libgphoto2 Out-of-Bounds Read Vulnerability in Sony DPD Unpacking Function
Vulnerability
A moderate out-of-bounds read vulnerability has been identified in libgphoto2 versions through 2.5.33. The issue arises in the ptp_unpack_Sony_DPD() function within camlibs/ptp2/ptp-pack.c, specifically at line 842. This function reads the FormFlag byte using dtoh8o(data, *poffset) without first checking that *poffset still lies inside the buffer it was handed. In contrast, the standard ptp_unpack_DPD() function validates the offset before performing the same read. The vulnerability can be triggered when a rogue PTP/IP server or malicious USB device sends a crafted Device Property Descriptor whose buffer ends before the FormFlag byte, causing the function to read past the buffer boundary and return one byte of adjacent heap memory as the property's FormFlag.
Impact
Each property enumeration that processes the crafted descriptor discloses one byte of heap memory adjacent to the receive buffer, creating a potential information leak to the device or server that supplied the descriptor.
Reproduction
To reproduce this vulnerability, an attacker-controlled PTP/IP server or USB device must be set up to send a crafted Sony Device Property Descriptor whose buffer is truncated just before the FormFlag byte. When the host enumerates device properties, ptp_unpack_Sony_DPD() reads beyond the buffer limit and the adjacent heap byte is returned as the FormFlag value.
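The defect described in the Vulnerability and Reproduction sections, as a constructed C illustration added here (not libgphoto2's own code). A simplified descriptor unpacker is shown twice: once with the header bounds-checked but the trailing FormFlag read unchecked, and once with the check in place. The truncated descriptor is placed at the start of a larger heap chunk filled with 0xA5, standing in for a neighbouring allocation, so the "out-of-bounds" read stays inside memory this program owns. The macro names dtoh8o/dtoh16o, the struct dpd_min layout, the 5-byte header and the sample bytes are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for libgphoto2's dtoh8o()/dtoh16o() byte accessors (offset y
 * into buffer x). Constructed for this illustration, not copied from
 * camlibs/ptp2/ptp-pack.c. */
#define dtoh8o(x, y)  ((uint8_t)(((const uint8_t *)(x))[(y)]))
#define dtoh16o(x, y) ((uint16_t)(dtoh8o(x, y) | (dtoh8o(x, (y) + 1) << 8)))

/* Minimal descriptor: only the fields this example needs (assumed layout). */
struct dpd_min {
    uint16_t DevicePropertyCode;
    uint16_t DataType;
    uint8_t  GetSet;
    uint8_t  FormFlag;
};
#define DPD_HDR_LEN 5u   /* code(2) + datatype(2) + getset(1) */

/* Vulnerable shape: the header read is bounds-checked, the trailing FormFlag
 * read is not. A descriptor cut off right after the header makes dtoh8o()
 * fetch the byte that follows the buffer. Returns 1 on success, 0 on reject. */
static int unpack_dpd_unchecked(const uint8_t *data, unsigned int datalen,
                                unsigned int *poffset, struct dpd_min *dpd)
{
    unsigned int off = *poffset;
    if (off > datalen || datalen - off < DPD_HDR_LEN)
        return 0;
    dpd->DevicePropertyCode = dtoh16o(data, off);
    dpd->DataType           = dtoh16o(data, off + 2);
    dpd->GetSet             = dtoh8o(data, off + 4);
    off += DPD_HDR_LEN;
    dpd->FormFlag = dtoh8o(data, off);   /* unchecked: may read past datalen */
    *poffset = off + 1;
    return 1;
}

/* Hardened shape: identical, except FormFlag is read only if it lies inside
 * the buffer. */
static int unpack_dpd_checked(const uint8_t *data, unsigned int datalen,
                              unsigned int *poffset, struct dpd_min *dpd)
{
    unsigned int off = *poffset;
    if (off > datalen || datalen - off < DPD_HDR_LEN)
        return 0;
    dpd->DevicePropertyCode = dtoh16o(data, off);
    dpd->DataType           = dtoh16o(data, off + 2);
    dpd->GetSet             = dtoh8o(data, off + 4);
    off += DPD_HDR_LEN;
    if (off >= datalen)                  /* the missing bounds check */
        return 0;
    dpd->FormFlag = dtoh8o(data, off);
    *poffset = off + 1;
    return 1;
}

typedef int (*unpack_fn)(const uint8_t *, unsigned int, unsigned int *,
                         struct dpd_min *);

/* Feed a truncated descriptor (constructed sample: property 0x5001, datatype
 * 0x0002, GetSet 1, FormFlag missing) to an unpacker. The 5 wire bytes sit at
 * the start of a 16-byte heap chunk otherwise filled with 0xA5, standing in
 * for a neighbouring allocation; only those 5 bytes are declared as datalen.
 * Returns the FormFlag the unpacker reports, or -1 if it rejected the input. */
static int run_truncated(unpack_fn unpack)
{
    static const uint8_t wire[DPD_HDR_LEN] = { 0x01, 0x50, 0x02, 0x00, 0x01 };
    struct dpd_min dpd = { 0 };
    unsigned int off = 0;
    uint8_t *chunk = malloc(16);
    int rc;
    if (!chunk)
        return -2;
    memset(chunk, 0xA5, 16);
    memcpy(chunk, wire, DPD_HDR_LEN);
    rc = unpack(chunk, DPD_HDR_LEN, &off, &dpd);
    free(chunk);
    return rc ? dpd.FormFlag : -1;
}

/* Vulnerable path: "succeeds" and reports the neighbouring byte 0xA5. */
int unchecked_formflag_on_truncated(void) { return run_truncated(unpack_dpd_unchecked); }

/* Hardened path: rejects the truncated descriptor (-1); nothing leaks. */
int checked_formflag_on_truncated(void)   { return run_truncated(unpack_dpd_checked); }

/* Hardened path still accepts a complete descriptor: returns FormFlag 0x02
 * and leaves the offset just past it. */
int checked_formflag_on_complete(void)
{
    static const uint8_t wire[] = { 0x01, 0x50, 0x02, 0x00, 0x01, 0x02 };
    struct dpd_min dpd = { 0 };
    unsigned int off = 0;
    if (!unpack_dpd_checked(wire, sizeof wire, &off, &dpd) || off != sizeof wire)
        return -1;
    return dpd.FormFlag;
}
```

The point to take from the two unpackers is that the check has to precede every read that advances past the already-validated header, not just the header itself; a device-supplied length is the only thing separating the last byte of the descriptor from whatever the allocator placed next to it.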
Remediation
Users can update to the patched version of libgphoto2, which adds the missing bounds check in ptp_unpack_Sony_DPD() before the FormFlag byte is read. Instructions for updating can be found in the libgphoto2 repository.