libgphoto2 Out-of-Bounds Read Vulnerability in PTP ObjectInfo Parsing
Vulnerability
A moderate-severity out-of-bounds read has been identified in libgphoto2 versions through 2.5.33. The issue is in the PTP unpacking function ptp_unpack_OI() in camlibs/ptp2/ptp-pack.c, lines 530 to 563. The function validates the length of a PTP ObjectInfo response only against the offset of the SequenceNumber field: a response that is not shorter than that offset passes the check, yet the function then reads fields located beyond it, past the end of the validated data. Because the ObjectInfo response is supplied by the device, a malicious USB device or a rogue PTP/IP network endpoint can trigger the out-of-bounds read and disclose the contents of adjacent heap memory.
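The check-then-overread pattern described above, as an added example in C (this is illustration code, not libgphoto2's ptp_unpack_OI()): a simplified ObjectInfo unpacker that guards only the SequenceNumber offset, beside a hardened version that bounds-checks every read. The field offsets follow the PTP ObjectInfo layout (a 52-byte fixed header, then a UCS-2 Filename string prefixed by its character count); the function names, the struct, the 50-byte truncated response and the sentinel bytes standing in for adjacent heap memory are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets of the ObjectInfo fields that matter here (PTP layout).
   Names and struct are this example's own, not libgphoto2's. */
#define OI_SEQUENCENUMBER 48u   /* uint32 SequenceNumber */
#define OI_FILENAMELEN    52u   /* uint8 character count of Filename */
#define OI_FILENAME       53u   /* first UCS-2 character of Filename */
#define OI_FIXED_HEADER   53u   /* fixed header plus the count byte */

struct oi {
    uint32_t sequence;
    uint8_t  name_chars;
    uint16_t first_char;
};

static uint32_t get32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint16_t get16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | p[1] << 8);
}

/* Vulnerable pattern: the only length check is against the SequenceNumber
   offset, yet the fields read afterwards sit at or past that offset. */
int unpack_oi_vulnerable(const uint8_t *data, size_t len, struct oi *out)
{
    if (len < OI_SEQUENCENUMBER)
        return -1;
    out->sequence   = get32le(data + OI_SEQUENCENUMBER); /* bytes 48..51 */
    out->name_chars = data[OI_FILENAMELEN];              /* byte 52: unchecked */
    out->first_char = get16le(data + OI_FILENAME);       /* bytes 53..54: unchecked */
    return 0;
}

/* Hardened form: require the whole fixed header before touching it, then
   check the variable-length filename against the bytes that remain. */
int unpack_oi_hardened(const uint8_t *data, size_t len, struct oi *out)
{
    if (len < OI_FIXED_HEADER)
        return -1;
    out->sequence   = get32le(data + OI_SEQUENCENUMBER);
    out->name_chars = data[OI_FILENAMELEN];
    out->first_char = 0;
    if (out->name_chars == 0)
        return 0;                       /* empty filename: nothing more to read */
    /* UCS-2 is two bytes per character; size_t arithmetic cannot overflow here. */
    if (len - OI_FILENAME < (size_t)out->name_chars * 2u)
        return -1;
    out->first_char = get16le(data + OI_FILENAME);
    return 0;
}

/* ---- constructed inputs ------------------------------------------------ */

#define ARENA_SIZE    64u
#define TRUNCATED_LEN 50u   /* passes "len < 48" but ends before byte 52 */
#define SENTINEL      0x41  /* stands in for whatever the heap holds next */

/* A 50-byte truncated ObjectInfo followed by sentinel bytes that play the
   role of adjacent heap memory (kept inside one array so the demo itself
   stays within bounds). */
static void build_truncated(uint8_t *arena)
{
    memset(arena, 0, ARENA_SIZE);
    memset(arena + TRUNCATED_LEN, SENTINEL, ARENA_SIZE - TRUNCATED_LEN);
}

/* The byte the vulnerable parser reports as the filename length comes from
   beyond the 50-byte response: the sentinel (0x41). */
int demo_vulnerable_leak(void)
{
    uint8_t arena[ARENA_SIZE];
    struct oi r = {0};
    build_truncated(arena);
    if (unpack_oi_vulnerable(arena, TRUNCATED_LEN, &r) != 0)
        return -1;
    return r.name_chars;
}

/* The same truncated response is rejected by the hardened parser (-1). */
int demo_hardened_rejects(void)
{
    uint8_t arena[ARENA_SIZE];
    struct oi r = {0};
    build_truncated(arena);
    return unpack_oi_hardened(arena, TRUNCATED_LEN, &r);
}

/* A well-formed 57-byte ObjectInfo (SequenceNumber 7, two-character UCS-2
   filename "a\0") is still accepted; returns the first filename character. */
int demo_hardened_accepts(void)
{
    uint8_t buf[57] = {0};
    struct oi r = {0};
    buf[OI_SEQUENCENUMBER] = 7;
    buf[OI_FILENAMELEN]    = 2;
    buf[OI_FILENAME]       = 'a';
    if (unpack_oi_hardened(buf, sizeof buf, &r) != 0 || r.sequence != 7)
        return -1;
    return r.first_char;
}

int main(void)
{
    printf("vulnerable parser reads 0x%02x from past the response\n", demo_vulnerable_leak());
    printf("hardened parser on truncated input: %d\n", demo_hardened_rejects());
    printf("hardened parser on valid input: first char %c\n", demo_hardened_accepts());
    return 0;
}
```

The hardened version keeps two rules that the vulnerable one breaks: a length check must cover the highest offset the code will read, not just the first, and a count byte supplied by the device must be checked against the remaining length before it drives any further read.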
Impact
Exploitation yields heap memory disclosure: the parser reads bytes that lie beyond the end of the PTP response buffer, so the contents of adjacent heap memory are interpreted as ObjectInfo fields and may be exposed. PTP response buffers are untrusted data from USB/PTP-IP devices, and the libgphoto2 project's security guidelines treat memory-safety issues reachable through such data as in scope.
Reproduction
To reproduce, connect a malicious USB device (or PTP/IP endpoint) that answers a GetObjectInfo request with a crafted ObjectInfo response shorter than 57 bytes but still long enough to pass the function's existing length check. On a Linux desktop running GNOME no user interaction is needed: the desktop automatically mounts PTP devices (through the gvfs gphoto2 backend) and enumerates their files, and that file listing triggers the vulnerable parse. When testing, build libgphoto2 with AddressSanitizer (-fsanitize=address); a plain build may not crash, because a short out-of-bounds read usually lands in mapped heap memory and the only symptom is garbage in the parsed ObjectInfo fields.
Remediation
Update to a fixed libgphoto2 release (later than 2.5.33) or to the patched packages available in the official repositories of Ubuntu and Fedora, and confirm the installed version with the distribution's package manager. Where an update cannot be applied immediately, disabling automatic mounting of cameras on desktop systems removes the zero-interaction trigger described above, though any later file listing on an untrusted device still reaches the vulnerable code.
