Fedora has issued an advisory on July 2:
The issues are fixed in libmtp 1.1.13 and libgphoto 2.5.14.
libmtp is already updated in Cauldron but libgphoto/gphoto2 needs to be updated.
Mageia 5 is also affected.
Assigning to all packagers collectively, since there are no registered maintainers for libmtp and libgphoto.
libgphoto now also updated in Cauldron. Still waiting for gphoto2 to be pushed.
Patched packages uploaded for Mageia 5.
Updated libmtp and libgphoto packages fix security vulnerabilities:
An integer overflow vulnerability in the ptp_unpack_EOS_CustomFuncEx function
of the ptp-pack.c file of libmtp and libgphoto allows attackers to cause a
denial of service (out-of-bounds memory access) or maybe remote code execution
by inserting a mobile device into a personal computer through a USB cable
An integer overflow vulnerability in ptp-pack.c (ptp_unpack_OPL function) of
libmtp and libgphoto allows attackers to cause a denial of service
(out-of-bounds memory access) or maybe remote code execution by inserting a
mobile device into a personal computer through a USB cable (CVE-2017-9832).
Updated packages in core/updates_testing:
MGA5-32 on Asus A6000VM Xfce
No installation issues
Found digikam to be dependent on libgphoto2_6.
Used strace with digikam, connected Nikon Coolpix S2900, and found multiple calls to libgphoto2.
Found trace of libmtp in playing audio CD with clementine.
Thanks yet again, Herman. Validating the update under the temporary "1 OK suffices" policy.
An update for this issue has been pushed to the Mageia Updates repository.