On 8/14/25 04:56, Martin Storsjö wrote:
> Hi,
>
> On Thu, 14 Aug 2025, Sam James wrote:
>
>> Jordan Glover <[email protected]> writes:
>>
>>> This post presents a question about the (in)security of the fdk-aac-free
>>> library packaged by several linux distros. I hope someone on the list
>>> finds it worth reading.
>>
>> I think we should include Martin in this conversation. (I've not snipped
>> the email for his benefit.)
>
> Thanks for looping me in! I have a couple of clarifications on some
> details here.
>
>>> Since 2019 the linux port of fdk-aac was gradually synced with the aosp
>>> source. Current version is at 2.0.3. The diff between 2.0.0 and 2.0.3
>>> [5] is more than 1.5k commits,
>
> FWIW, if just counting commits, those commit numbers will be _vastly_
> inflated, due to how Android does its development - the majority of those
> commits are just merges between different branches.
>
> $ git log --oneline v2.0.0..v2.0.3 | wc -l
> 1694
> $ git log --no-merges --oneline v2.0.0..v2.0.3 | wc -l
> 369
>
> So the true number of non-merge commits between those versions is closer
> to 369, not 1.5k. In addition, some of those fixes are the same fix,
> cherrypicked in different branches.
>
> A rough deduplication gets the number down to 300.
>
> $ git log --no-merges --oneline v2.0.0..v2.0.3 | sed s/^........// | sort |
> uniq | wc -l
> 300
>
> That's of course not saying that it's insignificant, but it's a bit less
> than initially counted.
>
> Then unfortunately, some of those upstream AOSP commits also are batched
> updates from another Fraunhofer internal repo, where the commit just says
> "update to newer version" or similar, see e.g. [1] and [2].
>
>>> including many bugfixes found by fuzzing and sanitizers.
>
> Indeed; a couple of years ago there was a lot of activity around fuzzing.
> I got a couple dozen fuzzed samples from oss-fuzz as well, which I've
> tried to fix to the best of my capability (sometimes by corresponding with
> Fraunhofer on what the best fix is). In many cases, the same bugs have
> also been fixed in a better permanent way upstream in AOSP later, reducing
> my diff between my fork and AOSP.
>
>>> The fact it wasn't simply rebased with -free patches on top makes it
>>> arguably harder to compare -free and non-free versions and requires
>>> extra effort to do so. The alternative is to trust the competence and
>>> goodwill of the contributor. The diff between 2.0.2 and 2.0.3 is
>>> slightly over 900 commits.
>
> FWIW, regarding development flow, within the main fdk-aac repo, I maintain
> it by doing my own fixes on the regular branches, then semi-regularly
> merging AOSP main into my branch. Separately, I maintain a rebased branch
> with incremental patches on top of AOSP main [3], which recreates the same
> exact state of the master branch at the same time [4] - this branch
> currently weighs in at 25 commits.
>
>>> This raises a natural question - does any of the fixes for fdk-aac
>>> close a security vulnerability?
>
> Unfortunately I don't have any further insight into this.
>
>>> Among popular distros, the fdk-aac (non-free) version is available in
>>> Arch Linux [7] and Debian [8] (non-free repo).
>
> FWIW, personally I've always been surprised to see fdk-aac packaged in
> distros at all (-free form or not). The project license is hard to
> interpret and contains extra restrictions, which projects such as ffmpeg
> have interpreted as GPL/LGPL incompatible. But apparently some distros
> have interpreted it as free enough for them.
>
>>>> This version does not regularly sync from upstream:
>>>> https://sourceforge.net/projects/opencore-amr/ Note that
>>>> https://github.com/mstorsjo/fdk-aac is a downstream of Fraunhofer's
>>>> code distributed on
>>>> https://android.googlesource.com/platform/external/aac
>
> FWIW, this sentence feels a bit unclear. Both the sourceforge and github
> repos are downstreams of the AOSP repo. Both those repos contain exactly
> the same things; the sourceforge repo is the official front of the
> project, while the github one is where I keep more in-development branches
> and such.
>
>>>> Jorge has reported a potential vulnerability to
>>>> https://github.com/mstorsjo/fdk-aac/issues/167 and to Android's
>>>> VRP. Android responded saying that they require a PoC and directed
>>>> Jorge to
>>>> https://bughunters.google.com/learn/invalid-reports/android-platform/5148417640366080/bugs-with-negligible-security-impact#unreachable-bugs
>
> FWIW, regarding that vulnerability - as stated there, I'm not familiar
> with the internals of the code to the level of being able to deal with a
> potential bug - but if there's a sample reproducer actually triggering it
> (like produced by fuzzers) I would definitely produce a fix for it in one
> form or another.
>
>>> As presented above, the fdk-aac-free library, available in linux
>>> distros and used by popular software like browsers or media players, is
>>> de facto abandonware, missing a vast amount of publicly available
>>> fixes.
>
> I don't disagree with this part.
>
> // Martin
>
> [1] https://github.com/mstorsjo/fdk-aac/commit/9ab67882eca7454dc001e158bc1e6e2219d6650b
> [2] https://github.com/mstorsjo/fdk-aac/commit/6cfabd35363c3ef5e3b209b867169a500b3ccc3c
> [3] https://github.com/mstorsjo/fdk-aac/commits/upstream-patched
> [4] https://github.com/mstorsjo/fdk-aac/compare/upstream-patched..master

What is your recommendation to distro maintainers?

My understanding is that the full codec is included in the flathub runtimes, but I am not sure.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)