libgphoto2 Out-of-Bounds Read Vulnerability in Sony PTP Device Property Enumeration
Vulnerability
A moderate-severity out-of-bounds read vulnerability has been identified in libgphoto2 versions through 2.5.33. The issue occurs in the PTP_DPFF_Enumeration case of the ptp_unpack_Sony_DPD() function, located in camlibs/ptp2/ptp-pack.c, line 856. The function reads a 2-byte enumeration count without first verifying that at least two bytes remain in the buffer, which can disclose adjacent heap memory.
Impact
Exploitation of this vulnerability leads to the disclosure of two bytes of adjacent heap memory during property enumeration on Sony devices, creating a potential information leak.
Reproduction
The vulnerability can be reproduced by sending a crafted Sony Device Property Descriptor with FormFlag set to PTP_DPFF_Enumeration and a truncated buffer from a rogue PTP/IP server or malicious USB device. This causes the host to read beyond the buffer boundary when parsing the enumeration count, exposing adjacent heap memory.
Remediation
Users can update to the patched version of libgphoto2, which is available on the official GitHub repository.
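The class of check whose absence is described above, shown as an added example that is not libgphoto2's code or its patch: every 2-byte read is gated on the bytes remaining, and the enumeration count is validated against the rest of the buffer before any value is read. The function names, the little-endian uint16 value type and the sample buffers are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Read a little-endian uint16 at *off only if two bytes remain in buf. */
static int read_u16(const uint8_t *buf, size_t len, size_t *off, uint16_t *out)
{
    if (*off > len || len - *off < 2)
        return -1;                      /* truncated: refuse to read */
    *out = (uint16_t)(buf[*off] | ((uint16_t)buf[*off + 1] << 8));
    *off += 2;
    return 0;
}

/*
 * Hypothetical parser for an enumeration form: a 2-byte count followed by
 * that many values (uint16 values assumed here for brevity).
 * Returns the number of values stored, or -1 on truncated/oversized input.
 */
int parse_enum_form(const uint8_t *buf, size_t len, size_t off,
                    uint16_t *values, size_t max_values)
{
    uint16_t count;
    size_t i;

    if (read_u16(buf, len, &off, &count) < 0)
        return -1;                      /* count itself is not fully present */
    if (count > max_values || (size_t)count * 2 > len - off)
        return -1;                      /* count claims more than remains */
    for (i = 0; i < count; i++)
        if (read_u16(buf, len, &off, &values[i]) < 0)
            return -1;
    return (int)count;
}

/* Constructed sample inputs (not captured from a device). */
static const uint8_t sample_ok[]        = { 0x02, 0x00, 0x10, 0x00, 0x20, 0x00 };
static const uint8_t sample_cut_count[] = { 0x02 };                   /* count cut short */
static const uint8_t sample_cut_vals[]  = { 0x03, 0x00, 0x10, 0x00 }; /* 3 claimed, 1 present */

int main(void)
{
    uint16_t v[8];
    if (parse_enum_form(sample_ok, sizeof sample_ok, 0, v, 8) != 2) return 1;
    if (parse_enum_form(sample_cut_count, sizeof sample_cut_count, 0, v, 8) != -1) return 1;
    if (parse_enum_form(sample_cut_vals, sizeof sample_cut_vals, 0, v, 8) != -1) return 1;
    return 0;
}
```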
