
[REQUEST FOR TESTING] libmtp 1.1.8-1+deb8u1



Hi all,

I have prepared an update for libmtp to fix CVE-2017-9831 and CVE-2017-9832.
  * CVE-2017-9831:
     An integer overflow vulnerability in the ptp_unpack_EOS_CustomFuncEx
     function of the ptp-pack.c file allows attackers to cause a denial of
     service (out-of-bounds memory access) or maybe remote code execution by
     inserting a mobile device into a personal computer through a USB cable.
  * CVE-2017-9832:
     An integer overflow vulnerability in ptp-pack.c (ptp_unpack_OPL function)
     allows attackers to cause a denial of service (out-of-bounds memory
     access) or maybe remote code execution by inserting a mobile device into
     a personal computer through a USB cable.

The patch (which is quite big) is quite similar to the one prepared by
Antoine Beaupré for wheezy (DLA-1029) [1-3]. I have tested the package
in a VM, but it would be better to test it on a real machine running
Jessie with USB devices that support the MTP transfer protocol (like all
Android phones).

The signed packages are available here:
> https://people.debian.org/~daissi/jessie-lts/

If nobody reports a regression, I plan to upload this fix in 1 week
(Saturday, 4th April).

Best,
Dylan

[1] https://lists.debian.org/debian-lts/2017/07/msg00047.html
[2] https://www.debian.org/lts/security/2017/dla-1029
[3] https://salsa.debian.org/debian/libmtp/-/commit/88979a49ed
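The two CVEs above are both described as integer overflows in PTP unpacking code that lead to out-of-bounds memory access. The following is an added illustration of that bug class written for this page; it is not libmtp's ptp-pack.c code, and the record layout (a little-endian uint32 count followed by that many uint32 values), the function names and the input bytes are all constructed for the example. It shows why a size check of the form "header + count * element <= length" is unsafe when count comes from the device, and how to bound count before any multiplication so nothing can wrap.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical record layout, not libmtp's: [uint32 count][count x uint32].
 * Integers are little-endian, as PTP encodes them. */
#define HDR_LEN  4u   /* size of the leading count field */
#define ELEM_LEN 4u   /* size of each value */

static uint32_t get_u32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The flawed pattern: "header + count * element" is evaluated in 32-bit
 * unsigned arithmetic. A device-supplied count near 2^30 wraps the product,
 * the comparison against the real buffer length succeeds, and a loop that
 * trusts count then reads far past the end of the buffer. */
int size_check_overflowing(uint32_t count, uint32_t len)
{
    return HDR_LEN + count * ELEM_LEN <= len;
}

/* The hardened check: bound count by what the remaining bytes can hold
 * before any multiplication happens, so no intermediate value can wrap. */
int size_check_safe(uint32_t count, uint32_t len)
{
    if (len < HDR_LEN)
        return 0;
    return count <= (len - HDR_LEN) / ELEM_LEN;
}

/* Unpacker built on the safe check. Returns the number of values copied
 * into out, or -1 if the record is malformed or does not fit in out_cap. */
int unpack_record(const uint8_t *data, uint32_t len,
                  uint32_t *out, size_t out_cap)
{
    uint32_t count, i;

    if (len < HDR_LEN)
        return -1;
    count = get_u32_le(data);
    if (!size_check_safe(count, len) || count > out_cap)
        return -1;
    for (i = 0; i < count; i++)
        out[i] = get_u32_le(data + HDR_LEN + (size_t)i * ELEM_LEN);
    return (int)count;
}

int main(void)
{
    /* Constructed well-formed record: count = 2, values 0x11223344 and 1. */
    static const uint8_t good[] = { 2,0,0,0, 0x44,0x33,0x22,0x11, 1,0,0,0 };
    /* Constructed hostile header: count = 0x40000001 with only 8 bytes present.
     * 4 + 0x40000001 * 4 wraps to 8 in uint32_t, so the flawed check passes. */
    static const uint8_t evil[] = { 0x01,0x00,0x00,0x40, 0,0,0,0 };
    uint32_t vals[4];
    int n = unpack_record(good, sizeof good, vals, 4);

    printf("good record: %d values, first = 0x%08x\n", n, vals[0]);
    printf("hostile count: flawed check %s, safe check %s\n",
           size_check_overflowing(get_u32_le(evil), sizeof evil) ? "accepts" : "rejects",
           size_check_safe(get_u32_le(evil), sizeof evil) ? "accepts" : "rejects");
    printf("hostile record via safe unpacker: %d\n",
           unpack_record(evil, sizeof evil, vals, 4));
    return 0;
}
```

When testing a fix of this kind on real hardware, the useful check is exactly the hostile case: a count field whose product with the element size wraps must be rejected before any element is read, and a well-formed record must still unpack unchanged.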

