Bug#1134329: libgphoto2: CVE-2026-40333 CVE-2026-40334 CVE-2026-40335 CVE-2026-40336 CVE-2026-40338 CVE-2026-40339 CVE-2026-40340 CVE-2026-40341
Salvatore Bonaccorso
carnil at debian.org
Sat Apr 18 19:32:03 BST 2026
Source: libgphoto2
Version: 2.5.33-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerabilities were published for libgphoto2.
CVE-2026-40333[0]:
| libgphoto2 is a camera access and control library. In versions up to
| and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c
| accept a data pointer but no length parameter, performing unbounded
| reads. Their callers in ptp_unpack_EOS_events() have xsize available
| but never pass it, leaving both functions unable to validate reads
| against the actual buffer boundary. Commit
| 1817ecead20c2aafa7549dac9619fe38f47b2f53 patches the issue.
CVE-2026-40334[1]:
| libgphoto2 is a camera access and control library. In versions up to
| and including 2.5.33, a missing null terminator exists in
| ptp_unpack_Canon_FE() in camlibs/ptp2/ptp-pack.c (line 1377). The
| function copies a filename into a 13-byte buffer using strncpy
| without explicitly null-terminating the result. If the source data
| is exactly 13 bytes with no null terminator, the buffer is left
| unterminated, leading to out-of-bounds reads in any subsequent
| string operation. Commit 259fc7d3bfe534ce4b114c464f55b448670ab873
| patches the issue.
CVE-2026-40335[2]:
| libgphoto2 is a camera access and control library. Versions up to
| and including 2.5.33 have an out-of-bounds read in
| `ptp_unpack_DPV()` in `camlibs/ptp2/ptp-pack.c` (lines 622–629). The
| UINT128 and INT128 cases advance `*offset += 16` without verifying
| that 16 bytes remain in the buffer. The entry check at line 609 only
| guarantees `*offset < total` (at least 1 byte available), leaving up
| to 15 bytes unvalidated. Commit
| 433bde9888d70aa726e32744cd751d7dbe94379a patches the issue.
CVE-2026-40336[3]:
| libgphoto2 is a camera access and control library. Versions up to
| and including 2.5.33 have a memory leak in `ptp_unpack_Sony_DPD()`
| in `camlibs/ptp2/ptp-pack.c` (lines 884–885). When processing a
| secondary enumeration list (introduced in 2024+ Sony cameras), the
| function overwrites dpd->FORM.Enum.SupportedValue with a new
| calloc() without freeing the previous allocation from line 857. The
| original array and any string values it contains are leaked on every
| property descriptor parse. Commit
| 404ff02c75f3cb280196fc260a63c4d26cf1a8f6 fixes the issue.
CVE-2026-40338[4]:
| libgphoto2 is a camera access and control library. Versions up to
| and including 2.5.33 have an out-of-bounds read in the
| PTP_DPFF_Enumeration case of `ptp_unpack_Sony_DPD()` in
| `camlibs/ptp2/ptp-pack.c` (line 856). The function reads a 2-byte
| enumeration count N via `dtoh16o(data, *poffset)` without verifying
| that 2 bytes remain in the buffer. The standard `ptp_unpack_DPD()`
| at line 704 has this exact check, confirming the Sony variant
| omitted it by oversight. Commit
| 3b9f9696be76ae51dca983d9dd8ce586a2561845 fixes the issue.
CVE-2026-40339[5]:
| libgphoto2 is a camera access and control library. Versions up to
| and including 2.5.33 have an out-of-bounds read in
| `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 842). The
| function reads the FormFlag byte via `dtoh8o(data, *poffset)`
| without a prior bounds check. The standard `ptp_unpack_DPD()` at
| lines 686–687 correctly validates `*offset + sizeof(uint8_t) >
| dpdlen` before this same read, but the Sony variant omits this check
| entirely. Commit 09f8a940b1e418b5693f5c11e3016a1ad2cea62d fixes the
| issue.
CVE-2026-40340[6]:
| libgphoto2 is a camera access and control library. Versions up to
| and including 2.5.33 have an out-of-bounds read vulnerability in
| `ptp_unpack_OI()` in `camlibs/ptp2/ptp-pack.c` (lines 530–563). The
| function validates `len < PTP_oi_SequenceNumber` (i.e., len < 48)
| but subsequently accesses offsets 48–56, up to 9 bytes beyond the
| validated boundary, via the Samsung Galaxy 64-bit objectsize
| detection heuristic. Commit 7c7f515bc88c3d0c4098ac965d313518e0ccbe33
| fixes the issue.
CVE-2026-40341[7]:
| libgphoto2 is a camera access and control library. In versions up to
| and including 2.5.33, an out of bound read in
| ptp_unpack_EOS_FocusInfoEx could be used to crash libgphoto2 when
| processing input from untrusted USB devices. Commit
| c385b34af260595dfbb5f9329526be5158985987 contains a patch. No known
| workarounds are available.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-40333
https://www.cve.org/CVERecord?id=CVE-2026-40333
[1] https://security-tracker.debian.org/tracker/CVE-2026-40334
https://www.cve.org/CVERecord?id=CVE-2026-40334
[2] https://security-tracker.debian.org/tracker/CVE-2026-40335
https://www.cve.org/CVERecord?id=CVE-2026-40335
[3] https://security-tracker.debian.org/tracker/CVE-2026-40336
https://www.cve.org/CVERecord?id=CVE-2026-40336
[4] https://security-tracker.debian.org/tracker/CVE-2026-40338
https://www.cve.org/CVERecord?id=CVE-2026-40338
[5] https://security-tracker.debian.org/tracker/CVE-2026-40339
https://www.cve.org/CVERecord?id=CVE-2026-40339
[6] https://security-tracker.debian.org/tracker/CVE-2026-40340
https://www.cve.org/CVERecord?id=CVE-2026-40340
[7] https://security-tracker.debian.org/tracker/CVE-2026-40341
https://www.cve.org/CVERecord?id=CVE-2026-40341
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
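
The two defect patterns named in the CVE texts above (a 16-byte advance guarded only by `*offset < total`, and `strncpy` into a 13-byte buffer without explicit termination), each shown beside a checked form. This is an added example, not part of the original message and not libgphoto2 code; every function name and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NAME_BUF_LEN 13 /* 13-byte filename buffer from the CVE-2026-40334 text */

/* Do n bytes remain at offset? Subtraction form, so offset + n cannot wrap. */
static int bytes_remain(size_t offset, size_t n, size_t total)
{
    return offset <= total && n <= total - offset;
}

/* Entry check described for CVE-2026-40335: proves only one byte is left. */
static int weak_check(size_t offset, size_t total) { return offset < total; }

/* Advance past a 128-bit value only if all 16 bytes are inside the buffer. */
static int skip_u128(size_t *offset, size_t total)
{
    if (!bytes_remain(*offset, 16, total))
        return 0; /* truncated packet: caller must stop parsing */
    *offset += 16;
    return 1;
}

/* strncpy() bounded by the full buffer size: returns 1 if dst is terminated. */
static int copy_name_strncpy(char *dst, const uint8_t *src)
{
    strncpy(dst, (const char *)src, NAME_BUF_LEN);
    return memchr(dst, '\0', NAME_BUF_LEN) != NULL;
}

/* Checked copy: bounded by the source length and always terminated. */
static int copy_name_terminated(char *dst, const uint8_t *src, size_t srclen)
{
    size_t n = srclen < NAME_BUF_LEN - 1 ? srclen : NAME_BUF_LEN - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return memchr(dst, '\0', NAME_BUF_LEN) != NULL;
}

int main(void)
{
    const uint8_t name[13] = "IMG_0001.JPGX"; /* constructed: 13 bytes, no NUL */
    char buf[NAME_BUF_LEN];
    size_t off = 10; /* constructed: 10 bytes left in a 20-byte buffer */
    printf("weak=%d skip=%d\n", weak_check(off, 20), skip_u128(&off, 20));
    printf("strncpy=%d checked=%d\n", copy_name_strncpy(buf, name),
           copy_name_terminated(buf, name, sizeof name));
    return 0;
}
```

The same `bytes_remain()` shape covers the 1-byte and 2-byte reads described for CVE-2026-40339 and CVE-2026-40338 by changing `n`.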