[Bug 1977614] Re: [MIR] fdk-aac-free
It's on the security team's todo list to try to bring issues discovered during the MIR to the attention of the Fraunhofer team. Hopefully they'll be more receptive than the Android team.

It sounds like there are open questions if this is actually useful for us; is the version without the efficiency codecs actually solving a problem?

Thanks

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1977614

Title: [MIR] fdk-aac-free

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/fdk-aac-free/+bug/1977614/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1977614] Re: [MIR] fdk-aac-free
** Changed in: fdk-aac-free (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => Jeremy Bícha (jbicha)

** Changed in: fdk-aac-free (Ubuntu)
Status: Confirmed => Incomplete

[Bug 1977614] Re: [MIR] fdk-aac-free
The upstream chain for fdk-aac-free is precarious.

The Debian package fdk-aac-free watches https://gitlab.freedesktop.org/wtaymans/fdk-aac-stripped/

This version specifically removes the HE (High Efficiency) and HEv2 profiles which have patent concerns (see README.fedora). This version does not regularly sync from upstream: https://sourceforge.net/projects/opencore-amr/

Note that https://github.com/mstorsjo/fdk-aac is a downstream of Fraunhofer's code distributed on https://android.googlesource.com/platform/external/aac

Jorge has reported a potential vulnerability to https://github.com/mstorsjo/fdk-aac/issues/167 and to Android's VRP. Android responded saying that they require a PoC and directed Jorge to https://bughunters.google.com/learn/invalid-reports/android-platform/5148417640366080/bugs-with-negligible-security-impact#unreachable-bugs

fdk-aac-free is not being maintained by syncing with upstream which may contain security patches. Reporting issues about fdk-aac has so far been fruitless.

Security could conclude our MIR now, but I suggest that fdk-aac-free is reviewed next cycle if the owning team plans to work with fdk-aac-free. Note that Fedora is also invested in fdk-aac-free and may share concerns if made aware.

Side note: iiuc, the advantage of fdk-aac is that it works well on low resource systems, like cell phones and possibly for remote desktop. This advantage may not exist if HE profiles are stripped. If that is the case, there are aac alternatives.

** Bug watch added: github.com/mstorsjo/fdk-aac/issues #167
https://github.com/mstorsjo/fdk-aac/issues/167

[Bug 1977614] Re: [MIR] fdk-aac-free
Mark and Jorge,

I reached out to Fedora to ask them to update but I don't expect action will happen soon enough for our needs.

The Ubuntu Desktop team can likely rebase fdk-aac-free to 2.0.3 but we don't have time to do it this week.