
Bug 622910

Summary: <media-libs/libmtp-1.1.13: multiple vulnerabilities in ptp* camlib
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: sound
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa cve]
Package list: media-libs/libmtp-1.1.13
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 623634

Description Agostino Sarubbo gentoo-dev 2017-06-28 13:07:51 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1465040:

An integer overflow vulnerability in ptp-pack.c (ptp_unpack_OPL function) of libmtp (version 1.1.12 and below) allows attackers to cause a denial of service (out-of-bounds memory access) or maybe remote code execution by inserting a mobile device into a personal computer through a USB cable.

Upstream bug report:

https://sourceforge.net/p/libmtp/mailman/message/35727918/



From https://bugzilla.redhat.com/show_bug.cgi?id=1465038:

An integer overflow vulnerability in the ptp_unpack_EOS_CustomFuncEx function of the ptp-pack.c file of libmtp (version 1.1.12 and below) allows attackers to cause a denial of service (out-of-bounds memory access) or maybe remote code execution by inserting a mobile device into a personal computer through a USB cable.

Upstream bug report:

https://sourceforge.net/p/libmtp/mailman/message/35727918/


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
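Both Red Hat summaries quoted above describe the same bug class: a PTP unpacker takes an element count or length from a device-supplied buffer, computes how many bytes it needs in 32-bit arithmetic, and the multiplication wraps, so a bounds check that looks correct accepts a count far larger than the payload and the element loop reads past the buffer. The following is an added example written for this page, not code from libmtp or from the reporters; the simplified array format, the function names and the byte strings are constructed for illustration and do not reproduce the actual ptp_unpack_OPL or ptp_unpack_EOS_CustomFuncEx logic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example (not libmtp's code): PTP-style arrays are a
 * little-endian uint32 element count followed by the elements.  Both the
 * count and the payload length `len` come from the USB device, so the
 * unpacker must bound the count by the bytes actually received. */

#define MAX_ELEMS 64          /* hypothetical caller-side capacity */

typedef struct {
    uint32_t count;           /* elements actually decoded */
    uint32_t values[MAX_ELEMS];
} ptp_u32_array;

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The overflowing pattern: "needed = 4 + count*4 <= len" computed in 32
 * bits.  For count >= 0x40000000 the product wraps, the check passes, and a
 * loop that then walks `count` elements reads far beyond `data`.  This
 * helper only reports whether the broken check would accept the payload;
 * it deliberately does not perform the out-of-bounds walk. */
int naive_check_accepts(const uint8_t *data, size_t len) {
    if (len < 4) return 0;
    uint32_t count  = get_le32(data);
    uint32_t needed = 4 + count * 4;      /* wraps modulo 2^32 */
    return needed <= len;
}

/* Hardened unpacker: every arithmetic step is bounded before it is used.
 * Returns 0 on success, -1 on malformed or oversized input. */
int ptp_unpack_u32_array(const uint8_t *data, size_t len, ptp_u32_array *out) {
    if (len < 4) return -1;                   /* no room for the count field */
    uint32_t count = get_le32(data);
    if (count > MAX_ELEMS) return -1;         /* never exceed our own buffer */
    if (count > (len - 4) / 4) return -1;     /* division cannot overflow, unlike count*4 */
    for (uint32_t i = 0; i < count; i++)
        out->values[i] = get_le32(data + 4 + 4 * (size_t)i);
    out->count = count;
    return 0;
}

/* Constructed device payloads. */
const uint8_t PAYLOAD_OK[] = {            /* count = 2, two elements */
    0x02, 0x00, 0x00, 0x00,
    0x11, 0x11, 0x11, 0x11,
    0x22, 0x22, 0x22, 0x22,
};
const uint8_t PAYLOAD_WRAP[] = {          /* count = 0x40000001, one element */
    0x01, 0x00, 0x00, 0x40,
    0xAA, 0xAA, 0xAA, 0xAA,
};
const uint8_t PAYLOAD_SHORT[] = {         /* count = 3, but only two elements */
    0x03, 0x00, 0x00, 0x00,
    0x11, 0x11, 0x11, 0x11,
    0x22, 0x22, 0x22, 0x22,
};

int main(void) {
    ptp_u32_array a;
    printf("ok:    naive=%d hardened=%d\n",
           naive_check_accepts(PAYLOAD_OK, sizeof PAYLOAD_OK),
           ptp_unpack_u32_array(PAYLOAD_OK, sizeof PAYLOAD_OK, &a));
    printf("wrap:  naive=%d hardened=%d\n",
           naive_check_accepts(PAYLOAD_WRAP, sizeof PAYLOAD_WRAP),
           ptp_unpack_u32_array(PAYLOAD_WRAP, sizeof PAYLOAD_WRAP, &a));
    printf("short: naive=%d hardened=%d\n",
           naive_check_accepts(PAYLOAD_SHORT, sizeof PAYLOAD_SHORT),
           ptp_unpack_u32_array(PAYLOAD_SHORT, sizeof PAYLOAD_SHORT, &a));
    return 0;
}
```

The wrapping payload is the interesting case: 0x40000001 * 4 is 0x100000004, which truncates to 4, so the naive check computes needed = 8 and accepts an 8-byte buffer that a loop would then overrun by roughly 4 GiB. Dividing the remaining length by the element size, and clamping to the destination capacity, rejects it without any arithmetic that can wrap.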
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-06 12:13:56 UTC
@ Arches,

please test and mark stable: =media-libs/libmtp-1.1.13
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-07 07:40:40 UTC
ia64 stable
Comment 3 Markus Meier gentoo-dev 2017-08-08 04:32:02 UTC
arm stable
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2017-08-25 22:16:28 UTC
amd64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-29 20:43:42 UTC
x86 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-25 21:15:07 UTC
ppc64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-25 21:37:47 UTC
ppc stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-14 18:18:05 UTC
hppa stable
Comment 9 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-15 04:17:02 UTC
Thank you all.

GLSA Request filed.

Please proceed to clean up the tree.
Comment 10 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-23 00:50:23 UTC
I couldn't find a PoC of Remote Code Execution, and I don't know if having local access to plug the device is considered a "remote by enticing" attack.

Downgrading to B3 because of the DoS.

Security please vote:

GLSA Request Vote: No
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2017-11-19 20:41:09 UTC
@sound, can this be cleaned?
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2018-01-20 19:21:21 UTC
Tree is clean:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0a675141ca41b8533e16d8f513129d5c592d993f

Coordinated with Soap via IRC.