[pulseaudio-discuss] libsndfile CVE-2014-9496

Michael DePaulo mikedep333 at gmail.com
Wed Jan 21 20:03:39 PST 2015

On Wed, Jan 21, 2015 at 10:48 PM, Arun Raghavan <arun at accosted.net> wrote:
> On 22 January 2015 at 08:12, Michael DePaulo <mikedep333 at gmail.com> wrote:
>> Hi PulseAudio devs,
>> Can someone tell me whether PulseAudio can actually be affected by the
>> libsndfile vulnerability CVE-2014-9496?
>> https://bugs.mageia.org/show_bug.cgi?id=14961
>> "It looks like the affected code is in reading SD2 (Sound Designer II)
>> files and writing AIFF files".
>> I am thinking the answer is "no".
>> Currently I am maintaining both X2Go Client for Windows[1] and my
>> unofficial PulseAudio builds for Windows[2][3]. X2Go Client for
>> Windows bundles the PulseAudio builds. So I am trying to figure out
>> whether I urgently need to update them with the patched libsndfile
>> .DLL.
> The PulseAudio server may be impacted by the read part of the CVE --
> if module-cli is usable on Windows, then 'pacmd load-sample
> <filename>', 'pacmd play-sample <filename>' and related commands will
> use libsndfile to read the given file.
> The pacat/paplay/parec utility can be used to read or write files
> using libsndfile as well.
> -- Arun


I applied the patch (actually, there's 2 .patch files) and submitted a
pull request for mingw32-libsndfile:


More information about the pulseaudio-discuss mailing list