
Bug#1112195: bookworm-pu: package iperf3/3.12-1+deb12u2



Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: iperf3@packages.debian.org
Control: affects -1 + src:iperf3
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I'm the iperf3 maintainer and there are two CVEs fixed upstream. Version 3.19.1-1 with the fix is already in unstable and testing, and Adrian Bunk uploaded the fix for bullseye a few days ago.
I am using my personal email; I am still having problems sending mail from rover@debian.org.

This is the fix for bookworm. I have been emailing with Salvatore Bonaccorso and we both agree that a DSA is not needed for these issues and the package can go with the next bookworm point release.

Details below, and debdiff attached. I will wait for your instructions before doing the upload.

Debian bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110376

CVE-2025-54349
| In iperf before 3.19.1, iperf_auth.c has an off-by-one error and
| resultant heap-based buffer overflow.
https://github.com/esnet/iperf/commit/42280d2292ed5f213bfcb33b2206ebcdb151ae66
patch:
https://github.com/esnet/iperf/commit/42280d2292ed5f213bfcb33b2206ebcdb151ae66.patch
                                             
This patch fails to apply but it is easy to do it by hand.

CVE-2025-54350
| In iperf before 3.19.1, iperf_auth.c has a Base64Decode assertion
| failure and application exit upon a malformed authentication
| attempt.
https://github.com/esnet/iperf/commit/de932ea16bc959f839d28d370f0602de52c5def1
patch:
https://github.com/esnet/iperf/commit/de932ea16bc959f839d28d370f0602de52c5def1.patch
                                          
This one applies with offset warnings.

Regards,
--
Roberto Lumbreras
Debian Developer
rover@debian.org

Attachment: iperf3-bookworm.debdiff
Description: Binary data

Attachment: iperf3-bookworm.debdiff.asc
Description: Binary data

