Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 622910 - <media-libs/libmtp-1.1.13: multiple vulnerabilities in ptp* camlib
Summary: <media-libs/libmtp-1.1.13: multiple vulnerabilities in ptp* camlib
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-9831, CVE-2017-9832
  Show dependency tree
 
Reported: 2017-06-28 13:07 UTC by Agostino Sarubbo
Modified: 2018-01-20 19:21 UTC (History)
1 user (show)

See Also:
Package list:
media-libs/libmtp-1.1.13
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-06-28 13:07:51 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1465040:

An integer overflow vulnerability in ptp-pack.c (ptp_unpack_OPL function) of libmtp (version 1.1.12 and below) allows attackers to cause a denial of service (out-of-bounds memory access) or maybe remote 
code execution by inserting a mobile device into a personal computer through a USB cable.

Upstream bug report:

https://sourceforge.net/p/libmtp/mailman/message/35727918/



From https://bugzilla.redhat.com/show_bug.cgi?id=1465038:

An integer overflow vulnerability in the ptp_unpack_EOS_CustomFuncEx function of the ptp-pack.c file of libmtp (version 1.1.12 and below) allows attackers to cause a denial of service (out-of-bounds 
memory access) or maybe remote code execution by inserting a mobile device into a personal computer through a USB cable.

Upstream bug report:

https://sourceforge.net/p/libmtp/mailman/message/35727918/


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-06 12:13:56 UTC
@ Arches,

please test and mark stable: =media-libs/libmtp-1.1.13
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-07 07:40:40 UTC
ia64 stable
Comment 3 Markus Meier gentoo-dev 2017-08-08 04:32:02 UTC
arm stable
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2017-08-25 22:16:28 UTC
amd64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-29 20:43:42 UTC
x86 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-25 21:15:07 UTC
ppc64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-25 21:37:47 UTC
ppc stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-14 18:18:05 UTC
hppa stable
Comment 9 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-15 04:17:02 UTC
Thank you all.

GLSA Request filed.

Please proceed to clean up the tree.
Comment 10 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-23 00:50:23 UTC
I couldn't find a PoC of Remote Code Execution, and i don't know if having local access to plug the device is considered "remote by enticing" attack.

Downgrading to B3 because of the DoS.

Security please vote:

GLSA Request Vote: No
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2017-11-19 20:41:09 UTC
@sound, can this be cleaned?
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2018-01-20 19:21:21 UTC
Tree is clean:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0a675141ca41b8533e16d8f513129d5c592d993f

Coordinated with Soap via IRC.