This post presents a question about the (in)security of the fdk-aac-free library 
packaged by several Linux distros. I hope someone on the list finds it worth 
reading.

Background:

Fraunhofer FDK AAC (fdk-aac) is a library for encoding and decoding digital 
audio in the Advanced Audio Coding (AAC) format. The library is developed for 
Android and its public sources are hosted at [1]. A Linux port, extracted from 
the Android sources, is hosted at [2]. The AAC format is covered by patents and 
the fdk-aac license is usually considered non-free [3].

Between 2018 and 2019 there was an initiative to create an fdk-aac-free library 
by taking the canonical fdk-aac source and stripping the parts that are still 
covered by patents. After a few iterations it was completed by mid-2019 [4]. 
fdk-aac-free was based on version 2.0.0 of fdk-aac.

State of 2025:

Since 2019 the Linux port of fdk-aac has been gradually synced with the AOSP 
source. The current version is 2.0.3. The diff between 2.0.0 and 2.0.3 [5] is 
more than 1.5k commits, including many bug fixes found by fuzzing and 
sanitizers. Meanwhile the fdk-aac-free project remained almost silent. The only 
activity was merging a massive PR of over 600 commits [6] from a third-party 
contributor, which supposedly synchronizes the changes with version 2.0.2 of 
fdk-aac. There was no corresponding release/tag of fdk-aac-free. The fact that 
it wasn't simply rebased with the -free patches on top makes it arguably harder 
to compare the -free and non-free versions and requires extra effort to do so. 
The alternative is to trust the competence and goodwill of the contributor. 
The diff between 2.0.2 and 2.0.3 is slightly over 900 commits.
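As an added example (my own illustration, not code from this post or from any 
of the fdk-aac projects), the following shell script enumerates upstream 
commits that have no patch-equivalent commit in a fork whose changes were 
re-committed rather than rebased. Comparing by commit hash would report every 
re-committed change as "missing"; git's patch-id matching (--cherry-pick) keys 
on the diff content instead, so a fix re-applied under a different hash or 
message still counts as present. The two repositories it builds are a 
constructed toy history, not real fdk-aac commits; with real data you would 
point missing_fixes at local clones of [2] (upstream) and [6] 
(fdk-aac-stripped). It assumes git is installed.

```shell
#!/bin/sh
# Added example: list upstream commits missing from a re-committed fork.
# The repositories built by demo_repos are constructed, not real fdk-aac history.

# missing_fixes UPSTREAM_DIR FORK_DIR
# Prints "<short-hash> <subject>" for each non-merge commit reachable from
# UPSTREAM_DIR's HEAD that has no patch-equivalent commit in FORK_DIR's HEAD.
# Pass absolute paths to git checkouts.
missing_fixes() {
    upstream=$1
    fork=$2
    # Bring the fork's history into the upstream object store so a single
    # "git log" can see both sides; FETCH_HEAD then points at the fork tip.
    git -C "$upstream" fetch -q "$fork" HEAD
    # A...B with --right-only lists commits in B (upstream HEAD) not in A
    # (fork tip); --cherry-pick drops those with an identical patch-id on
    # the A side, so only genuinely missing changes remain.
    git -C "$upstream" log --cherry-pick --right-only --no-merges \
        --format='%h %s' FETCH_HEAD...HEAD
}

# count_missing UPSTREAM_DIR FORK_DIR: number of lines missing_fixes prints.
count_missing() {
    missing_fixes "$1" "$2" | wc -l | tr -d ' '
}

# write_dec FILE GUARDS RETURN_EXPR: write a tiny decoder source file; GUARDS
# is a printf %b string (may contain \n) inserted before the return statement.
write_dec() {
    printf 'int decode(const unsigned char *buf, int len) {\n%b  return %s;\n}\n' \
        "$2" "$3" > "$1"
}

# demo_repos ROOT: constructed history. "upstream" gets an initial commit plus
# three fixes; "fork" re-applies only the first two fixes as fresh commits with
# different messages, mimicking a manual sync instead of a rebase.
demo_repos() {
    root=$1
    up="$root/upstream"
    fk="$root/fork"
    G="git -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false -c init.defaultBranch=main"
    mkdir -p "$up"
    $G -C "$up" init -q
    write_dec "$up/dec.c" "" "buf[len]"
    $G -C "$up" add dec.c
    $G -C "$up" commit -q -m "initial decoder"
    write_dec "$up/dec.c" "" "len > 0 ? buf[len - 1] : -1"
    $G -C "$up" commit -q -am "Fix out-of-bounds read"
    write_dec "$up/dec.c" '  if (!buf) return -1;\n' "len > 0 ? buf[len - 1] : -1"
    $G -C "$up" commit -q -am "Reject NULL input"
    write_dec "$up/dec.c" '  if (!buf) return -1;\n  if (len < 0) return -1;\n' \
        "len > 0 ? buf[len - 1] : -1"
    $G -C "$up" commit -q -am "Reject negative length"

    # Fork: start from the initial commit, re-apply fixes 1 and 2 with new
    # hashes and messages; fix 3 is never applied.
    git clone -q "$up" "$fk"
    fix1=$($G -C "$fk" rev-parse HEAD~2)
    fix2=$($G -C "$fk" rev-parse HEAD~1)
    $G -C "$fk" reset -q --hard HEAD~3
    $G -C "$fk" cherry-pick -n "$fix1"
    $G -C "$fk" commit -q -m "sync: bounds fix from upstream"
    $G -C "$fk" cherry-pick -n "$fix2"
    $G -C "$fk" commit -q -m "sync: NULL check from upstream"
}

DEMO_ROOT=$(mktemp -d)
demo_repos "$DEMO_ROOT"
# Expected: exactly one line, the "Reject negative length" commit.
missing_fixes "$DEMO_ROOT/upstream" "$DEMO_ROOT/fork"
```

The same command with a "git log -p" in place of "--format=" shows the actual 
missing patches, which is what you would triage for sanitizer or fuzzing fixes; 
note that a fork which modified a patch while applying it (different context, 
partial backport) will still show up as missing, so the output is an upper 
bound to review, not a final verdict.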

This raises a natural question: do any of the fixes for fdk-aac close a 
security vulnerability? Unfortunately, the CVEs are buried under AOSP security 
bulletins and I found very little detail about them; below are a few, vastly 
incomplete examples that sound related to AAC:

https://nvd.nist.gov/vuln/detail/CVE-2019-9283
https://nvd.nist.gov/vuln/detail/CVE-2020-0279
https://nvd.nist.gov/vuln/detail/cve-2023-21282 (this is the best documented 
one, but it affects a part of the code that the -free version strips away)

Considering the magnitude of the fixes, it's possible that not every 
vulnerability got a CVE assigned.

I know there are many projects with an inactive upstream in the Linux 
ecosystem. What makes this one pretty unique is the fact that there's a 
constant flow of public fixes available elsewhere that are never applied, 
which may create an opportunity for a potential attacker.

On Linux, the fdk-aac(-free) library is used by several projects including 
ffmpeg, gstreamer, pipewire, obs-studio, gnome-remote-desktop, etc. Some of 
those may use it to decode remote untrusted content; for example, it's the 
default AAC codec for WebKit-based browsers. WebKit even shows a warning if 
some alternate codec is used:

> ** (WebKitWebProcess): WARNING**: The GStreamer FDK AAC plugin is missing, 
> AAC playback is unlikely to work.

Distro availability:

Among popular distros, the fdk-aac (non-free) version is available in Arch 
Linux [7] and Debian [8] (non-free repo).

fdk-aac-free is available in Fedora [9] (since 2019, no updates since then) and 
openSUSE [10] (since 2021, using the unchanged source from 2019).

Ubuntu ships a package named libfdk-aac2 [11] (in the universe repo) which 
supposedly uses fdk-aac-free synced to 2.0.2 as its source [12].
In 2022 an Ubuntu packager proposed adding fdk-aac-free to the Ubuntu main 
repository [13]. The security review that followed in 2024 was rather strongly 
negative [14]:

>The upstream chain for fdk-aac-free is precarious.
>
>The Debian package fdk-aac-free watches 
>https://gitlab.freedesktop.org/wtaymans/fdk-aac-stripped/ This version 
>specifically removes the HE (High Efficiency) and HEv2 profiles which have 
>patent concerns (see README.fedora).
>
>This version does not regularly sync from upstream: 
>https://sourceforge.net/projects/opencore-amr/ Note that 
>https://github.com/mstorsjo/fdk-aac is a downstream of Fraunhofer's code 
>distributed on https://android.googlesource.com/platform/external/aac
>
>Jorge has reported a potential vulnerability to 
>https://github.com/mstorsjo/fdk-aac/issues/167 and to Android's VRP. Android 
>responded saying that they require a PoC and directed Jorge to 
>https://bughunters.google.com/learn/invalid-reports/android-platform/5148417640366080/bugs-with-negligible-security-impact#unreachable-bugs
>
>fdk-aac-free is not being maintained by syncing with upstream which may 
>contain security patches. Reporting issues about fdk-aac has so far been 
>fruitless.

Shortly afterwards it was rejected as abandonware [15]:

>We have not been able to contact anyone 'upstream' who cares about this code. 
>From our perspective, this is basically abandonware. It doesn't feel like 
>this meets our quality expectations for inclusion in Ubuntu Main.
>
>If we find an upstream maintainer willing to discuss and answer questions, we 
>can revisit this in the future. But maintaining this entirely on our own is 
>too much risk for too little benefit.
>
>Security team NACK for promoting the fdk-aac-free package to main.

Debian rejected the fdk-aac-free package at very much the same time [16]. It's 
not clear whether there was a separate security review process or whether it 
was coordinated with Ubuntu.

Freedesktop-sdk (the flatpak runtime) removed this library a few months ago 
[17], citing similar reasons to Ubuntu:

>This fork is unmaintained since 2019 and misses many hundreds of
>upstream fixes. Historically it was shipped in runtime to enable
>patent-free aac codec functionality but after introducing codecs-extra
>extension and dropping openh264, codec patents are no longer a
>problem. Any aac support should be provided in codecs-extra
>extension.

Conclusion:

As presented above, the fdk-aac-free library, available in Linux distros and 
used by popular software like browsers and media players, is de facto 
abandonware, missing a vast amount of publicly available fixes. Moreover AOSP, 
which is the ultimate and only place to report security issues, may according 
to its policy [18] require a PoC that works on Android:

> Be especially careful if you're building a Proof of Concept (PoC) that links 
> to a library and calls functions directly, if those functions would not be 
> callable directly when using normal Android APIs.

Potential issues that could affect the Linux library but not Android may be 
rejected as invalid.

Considering the above, I wanted to ask, especially the Fedora and openSUSE 
security teams, whether they did a security review of the fdk-aac-free library 
before or after it was added to the repos and whether they reached different 
conclusions about it than Ubuntu/Debian. I also ask whether they provide 
security support for this package.

Thank you

Jordan

[1] https://android.googlesource.com/platform/external/aac/
[2] https://github.com/mstorsjo/fdk-aac
[3] https://fedoraproject.org/wiki/Licensing/FDK-AAC
[4] https://cgit.freedesktop.org/~wtay/fdk-aac/log/?h=stripped4
[5] https://github.com/mstorsjo/fdk-aac/compare/v2.0.0...v2.0.3
[6] https://gitlab.freedesktop.org/wtaymans/fdk-aac-stripped/-/merge_requests/1
[7] https://archlinux.org/packages/extra/x86_64/libfdk-aac/
[8] https://tracker.debian.org/pkg/fdk-aac
[9] https://src.fedoraproject.org/rpms/fdk-aac-free/tree/rawhide
[10] https://build.opensuse.org/package/show/multimedia:libs/fdk-aac-free
[11] https://packages.ubuntu.com/questing/libfdk-aac2
[12] https://git.launchpad.net/ubuntu/+source/fdk-aac-free/
[13] https://bugs.launchpad.net/ubuntu/+source/fdk-aac-free/+bug/1977614
[14] https://bugs.launchpad.net/ubuntu/+source/fdk-aac-free/+bug/1977614/comments/13
[15] https://bugs.launchpad.net/ubuntu/+source/fdk-aac-free/+bug/1977614/comments/17
[16] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981285#79
[17] https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/commit/eb5f79dd1430d6f47394766509bfd0335345bb45
[18] https://bughunters.google.com/learn/invalid-reports/android-platform/5148417640366080/bugs-with-negligible-security-impact#unreachable-bugs