[pulseaudio-discuss] libsndfile CVE-2014-9496

Arun Raghavan arun at accosted.net
Wed Jan 21 19:48:12 PST 2015


On 22 January 2015 at 08:12, Michael DePaulo <mikedep333 at gmail.com> wrote:
> Hi PulseAudio devs,
>
> Can someone tell me whether PulseAudio can actually be affected by the
> libsndfile vulnerability CVE-2014-9496?
> https://bugs.mageia.org/show_bug.cgi?id=14961
>
> "It looks like the affected code is in reading SD2 (Sound Designer II)
> files and writing AIFF files".
>
> I am thinking the answer is "no".
>
> Currently I am maintaining both X2Go Client for Windows[1] and my
> unofficial PulseAudio builds for Windows[2][3]. X2Go Client for
> Windows bundles the PulseAudio builds. So I am trying to figure out
> whether I urgently need to update them with the patched libsndfile
> .DLL.

The PulseAudio server may be impacted by the read part of the CVE --
if module-cli is usable on Windows, then 'pacmd load-sample
<filename>', 'pacmd play-sample <filename>' and related commands will
use libsndfile to read the given file.

The pacat/paplay/parec utility can be used to read or write files
using libsndfile as well.

-- Arun

