Bug 21177

Summary: libmtp, libgphoto new security issues CVE-2017-9831 and CVE-2017-9832
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, lewyssmith, marja11, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-32-OK advisory
Source RPM: libmtp-1.1.8-4.mga5.src.rpm, libgphoto-2.5.12-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-07-03 12:02:45 CEST 
Fedora has issued an advisory on July 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LTQ4RARXHHXXKCHPXONGT7HSMAQXNAVM/

The issues are fixed in libmtp 1.1.13 and libgphoto 2.5.14.

libmtp is already updated in Cauldron but libgphoto/gphoto2 needs to be updated.

Mageia 5 is also affected.
David Walser 2017-07-03 12:02:54 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-07-05 10:37:09 CEST 
Assigning to all packagers collectively, since there are no registered maintainers for libmtp and libgphoto

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 David Walser 2017-07-07 12:04:29 CEST 
libgphoto now also updated in Cauldron.  Still waiting for gphoto2 to be pushed.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 3 David Walser 2017-07-08 21:31:30 CEST 
Patched packages uploaded for Mageia 5.

Advisory:
========================

Updated libmtp and libgphoto packages fix security vulnerabilities:

An integer overflow vulnerability in the ptp_unpack_EOS_CustomFuncEx function
of the ptp-pack.c file of libmtp and libgphoto allows attackers to cause a
denial of service (out-of-bounds memory access) or maybe remote code execution
by inserting a mobile device into a personal computer through a USB cable
(CVE-2017-9831).

An integer overflow vulnerability in ptp-pack.c (ptp_unpack_OPL function) of
libmtp and libgphoto allows attackers to cause a denial of service
(out-of-bounds memory access) or maybe remote code execution by inserting a
mobile device into a personal computer through a USB cable (CVE-2017-9832).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9831
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9832
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LTQ4RARXHHXXKCHPXONGT7HSMAQXNAVM/
========================

Updated packages in core/updates_testing:
========================
libmtp9-1.1.8-4.1.mga5
libmtp-devel-1.1.8-4.1.mga5
libmtp-doc-1.1.8-4.1.mga5
libmtp-utils-1.1.8-4.1.mga5
libgphoto2_6-2.5.7-1.2.mga5
libgphoto2_port12-2.5.7-1.2.mga5
libgphoto-common-2.5.7-1.2.mga5
libgphoto-devel-2.5.7-1.2.mga5

from SRPMS:
libmtp-1.1.8-4.1.mga5.src.rpm
libgphoto-2.5.7-1.2.mga5.src.rpm

Assignee: pkg-bugs => qa-bugs

Comment 4 Herman Viaene 2017-07-18 13:51:09 CEST 
MGA5-32 on Asus A6000VM Xfce
No installation issues
Found digikam to be dependent on libgphoto2_6.
Used strace with digikam, connected Nikon Coolpix S2900, and found multiple calls to libgphoto2.

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2017-07-18 14:49:29 CEST 
Found trace of libmtp in paying audio CD with clementine.
Herman Viaene 2017-07-18 14:49:43 CEST

Whiteboard: (none) => MGA5-32-OK

Lewis Smith 2017-07-20 21:02:59 CEST

Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => lewyssmith

Comment 6 Lewis Smith 2017-07-28 11:03:09 CEST 
Thanks yet again, Herman. Validating the update under the temporary "1 OK suffices" policy.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2017-07-28 20:13:20 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0225.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED