I noticed that CVE-2025-14369 has appeared on the UDD dashboard for
libsdl2-mixer. That's a vulnerability in dr_flac, a small FLAC decoder
designed to be vendored. The source code included in src:libsdl2-mixer
is vulnerable, but in Debian we compile src:libsdl2-mixer with that
codec disabled (--enable-music-flac-libflac --disable-music-flac-drflac)
so our binaries shouldn't be affected by this vulnerability.
Similarly, libsdl3-mixer (currently only in experimental because its
API/ABI haven't been declared stable yet) is configured to use libflac
and not dr_flac.
In general I've tried to configure SDL's "satellite" libraries to use
the de-facto-standard implementations of common formats, which would
need to be security-supported regardless (libpng, libogg and so on),
rather than minimal/vendorable/overly-concise implementations. For SDL3
I've also tended to err on the side of disabling formats that seem to be
of dubious usefulness: if we initially disable a format but we later
find that a game needs it, we can enable it later without breaking
backward compatibility, but if we had initially enabled a format out of
a sense of completeness, it would be an incompatible change to disable
it later.
smcv
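As an added example (mine, not from the mail above or from the Debian packaging), a small POSIX shell check of the point made in the message: libFLAC shows up as a linked dependency of the built SDL_mixer shared object, whereas dr_flac is compiled in and leaves no such trace. The function names and the sample `ldd` output are constructed for illustration.

```shell
#!/bin/sh
# Classify the FLAC backend of a built SDL_mixer shared object from `ldd` output.
# dr_flac is a single-header decoder compiled into the library, so it never
# appears as a NEEDED entry; libFLAC does. Hence:
#   libFLAC.so present  => libflac backend
#   libFLAC.so absent   => dr_flac, or FLAC support disabled entirely
# Caveat: the two "absent" cases cannot be told apart from ldd alone, and a
# build that dlopen()s libFLAC at runtime instead of linking it would also
# show no NEEDED entry.

# flac_backend_from_ldd: read ldd output on stdin, print the classification.
flac_backend_from_ldd() {
    if grep -q 'libFLAC\.so'; then
        echo libflac
    else
        echo drflac-or-disabled
    fi
}

# flac_backend_of_file: run ldd on a real shared object and classify it.
flac_backend_of_file() {
    ldd "$1" | flac_backend_from_ldd
}

# Constructed sample ldd output (not captured from a real system), used for a
# self-check when no library path is given on the command line.
SAMPLE_LIBFLAC='	linux-vdso.so.1 (0x00007f0000001000)
	libFLAC.so.12 => /lib/x86_64-linux-gnu/libFLAC.so.12 (0x00007f0000002000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000003000)'
SAMPLE_NOFLAC='	linux-vdso.so.1 (0x00007f0000001000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000003000)'

if [ "$#" -ge 1 ]; then
    # Usage: sh check_flac_backend.sh /usr/lib/x86_64-linux-gnu/libSDL2_mixer-2.0.so.0
    flac_backend_of_file "$1"
else
    printf '%s\n' "$SAMPLE_LIBFLAC" | flac_backend_from_ldd
    printf '%s\n' "$SAMPLE_NOFLAC" | flac_backend_from_ldd
fi
```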