UbuntuUpdates.org

Package "pipewire-alsa"

Name: pipewire-alsa

Description:

PipeWire ALSA plugin, for ALSA applications to output via PipeWire

Latest version: 1.6.2-1ubuntu1.1
Release: resolute (26.04)
Level: updates
Repository: main
Head package: pipewire
Homepage: https://pipewire.org/

Links


Download "pipewire-alsa"


Other versions of "pipewire-alsa" in Resolute

Repository Area Version
base main 1.6.2-1ubuntu1
security main 1.6.2-1ubuntu1.1

Changelog

Version: 1.6.2-1ubuntu1.1 2026-07-13 22:09:41 UTC

  pipewire (1.6.2-1ubuntu1.1) resolute-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference in RAOP module.
    - debian/patches/CVE-2026-14324.patch: limit RTSP content-length and
      check allocation in src/modules/module-raop/rtsp-client.c
    - CVE-2026-14324
  * SECURITY UPDATE: Denial of service in Pulse module.
    - debian/patches/CVE-2026-14330-pre1.patch: Add a MAX_ALLOCA_SIZE limit
      and check element counts before each alloca() call in
      src/modules/module-protocol-pulse/pulse-server.c
    - debian/patches/CVE-2026-14330.patch: Make a function like alloca but
      with overflow checks and a max allocation size in
      spa/include/spa/utils/defs.h, spa/plugins/audioconvert/audioadapter.c,
      src/modules/module-protocol-pulse/defs.h,
      src/modules/module-protocol-pulse/message.c,
      src/modules/module-protocol-pulse/pulse-server.c,
      src/pipewire/buffers.c, and src/pipewire/impl-node.c
    - CVE-2026-14330

 -- Kyle Kernick <email address hidden> Tue, 07 Jul 2026 16:03:15 -0600

CVE-2026-14324 RAOP module accepts unbounded Content-Length values and does not check the pw_array_add() return.
CVE-2026-14330 Multiple unbounded alloca() calls in the PulseAudio protocol server.



About   -   Send Feedback to @ubuntu_updates