[SECURITY] [DLA 2169-1] libmtp security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2169-1] libmtp security update
From: Dylan Aïssi <daissi@debian.org>
Date: Sun, 5 Apr 2020 16:48:23 +0200
Message-id: <[🔎] CA+6XHwT=9g3SGX4f62BJOrVnZqnzp28RPu2=nWnamJRVTLDY0g@mail.gmail.com>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : libmtp
Version        : 1.1.8-1+deb8u1
CVE ID         : CVE-2017-9831 CVE-2017-9832


libmtp is a library for communicating with MTP aware devices. The Media
Transfer Protocol (commonly referred to as MTP) is a devised set of custom
extensions to support the transfer of music files on USB digital audio players
and movie files on USB portable media players.

CVE-2017-9831

    An integer overflow vulnerability in the ptp_unpack_EOS_CustomFuncEx
    function of the ptp-pack.c file allows attackers to cause a denial of
    service (out-of-bounds memory access) or maybe remote code execution by
    inserting a mobile device into a personal computer through a USB cable.

CVE-2017-9832

    An integer overflow vulnerability in ptp-pack.c (ptp_unpack_OPL function)
    allows attackers to cause a denial of service (out-of-bounds memory
    access) or maybe remote code execution by inserting a mobile device into
    a personal computer through a USB cable.

For Debian 8 "Jessie", these problems have been fixed in version
1.1.8-1+deb8u1.

We recommend that you upgrade your libmtp packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEmjwHvQbeL0FugTpdYS7xYT4FD1QFAl6J5EgACgkQYS7xYT4F
D1Soew//Uq886JHbpAlKnudu/SMh0qI4yNZvRKAJtJq9OlyQmmjz68G1q0ffJ841
IOsgXBxOCilA/bviNG13t69z9xCaevwXkjaiYGl3JUeHhfxtl98xSKBr+77Gqxkp
C/EnFj9KckynUTJuKBDOeleMyzq57Y9qsMBGJKQ0rYZWrKKi4QaZ/Myy/br024gl
RVdmrI+TCGYdJpZqcd+tO9Dm35PVpm4gXYKc/xsQ1XI7J1RnUfW+VbrRuoZdCBRQ
C27P8YV4171XeIymhKOHUwVRIqDvUVq+XpLYt3jLttu9iki6H8vmoAEZUtJ9lPex
gq6nDp1JezkjoAhNEXI1288E6iALmPKy14XUVayKpnh5oBDsaU1iCoW46z7Ez/qo
fWOuf4jowIIS9RR/wnP928DNeTCD8ahTOZk6sP5iqdcaIdSFp/kdeHJYifzAsdON
7X/eb5BXQPgICWz6Ce4wZCVEk7gxr4flrFekH7EGRwPwcpzKw2zhXbfDo32pZWBC
JBKVNkyA9jatDy/vzNvYVYHMNmxXueFzTkcAIx/sDfc0Gjw81Cz2N0n5axXOWQXu
WtG7ydw5el1Cth3k+4JkVmcfFNPrYjHaoyAtqjsVjewhwwdEvovyFclIfzHtYJMx
fsBhwx+b1Mu538YDzlv6mlmWsearpabc6MzS7yrbXor7N7jxuYg=
=9844
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2168-1] libplist security update
Next by Date: [SECURITY] [DLA 2170-1] firefox-esr security update
Previous by thread: [SECURITY] [DLA 2168-1] libplist security update
Next by thread: [SECURITY] [DLA 2170-1] firefox-esr security update
Index(es):
- Date
- Thread