Debian 10261 Published by

A libmtp security update has been released for Debian GNU/Linux 8 LTS to address two integer overflow vulnerabilities.



DLA 2169-1: libmtp security update

Package : libmtp
Version : 1.1.8-1+deb8u1
CVE ID : CVE-2017-9831 CVE-2017-9832

libmtp is a library for communicating with MTP aware devices. The Media
Transfer Protocol (commonly referred to as MTP) is a devised set of custom
extensions to support the transfer of music files on USB digital audio players
and movie files on USB portable media players.

CVE-2017-9831

An integer overflow vulnerability in the ptp_unpack_EOS_CustomFuncEx
function of the ptp-pack.c file allows attackers to cause a denial of
service (out-of-bounds memory access) or maybe remote code execution by
inserting a mobile device into a personal computer through a USB cable.

CVE-2017-9832

An integer overflow vulnerability in ptp-pack.c (ptp_unpack_OPL function)
allows attackers to cause a denial of service (out-of-bounds memory
access) or maybe remote code execution by inserting a mobile device into
a personal computer through a USB cable.

For Debian 8 "Jessie", these problems have been fixed in version
1.1.8-1+deb8u1.

We recommend that you upgrade your libmtp packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS