Re: Question about (in)security of fdk-aac-free in linux distros

[Demi Marie Obenour <demiobenour () gmail com>]

On 8/19/25 03:35, Martin Storsjö wrote:
> On Fri, 15 Aug 2025, Demi Marie Obenour wrote:
>
> > What is your recommendation to distro maintainers?  My understanding is
> > that the full codec is included in the flathub runtimes but am not sure.
>
> Not sure about what to recommend. From what has been shared, fdk-aac-free 
> does indeed seem insecure and/or hard to maintain.
>
> If someone has time to invest in it, it could be fixable by trying to 
> recreate the transformation from fdk-aac to fdk-aac-free in the form of a 
> small patchset that can be rebased, or a script, ripping out the unwanted 
> parts. Unfortunately, going forward with newer versions of fdk-aac, there 
> can be more new algorithms that also may need to be patched out (there was 
> a pretty big dump of new stuff a number of years ago), so it probably 
> needs to be re-audited wrt patents after major updates.
Is it worthwhile for distros to even try to ship an unencumbered AAC decoder,
or should they leave multimedia support to third-party platforms that can
freely ship full codecs?  With Flathub that is much more feasible than it
used to be.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

Attachment: OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature