On 22 January 2015 at 08:12, Michael DePaulo <mikedep333 at gmail.com> wrote:
> Hi PulseAudio devs,
>
> Can someone tell me whether PulseAudio can actually be affected by the
> libsndfile vulnerability CVE-2014-9496?
> https://bugs.mageia.org/show_bug.cgi?id=14961
>
> "It looks like the affected code is in reading SD2 (Sound Designer II)
> files and writing AIFF files".
>
> I am thinking the answer is "no".
>
> Currently I am maintaining both X2Go Client for Windows[1] and my
> unofficial PulseAudio builds for Windows[2][3]. X2Go Client for
> Windows bundles the PulseAudio builds. So I am trying to figure out
> whether I urgently need to update them with the patched libsndfile
> .DLL.

The PulseAudio server may be impacted by the read part of the CVE -- if module-cli is usable on Windows, then 'pacmd load-sample <filename>', 'pacmd play-sample <filename>' and related commands will use libsndfile to read the given file.

The pacat/paplay/parec utility can be used to read or write files using libsndfile as well.

-- Arun