diff -u pulseaudio-0.9.5/debian/changelog pulseaudio-0.9.5/debian/changelog
--- pulseaudio-0.9.5/debian/changelog
+++ pulseaudio-0.9.5/debian/changelog
@@ -1,3 +1,11 @@
+pulseaudio (0.9.5-5ubuntu4.1) feisty-security; urgency=low
+
+ * SECURITY UPDATE: Denial of service (daemon crash).
+ * 10_fix_DoS_vulns.dpatch: extracted from upstream changes
+ (CVE-2007-1804)
+
+ -- Daniel T Chen Fri, 25 May 2007 02:18:16 -0400
+
 pulseaudio (0.9.5-5ubuntu4) feisty; urgency=low

 * add 09_fix_esd_max_samplesize.dpatch to make sure the login and logout
diff -u pulseaudio-0.9.5/debian/patches/00list pulseaudio-0.9.5/debian/patches/00list
--- pulseaudio-0.9.5/debian/patches/00list
+++ pulseaudio-0.9.5/debian/patches/00list
@@ -8,0 +9 @@
+10_fix_DoS_vulns.dpatch
--- pulseaudio-0.9.5.orig/debian/patches/10_fix_DoS_vulns.dpatch
+++ pulseaudio-0.9.5/debian/patches/10_fix_DoS_vulns.dpatch
@@ -0,0 +1,95 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10_fix_DoS_vulns.dpatch by Daniel T Chen
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Include fixes for potential DoS vuln from
+## DP: http://pulseaudio.org/ticket/67
+
+@DPATCH@
+diff -urNad pulseaudio-0.9.5-7ubuntu1~/src/modules/module-volume-restore.c pulseaudio-0.9.5-7ubuntu1/src/modules/module-volume-restore.c
+--- pulseaudio-0.9.5-7ubuntu1~/src/modules/module-volume-restore.c 2007-05-08 06:39:31.000000000 -0400
++++ pulseaudio-0.9.5-7ubuntu1/src/modules/module-volume-restore.c 2007-05-25 01:22:16.000000000 -0400
+@@ -435,6 +435,7 @@
+ u->modified = 0;
+
+ m->userdata = u;
++ u->sink_input_hook_slot = u->source_output_hook_slot = NULL;
+
+ if (load_rules(u) < 0)
+ goto fail;
+diff -urNad pulseaudio-0.9.5-7ubuntu1~/src/modules/rtp/sap.c pulseaudio-0.9.5-7ubuntu1/src/modules/rtp/sap.c
+--- pulseaudio-0.9.5-7ubuntu1~/src/modules/rtp/sap.c 2007-05-08 06:39:32.000000000 -0400
++++ pulseaudio-0.9.5-7ubuntu1/src/modules/rtp/sap.c 2007-05-25 01:22:29.000000000 -0400
+@@ -142,9 +142,6 @@
+ goto fail;
+ }
+
+- if (!size)
+- return 0;
+-
+ buf = pa_xnew(char, size+1);
+ buf[size] = 0;
+
+diff -urNad pulseaudio-0.9.5-7ubuntu1~/src/pulsecore/protocol-native.c pulseaudio-0.9.5-7ubuntu1/src/pulsecore/protocol-native.c
+--- pulseaudio-0.9.5-7ubuntu1~/src/pulsecore/protocol-native.c 2007-05-08 06:39:33.000000000 -0400
++++ pulseaudio-0.9.5-7ubuntu1/src/pulsecore/protocol-native.c 2007-05-25 01:19:40.000000000 -0400
+@@ -760,7 +760,8 @@
+ CHECK_VALIDITY(c->pstream, pa_cvolume_valid(&volume), tag, PA_ERR_INVALID);
+ CHECK_VALIDITY(c->pstream, map.channels == ss.channels && volume.channels == ss.channels, tag, PA_ERR_INVALID);
+ CHECK_VALIDITY(c->pstream, maxlength > 0 && maxlength <= MAX_MEMBLOCKQ_LENGTH, tag, PA_ERR_INVALID);
+-
++ CHECK_VALIDITY(c->pstream, maxlength >= pa_frame_size(&ss), tag, PA_ERR_INVALID);
++
+ if (sink_index != PA_INVALID_INDEX) {
+ sink = 
pa_idxset_get_by_index(c->protocol->core->sinks, sink_index);
+ CHECK_VALIDITY(c->pstream, sink, tag, PA_ERR_NOENTITY);
+diff -urNad pulseaudio-0.9.5-7ubuntu1~/src/pulsecore/pstream.c pulseaudio-0.9.5-7ubuntu1/src/pulsecore/pstream.c
+--- pulseaudio-0.9.5-7ubuntu1~/src/pulsecore/pstream.c 2007-05-08 06:39:33.000000000 -0400
++++ pulseaudio-0.9.5-7ubuntu1/src/pulsecore/pstream.c 2007-05-25 01:18:45.000000000 -0400
+@@ -585,7 +585,7 @@
+
+ flags = ntohl(p->read.descriptor[PA_PSTREAM_DESCRIPTOR_FLAGS]);
+
+- if (!p->import && (flags & PA_FLAG_SHMMASK) != 0) {
++ if (!p->use_shm && (flags & PA_FLAG_SHMMASK) != 0) {
+ pa_log_warn("Recieved SHM frame on a socket where SHM is disabled.");
+ return -1;
+ }
+@@ -615,7 +615,7 @@
+
+ length = ntohl(p->read.descriptor[PA_PSTREAM_DESCRIPTOR_LENGTH]);
+
+- if (length > FRAME_SIZE_MAX_ALLOW) {
++ if (length > FRAME_SIZE_MAX_ALLOW || length <= 0) {
+ pa_log_warn("Recieved invalid frame size : %lu", (unsigned long) length);
+ return -1;
+ }
+diff -urNad pulseaudio-0.9.5-7ubuntu1~/src/pulsecore/sample-util.c pulseaudio-0.9.5-7ubuntu1/src/pulsecore/sample-util.c
+--- pulseaudio-0.9.5-7ubuntu1~/src/pulsecore/sample-util.c 2007-05-25 01:15:11.000000000 -0400
++++ pulseaudio-0.9.5-7ubuntu1/src/pulsecore/sample-util.c 2007-05-25 01:20:30.000000000 -0400
+@@ -35,13 +35,25 @@
+ #include "sample-util.h"
+ #include "endianmacros.h"
+
++#define PA_SILENCE_MAX (1024*1024*1)
++
+ pa_memblock *pa_silence_memblock_new(pa_mempool *pool, const pa_sample_spec *spec, size_t length) {
++ size_t fs;
+ assert(pool);
+ assert(spec);
+
+ if (length == 0)
+ length = pa_bytes_per_second(spec)/20; /* 50 ms */
+
++ if (length > PA_SILENCE_MAX)
++ length = PA_SILENCE_MAX;
++
++ fs = pa_frame_size(spec);
++ length = ((PA_SILENCE_MAX+fs-1) / fs) * fs;
++
++ if (length <= 0)
++ length = fs;
++
+ return pa_silence_memblock(pa_memblock_new(pool, length), spec);
+ }
+
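Review bot: In the sample-util.c section of the embedded patch, `length = ((PA_SILENCE_MAX+fs-1) / fs) * fs;` rounds the constant instead of the variable, so pa_silence_memblock_new() discards both the caller's length and the 50 ms default and requests roughly 1 MiB from pa_memblock_new() on every call. The clamp just above it therefore has no effect, and a fix meant to bound allocations turns every silence block into a maximum-size one. The rounding should be applied to the clamped value, `length = ((length+fs-1) / fs) * fs;`, which also gives the zero guard that follows something to catch. Because length is a size_t, `if (length <= 0)` can only ever mean `== 0`; the new `length <= 0` test in the second pstream.c hunk reads the same way if that variable is unsigned, as the `(unsigned long)` cast in the log call suggests, so `== 0` would state the intent in both places.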