On Wed, Jan 21, 2015 at 10:48 PM, Arun Raghavan <arun at accosted.net> wrote:
> On 22 January 2015 at 08:12, Michael DePaulo <mikedep333 at gmail.com> wrote:
>> Hi PulseAudio devs,
>>
>> Can someone tell me whether PulseAudio can actually be affected by the
>> libsndfile vulnerability CVE-2014-9496?
>> https://bugs.mageia.org/show_bug.cgi?id=14961
>>
>> "It looks like the affected code is in reading SD2 (Sound Designer II)
>> files and writing AIFF files".
>>
>> I am thinking the answer is "no".
>>
>> Currently I am maintaining both X2Go Client for Windows[1] and my
>> unofficial PulseAudio builds for Windows[2][3]. X2Go Client for
>> Windows bundles the PulseAudio builds. So I am trying to figure out
>> whether I urgently need to update them with the patched libsndfile
>> .DLL.
>
> The PulseAudio server may be impacted by the read part of the CVE --
> if module-cli is usable on Windows, then 'pacmd load-sample
> <filename>', 'pacmd play-sample <filename>' and related commands will
> use libsndfile to read the given file.
>
> The pacat/paplay/parec utility can be used to read or write files
> using libsndfile as well.
>
> -- Arun

Thanks, I applied the patch (actually, there's 2 .patch files) and
submitted a pull request for mingw32-libsndfile:
https://build.opensuse.org/package/show/home:mikedep333:branches:windows:mingw:win32/mingw32-libsndfile

-Mike