diff --git a/pkgs/servers/pulseaudio/default.nix b/pkgs/servers/pulseaudio/default.nix
index 0665222a9e0..2c6f6c10493 100644
--- a/pkgs/servers/pulseaudio/default.nix
+++ b/pkgs/servers/pulseaudio/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, gnum4, gdbm, libtool, glib, dbus, avahi
+{ stdenv, fetchurl, fetchpatch, pkgconfig, gnum4, gdbm, libtool, glib, dbus, avahi
 , gconf, gtk, intltool, gettext, alsaLib, libsamplerate, libsndfile, speex
 , bluez, sbc, udev, libcap, json_c
 , jackaudioSupport ? false, jack2 ? null
@@ -15,6 +15,13 @@ stdenv.mkDerivation rec {
     sha256 = "0fgrr8v7yfh0byhzdv4c87v9lkj8g7gpjm8r9xrbvpa92a5kmhcr";
   };
 
+  patches = [(fetchpatch {
+    name = "CVE-2014-3970.patch";
+    url = "http://cgit.freedesktop.org/pulseaudio/pulseaudio/patch/"
+      + "?id=26b9d22dd24c17eb118d0205bf7b02b75d435e3c";
+    sha256 = "13vxp6520djgfrfxkzy5qvabl94sga3yl5pj93xawbkgwzqymdyq";
+  })];
+
   # Since `libpulse*.la' contain `-lgdbm' and `-lcap', it must be propagated.
   propagatedBuildInputs
     = [ gdbm ] ++ stdenv.lib.optionals stdenv.isLinux [ libcap ];