DLA 2169-1: libmtp security update
Package : libmtp
Version : 1.1.8-1+deb8u1
CVE ID : CVE-2017-9831 CVE-2017-9832
libmtp is a library for communicating with MTP aware devices. The Media
Transfer Protocol (commonly referred to as MTP) is a devised set of custom
extensions to support the transfer of music files on USB digital audio players
and movie files on USB portable media players.
CVE-2017-9831
An integer overflow vulnerability in the ptp_unpack_EOS_CustomFuncEx
function of the ptp-pack.c file allows attackers to cause a denial of
service (out-of-bounds memory access) or maybe remote code execution by
inserting a mobile device into a personal computer through a USB cable.
CVE-2017-9832
An integer overflow vulnerability in ptp-pack.c (ptp_unpack_OPL function)
allows attackers to cause a denial of service (out-of-bounds memory
access) or maybe remote code execution by inserting a mobile device into
a personal computer through a USB cable.
For Debian 8 "Jessie", these problems have been fixed in version
1.1.8-1+deb8u1.
We recommend that you upgrade your libmtp packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
A libmtp security update has been released for Debian GNU/Linux 8 LTS to address two integer overflow vulnerabilities.
