Hi all,

I have prepared an update for libmtp to fix CVE-2017-9831 and CVE-2017-9832.

* CVE-2017-9831: An integer overflow vulnerability in the ptp_unpack_EOS_CustomFuncEx function of the ptp-pack.c file allows attackers to cause a denial of service (out-of-bounds memory access) or maybe remote code execution by inserting a mobile device into a personal computer through a USB cable.
* CVE-2017-9832: An integer overflow vulnerability in ptp-pack.c (ptp_unpack_OPL function) allows attackers to cause a denial of service (out-of-bounds memory access) or maybe remote code execution by inserting a mobile device into a personal computer through a USB cable.

The patch is quite similar (and quite big) to the one prepared by Antoine Beaupré for wheezy (DLA-1029) [1-3].

I have tested the package in a VM, but it would be better to test it with a real machine with Jessie and USB devices supporting the MTP transfer protocol (like all andro** phones).

The signed packages are available here:
> https://people.debian.org/~daissi/jessie-lts/

If nobody reports a regression, I plan to upload this fix in 1 week (Saturday, 4th April).

Best,
Dylan

[1] https://lists.debian.org/debian-lts/2017/07/msg00047.html
[2] https://www.debian.org/lts/security/2017/dla-1029
[3] https://salsa.debian.org/debian/libmtp/-/commit/88979a49ed