Hi Simon,

On Sun, Jan 25, 2026 at 02:28:26PM +0000, Simon McVittie wrote:
> I noticed that CVE-2025-14369 has appeared on the UDD dashboard for
> libsdl2-mixer. That's a vulnerability in dr_flac, a small FLAC decoder
> designed to be vendored. The source code included in src:libsdl2-mixer is
> vulnerable, but in Debian we compile src:libsdl2-mixer with that codec
> disabled (--enable-music-flac-libflac --disable-music-flac-drflac) so our
> binaries shouldn't be affected by this vulnerability.
>
> Similarly, libsdl3-mixer (currently only in experimental because its API/ABI
> haven't been declared stable yet) is configured to use libflac and not
> dr_flac.
>
> In general I've tried to configure SDL's "satellite" libraries to use the
> de-facto-standard implementations of common formats, which would need to be
> security-supported regardless (libpng, libogg and so on), rather than
> minimal/vendorable/overly-concise implementations. For SDL3 I've also tended
> to err on the side of disabling formats that seem to be of dubious
> usefulness: if we initially disable a format but we later find that a game
> needs it, we can enable it later without breaking backward compatibility,
> but if we had initially enabled a format out of a sense of completeness, it
> would be an incompatible change to disable it later.
Thanks for reaching out! I have updated the metadata on that CVE for libsdl2-mixer and added some notes following the above.

Regards,
Salvatore
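The claim above rests on a build-time configuration choice (libFLAC in, dr_flac out), which is worth confirming on the shipped binary rather than on the source tree. The script below is an added example, not part of this thread or of the Debian packaging: it classifies a shared library's FLAC backend from the text of `readelf -d` (a DT_NEEDED entry for libFLAC) and `nm -D` (any `drflac_` symbol). It assumes libFLAC is linked directly rather than loaded with dlopen, and that a dr_flac build leaves at least one `drflac_` symbol visible; the sample tool output at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify the FLAC decoder compiled into
# an SDL_mixer shared library as "libflac", "drflac", "both" or "none".
#
# Assumptions (not stated in the thread):
#  - libFLAC is linked directly, so it appears as a DT_NEEDED entry;
#  - a build with the vendored dr_flac exposes at least one drflac_* symbol.

# flac_backend NEEDED_TEXT SYMBOL_TEXT
#   NEEDED_TEXT: output of `readelf -d <lib>`
#   SYMBOL_TEXT: output of `nm -D <lib>`
# Prints the classification on stdout.
flac_backend() {
    needed_text="$1"
    symbol_text="$2"
    has_libflac=0
    has_drflac=0
    # A DT_NEEDED entry for libFLAC means the system decoder is in use.
    if printf '%s\n' "$needed_text" | grep -q 'NEEDED.*libFLAC\.so'; then
        has_libflac=1
    fi
    # Any drflac_* symbol means the vendored decoder was compiled in.
    if printf '%s\n' "$symbol_text" | grep -q 'drflac_'; then
        has_drflac=1
    fi
    case "$has_libflac$has_drflac" in
        10) echo libflac ;;
        01) echo drflac ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# check_mixer_flac_backend PATH_TO_LIB
#   Runs the real tools (binutils required) and succeeds only when the library
#   uses libFLAC and nothing from dr_flac, i.e. the configuration the thread
#   describes for Debian's libsdl2-mixer.
check_mixer_flac_backend() {
    lib="$1"
    result=$(flac_backend "$(readelf -d "$lib" 2>/dev/null)" \
                          "$(nm -D "$lib" 2>/dev/null)")
    echo "$lib: FLAC backend = $result"
    [ "$result" = libflac ]
}

# Constructed sample output, standing in for a real readelf/nm run.
SAMPLE_NEEDED=' 0x0000000000000001 (NEEDED)             Shared library: [libFLAC.so.12]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
SAMPLE_SYMS='0000000000012340 T Mix_LoadMUS
                 U FLAC__stream_decoder_new'

echo "constructed sample: FLAC backend = $(flac_backend "$SAMPLE_NEEDED" "$SAMPLE_SYMS")"
```

To check a real package, run `check_mixer_flac_backend /usr/lib/x86_64-linux-gnu/libSDL2_mixer-2.0.so.0` (path assumed; use the one from `dpkg -L libsdl2-mixer-2.0-0`). The DT_NEEDED test is the stronger signal: dr_flac is a single-header decoder, so a stripped build may leave no `drflac_` symbol in the dynamic table even when it is compiled in, and the absence of libFLAC would then be the only visible hint.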
