libgphoto2 Missing Null Terminator Vulnerability in Canon PTP Unpacking Function
Vulnerability
A vulnerability exists in libgphoto2 versions through 2.5.33, where the PTP unpacking function for Canon folder entries fails to properly null-terminate filenames copied into a 13-byte buffer. This oversight allows for out-of-bounds reads in subsequent string operations, potentially leading to undefined behavior. The issue arises when a device sends a 13-byte filename without a null terminator, leaving the buffer unterminated.
Impact
A malicious Canon USB device can exploit this vulnerability by sending a crafted folder entry with an unterminated filename, causing out-of-bounds reads in subsequent string operations on the filename buffer.
Reproduction
The vulnerability can be reproduced by sending a 13-byte filename without a null terminator from a Canon USB device to a system running an affected version of libgphoto2. The PTP unpacking function 'ptp_unpack_Canon_FE' will process the filename, leading to out-of-bounds reads due to the missing null termination.
Remediation
Users can manually apply the suggested fix by modifying the 'ptp_unpack_Canon_FE' function to include the missing null terminator. The patched version is available in the official GitHub repository.
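The missing-terminator pattern next to one way of correcting it, as an added example that is not libgphoto2's own code. The struct, function names and sample bytes are assumptions made for illustration; only the 13-byte buffer size comes from the advisory above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FILENAME_LEN 13  /* buffer size stated in the advisory */

/* Hypothetical stand-in for the unpacked Canon folder entry. */
struct folder_entry {
    char filename[FILENAME_LEN];
};

/* Vulnerable pattern: all 13 device-supplied bytes are copied, so a name
 * with no NUL among them leaves the buffer unterminated. */
static void unpack_name_unsafe(const uint8_t *field, struct folder_entry *fe)
{
    for (size_t i = 0; i < FILENAME_LEN; i++)
        fe->filename[i] = (char)field[i];
}

/* Hardened pattern: same copy, then force a terminator into the last slot.
 * A 13-byte name is truncated to 12 characters instead of overrunning. */
static void unpack_name_safe(const uint8_t *field, struct folder_entry *fe)
{
    for (size_t i = 0; i < FILENAME_LEN; i++)
        fe->filename[i] = (char)field[i];
    fe->filename[FILENAME_LEN - 1] = '\0';
}

/* Bounded check that never reads past the buffer (unlike strlen). */
static int is_terminated(const struct folder_entry *fe)
{
    return memchr(fe->filename, '\0', FILENAME_LEN) != NULL;
}

/* Constructed sample: 13 name bytes with no NUL, as a device could send. */
static const uint8_t sample_field[FILENAME_LEN] = {
    'I','M','G','_','0','0','0','1','.','J','P','G','X'
};

int main(void)
{
    struct folder_entry a, b;
    unpack_name_unsafe(sample_field, &a);
    unpack_name_safe(sample_field, &b);
    printf("unsafe terminated: %d\n", is_terminated(&a));
    printf("safe terminated:   %d, name: %s\n", is_terminated(&b), b.filename);
    return 0;
}
```

Callers that cannot rely on a patched library can apply the same bounded `memchr` check before passing the filename to any string function.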
