An update for libgphoto2 is now available for openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2067 Final 1.0 1.0 2026-04-25 Initial 2026-04-25 2026-04-25 openEuler SA Tool V1.0 2026-04-25 libgphoto2 security update An update for libgphoto2 is now available for openEuler-24.03-LTS is the core of gphoto2 software. It is a portable library which gives access to literally hundreds of digital cameras. Security Fix(es): libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, a missing null terminator exists in the ptp_unpack_Canon_FE() function in camlibs/ptp2/ptp-pack.c (line 1377). The function copies a filename into a 13-byte buffer using strncpy without explicitly null-terminating the result. If the source data is exactly 13 bytes with no null terminator, the buffer is left unterminated, leading to out-of-bounds reads in any subsequent string operation.(CVE-2026-40334) libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 contain an out-of-bounds read vulnerability in the `ptp_unpack_DPV()` function within `camlibs/ptp2/ptp-pack.c` (lines 622–629). When handling UINT128 and INT128 data types, the code advances the buffer offset by `*offset += 16` without verifying that 16 bytes remain in the buffer. The entry check at line 609 only ensures `*offset < total` (at least 1 byte available), leaving up to 15 bytes unvalidated. This could lead to reading beyond the buffer boundary, resulting in a crash or information disclosure. The issue has been patched in commit 433bde9888d70aa726e32744cd751d7dbe94379a.(CVE-2026-40335) libgphoto2 is an open-source library for accessing and controlling cameras. Versions up to and including 2.5.33 contain an out-of-bounds read vulnerability in the `ptp_unpack_Sony_DPD()` function (line 856) within the file `camlibs/ptp2/ptp-pack.c`, specifically in the `PTP_DPFF_Enumeration` case. The function reads a 2-byte enumeration count N via `dtoh16o(data, *poffset)` without verifying that at least 2 bytes remain in the buffer. The standard `ptp_unpack_DPD()` function (line 704) includes this exact check, indicating the omission in the Sony variant was an oversight. An attacker could exploit this vulnerability to read data beyond the bounds of the process memory, potentially leading to information disclosure or application crash.(CVE-2026-40338) libgphoto2 is an open-source library for accessing and controlling cameras. Versions up to and including 2.5.33 contain an out-of-bounds read vulnerability in the `ptp_unpack_Sony_DPD()` function (line 842) within the file `camlibs/ptp2/ptp-pack.c`. The function reads the FormFlag byte via `dtoh8o(data, *poffset)` without performing a prior bounds check. The standard `ptp_unpack_DPD()` function (lines 686–687) correctly validates `*offset + sizeof(uint8_t) > dpdlen` before this same read, but the Sony-specific variant omits this check entirely, potentially allowing read access beyond the allocated buffer.(CVE-2026-40339) libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 contain an out-of-bounds read vulnerability in the `ptp_unpack_OI()` function within `camlibs/ptp2/ptp-pack.c` (lines 530–563). The function validates `len < PTP_oi_SequenceNumber` (i.e., len < 48) but subsequently accesses offsets 48–56, up to 9 bytes beyond the validated boundary, via the Samsung Galaxy 64-bit objectsize detection heuristic. An attacker can exploit this vulnerability by sending a malicious PTP ObjectInfo response, potentially leading to sensitive information disclosure or application crash.(CVE-2026-40340) libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, an out-of-bounds read vulnerability exists in the `ptp_unpack_EOS_FocusInfoEx` function. This vulnerability could be exploited by an attacker to crash libgphoto2 (Denial of Service) when processing input from untrusted USB devices.(CVE-2026-40341) An update for libgphoto2 is now available for openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium libgphoto2 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2067 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-40334 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-40335 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-40338 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-40339 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-40340 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-40341 https://nvd.nist.gov/vuln/detail/CVE-2026-40334 https://nvd.nist.gov/vuln/detail/CVE-2026-40335 https://nvd.nist.gov/vuln/detail/CVE-2026-40338 https://nvd.nist.gov/vuln/detail/CVE-2026-40339 https://nvd.nist.gov/vuln/detail/CVE-2026-40340 https://nvd.nist.gov/vuln/detail/CVE-2026-40341 openEuler-24.03-LTS libgphoto2-2.5.31-3.oe2403.aarch64.rpm libgphoto2-debuginfo-2.5.31-3.oe2403.aarch64.rpm libgphoto2-debugsource-2.5.31-3.oe2403.aarch64.rpm libgphoto2-devel-2.5.31-3.oe2403.aarch64.rpm libgphoto2-2.5.31-3.oe2403.src.rpm libgphoto2-2.5.31-3.oe2403.x86_64.rpm libgphoto2-debuginfo-2.5.31-3.oe2403.x86_64.rpm libgphoto2-debugsource-2.5.31-3.oe2403.x86_64.rpm libgphoto2-devel-2.5.31-3.oe2403.x86_64.rpm libgphoto2-help-2.5.31-3.oe2403.noarch.rpm libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, a missing null terminator exists in the ptp_unpack_Canon_FE() function in camlibs/ptp2/ptp-pack.c (line 1377). The function copies a filename into a 13-byte buffer using strncpy without explicitly null-terminating the result. If the source data is exactly 13 bytes with no null terminator, the buffer is left unterminated, leading to out-of-bounds reads in any subsequent string operation. 2026-04-25 CVE-2026-40334 openEuler-24.03-LTS Low 3.5 AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L libgphoto2 security update 2026-04-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2067 libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 contain an out-of-bounds read vulnerability in the `ptp_unpack_DPV()` function within `camlibs/ptp2/ptp-pack.c` (lines 622–629). When handling UINT128 and INT128 data types, the code advances the buffer offset by `*offset += 16` without verifying that 16 bytes remain in the buffer. The entry check at line 609 only ensures `*offset < total` (at least 1 byte available), leaving up to 15 bytes unvalidated. This could lead to reading beyond the buffer boundary, resulting in a crash or information disclosure. The issue has been patched in commit 433bde9888d70aa726e32744cd751d7dbe94379a. 2026-04-25 CVE-2026-40335 openEuler-24.03-LTS Medium 5.2 AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L libgphoto2 security update 2026-04-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2067 libgphoto2 is an open-source library for accessing and controlling cameras. Versions up to and including 2.5.33 contain an out-of-bounds read vulnerability in the `ptp_unpack_Sony_DPD()` function (line 856) within the file `camlibs/ptp2/ptp-pack.c`, specifically in the `PTP_DPFF_Enumeration` case. The function reads a 2-byte enumeration count N via `dtoh16o(data, *poffset)` without verifying that at least 2 bytes remain in the buffer. The standard `ptp_unpack_DPD()` function (line 704) includes this exact check, indicating the omission in the Sony variant was an oversight. An attacker could exploit this vulnerability to read data beyond the bounds of the process memory, potentially leading to information disclosure or application crash. 2026-04-25 CVE-2026-40338 openEuler-24.03-LTS Medium 5.2 AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L libgphoto2 security update 2026-04-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2067 libgphoto2 is an open-source library for accessing and controlling cameras. Versions up to and including 2.5.33 contain an out-of-bounds read vulnerability in the `ptp_unpack_Sony_DPD()` function (line 842) within the file `camlibs/ptp2/ptp-pack.c`. The function reads the FormFlag byte via `dtoh8o(data, *poffset)` without performing a prior bounds check. The standard `ptp_unpack_DPD()` function (lines 686–687) correctly validates `*offset + sizeof(uint8_t) > dpdlen` before this same read, but the Sony-specific variant omits this check entirely, potentially allowing read access beyond the allocated buffer. 2026-04-25 CVE-2026-40339 openEuler-24.03-LTS Medium 5.2 AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L libgphoto2 security update 2026-04-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2067 libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 contain an out-of-bounds read vulnerability in the `ptp_unpack_OI()` function within `camlibs/ptp2/ptp-pack.c` (lines 530–563). The function validates `len < PTP_oi_SequenceNumber` (i.e., len < 48) but subsequently accesses offsets 48–56, up to 9 bytes beyond the validated boundary, via the Samsung Galaxy 64-bit objectsize detection heuristic. An attacker can exploit this vulnerability by sending a malicious PTP ObjectInfo response, potentially leading to sensitive information disclosure or application crash. 2026-04-25 CVE-2026-40340 openEuler-24.03-LTS Medium 6.1 AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H libgphoto2 security update 2026-04-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2067 libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, an out-of-bounds read vulnerability exists in the `ptp_unpack_EOS_FocusInfoEx` function. This vulnerability could be exploited by an attacker to crash libgphoto2 (Denial of Service) when processing input from untrusted USB devices. 2026-04-25 CVE-2026-40341 openEuler-24.03-LTS Low 3.5 AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L libgphoto2 security update 2026-04-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2067