/5148417640366080/bugs-with->negligible-security-impact#unreachable-bugs
>
> FWIW, regarding that vulnerability - as stated there, I'm not familiar 
> with the internals of the code to the level of being able to deal with a 
> potential bug - but if there's a sample reproducer actually triggering it 
> (like produced by fuzzers) I would definitely produce a fix for it in one 
> form or another.
>
> > > As presented above, the fdk-aac-free library, available in linux
> > > distros and used by popular software like browsers or media players is
> > > de facto abandonware, missing vast amount of publicly available
> > > fixes.
>
> I don't disagree with this part.
>
> // Martin
>
> [1] https://github.com/mstorsjo/fdk-aac/commit/9ab67882eca7454dc001e158bc1e6e2219d6650b
> [2] https://github.com/mstorsjo/fdk-aac/commit/6cfabd35363c3ef5e3b209b867169a500b3ccc3c
> [3] https://github.com/mstorsjo/fdk-aac/commits/upstream-patched
> [4] https://github.com/mstorsjo/fdk-aac/compare/upstream-patched..master
What is your recommendation to distro maintainers?  My understanding is
that the full codec is included in the flathub runtimes but am not sure.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

Attachment: OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature