libgphoto2 Unbounded Read Vulnerability in Canon EOS PTP2 Event Handling
Vulnerability
A vulnerability exists in libgphoto2 versions through 2.5.33, specifically within the Canon EOS event handling functions of the PTP2 camera library. The functions 'ptp_unpack_EOS_ImageFormat' and 'ptp_unpack_EOS_CustomFuncEx' accept data pointers without corresponding length parameters, leading to unbounded read operations. Although the calling function 'ptp_unpack_EOS_events' has access to the data size, it fails to pass this information, allowing both unpacking functions to read beyond the actual buffer limits. This oversight can result in the disclosure of adjacent heap memory.
Impact
Exploitation of this vulnerability can lead to a heap memory disclosure of up to 1024 bytes, particularly through the 'ptp_unpack_EOS_CustomFuncEx' function, which handles larger read operations. This memory leakage could potentially be exploited to manipulate program behavior or bypass security mechanisms.
Reproduction
The vulnerability can be reproduced by sending a crafted EOS event response from a malicious USB device or a rogue PTP/IP server. The response should include a truncated buffer that the vulnerable functions will read beyond the boundary, exposing adjacent heap memory.
Remediation
Users can update to the latest version of libgphoto2, where this vulnerability has been addressed. Instructions for updating can be found in the libgphoto2 documentation.
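As an added illustration (not libgphoto2's own code), the hypothetical unpack routine below models the fix the advisory describes: the caller passes the buffer length down to the unpacker and every read is checked against the bytes remaining, so a truncated record is rejected instead of being read past its end into adjacent heap memory. The record layout (a uint32 count followed by that many uint32 values), the sample buffers and all function names are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
/* Hypothetical model (not libgphoto2 code) of a bounded unpack routine.
 * Assumed record layout: little-endian uint32 count, then `count` uint32 values.
 * The caller passes the buffer length down and every read is checked against it. */
#define MAX_ENTRIES 16
struct parsed { uint32_t count; uint32_t values[MAX_ENTRIES]; };

/* Read a uint32 at `off`; fails if fewer than 4 bytes remain (overflow-safe). */
static int read_u32le(const uint8_t *data, size_t len, size_t off, uint32_t *out) {
    if (off > len || len - off < 4)
        return -1;
    *out = (uint32_t)data[off] | ((uint32_t)data[off + 1] << 8) |
           ((uint32_t)data[off + 2] << 16) | ((uint32_t)data[off + 3] << 24);
    return 0;
}

/* Returns bytes consumed, or -1 if the record is truncated or oversized. */
int unpack_bounded(const uint8_t *data, size_t len, struct parsed *out) {
    size_t off = 0;
    if (read_u32le(data, len, off, &out->count) < 0)
        return -1;
    off += 4;
    if (out->count > MAX_ENTRIES)   /* also bounds the loop against a huge count */
        return -1;
    for (uint32_t i = 0; i < out->count; i++) {
        if (read_u32le(data, len, off, &out->values[i]) < 0)
            return -1;              /* would have read past the buffer */
        off += 4;
    }
    return (int)off;
}

/* Constructed sample inputs: a complete record (count 3, values 1,2,3) and the
 * same record with its last value cut off, like a truncated EOS event buffer. */
static const uint8_t sample_complete[] = {3,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0};
static const uint8_t sample_truncated[] = {3,0,0,0, 1,0,0,0, 2,0,0,0};

int demo_complete(uint32_t *third) {
    struct parsed p;
    int n = unpack_bounded(sample_complete, sizeof sample_complete, &p);
    if (n > 0 && third) *third = p.values[2];
    return n;
}

int demo_truncated(void) {
    struct parsed p;
    return unpack_bounded(sample_truncated, sizeof sample_truncated, &p);
}
```

The complete record parses to 16 consumed bytes, while the truncated one fails at the third value instead of reading whatever follows the buffer.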
