Fedora has issued an advisory on July 2: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LTQ4RARXHHXXKCHPXONGT7HSMAQXNAVM/ The issues are fixed in libmtp 1.1.13 and libgphoto 2.5.14. libmtp is already updated in Cauldron but libgphoto/gphoto2 needs to be updated. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there are no registered maintainers for libmtp and libgphoto
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
libgphoto now also updated in Cauldron. Still waiting for gphoto2 to be pushed.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Patched packages uploaded for Mageia 5.

Advisory:
========================

Updated libmtp and libgphoto packages fix security vulnerabilities:

An integer overflow vulnerability in the ptp_unpack_EOS_CustomFuncEx function of the ptp-pack.c file of libmtp and libgphoto allows attackers to cause a denial of service (out-of-bounds memory access) or maybe remote code execution by inserting a mobile device into a personal computer through a USB cable (CVE-2017-9831).

An integer overflow vulnerability in ptp-pack.c (ptp_unpack_OPL function) of libmtp and libgphoto allows attackers to cause a denial of service (out-of-bounds memory access) or maybe remote code execution by inserting a mobile device into a personal computer through a USB cable (CVE-2017-9832).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9831
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9832
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LTQ4RARXHHXXKCHPXONGT7HSMAQXNAVM/
========================

Updated packages in core/updates_testing:
========================
libmtp9-1.1.8-4.1.mga5
libmtp-devel-1.1.8-4.1.mga5
libmtp-doc-1.1.8-4.1.mga5
libmtp-utils-1.1.8-4.1.mga5
libgphoto2_6-2.5.7-1.2.mga5
libgphoto2_port12-2.5.7-1.2.mga5
libgphoto-common-2.5.7-1.2.mga5
libgphoto-devel-2.5.7-1.2.mga5

from SRPMS:
libmtp-1.1.8-4.1.mga5.src.rpm
libgphoto-2.5.7-1.2.mga5.src.rpm
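Both CVEs above are of the same class: a length or count field supplied by the USB device is trusted when unpacking a PTP structure, so an oversized value wraps the size arithmetic and drives reads past the buffer. The following is an added example of the defensive pattern, not code from libgphoto, libmtp or the Mageia packages; the (count, 8-byte entries) layout, the `unpack_props` function and the sample buffers are all constructed for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical device-supplied list: a 32-bit little-endian entry count
 * followed by that many 8-byte (code, value) entries. This layout is an
 * assumption for the example, not the real PTP structure. */
#define ENTRY_SIZE 8u
struct prop { uint32_t code; uint32_t value; };

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unpack a count-prefixed array from an untrusted buffer. Returns the
 * entry count, or -1 if the data is malformed. The count is bounded by
 * the bytes actually present before any size arithmetic or allocation,
 * so a huge count can neither wrap a size computation nor drive reads
 * past the end of the buffer. */
int unpack_props(const uint8_t *data, size_t len, struct prop **out) {
    *out = NULL;
    if (len < 4) return -1;                      /* no room for count */
    uint32_t count = get_le32(data);
    size_t avail = len - 4;
    if (count > avail / ENTRY_SIZE) return -1;   /* claims more than sent */
    if (count > INT_MAX) return -1;
    struct prop *p = calloc(count ? count : 1, sizeof *p);
    if (!p) return -1;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = data + 4 + (size_t)i * ENTRY_SIZE;
        p[i].code = get_le32(e);
        p[i].value = get_le32(e + 4);
    }
    *out = p;
    return (int)count;
}

/* Constructed samples: a valid 2-entry list, and one whose count field is
 * 0xFFFFFFFF but which carries only a single 8-byte entry. */
static const uint8_t good[] = {2,0,0,0, 1,0,0,0, 0x10,0,0,0, 2,0,0,0, 0x20,0,0,0};
static const uint8_t bad[]  = {0xff,0xff,0xff,0xff, 1,0,0,0, 0x10,0,0,0};

int demo_good(void) {   /* 1 when the valid list parses as expected */
    struct prop *p; int n = unpack_props(good, sizeof good, &p);
    int ok = n == 2 && p && p[1].code == 2 && p[1].value == 0x20;
    free(p); return ok;
}
int demo_bad(void) {    /* 1 when the oversized count is rejected */
    struct prop dummy, *p = &dummy;
    return unpack_props(bad, sizeof bad, &p) == -1 && p == NULL;
}
```

Note that the check compares the count against `avail / ENTRY_SIZE` rather than computing `count * ENTRY_SIZE`, so there is no multiplication to overflow on the device's say-so.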
Assignee: pkg-bugs => qa-bugs
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Found digikam to be dependent on libgphoto2_6. Used strace with digikam, connected Nikon Coolpix S2900, and found multiple calls to libgphoto2.
CC: (none) => herman.viaene
Found trace of libmtp in playing audio CD with clementine.
Whiteboard: (none) => MGA5-32-OK
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => lewyssmith
Thanks yet again, Herman. Validating the update under the temporary "1 OK suffices" policy.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0225.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED