Bug#1112213: bookworm-pu: package iperf3/3.12-1+deb12u2
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: iperf3@packages.debian.org
Control: affects -1 + src:iperf3
Hi,
I'm iperf3 maintainer and there are two CVE fixed upstream:
CVE-2025-54349
| In iperf before 3.19.1, iperf_auth.c has an off-by-one error and
| resultant heap-based buffer overflow.
https://github.com/esnet/iperf/commit/42280d2292ed5f213bfcb33b2206ebcdb151ae66
patch:
https://github.com/esnet/iperf/commit/42280d2292ed5f213bfcb33b2206ebcdb151ae66.patch
This patch fails to apply but it is easy to do it by hand.
CVE-2025-54350
| In iperf before 3.19.1, iperf_auth.c has a Base64Decode assertion
| failure and application exit upon a malformed authentication
| attempt.
https://github.com/esnet/iperf/commit/de932ea16bc959f839d28d370f0602de52c5def1
patch:
https://github.com/esnet/iperf/commit/de932ea16bc959f839d28d370f0602de52c5def1.patch
This one applies with offset warnings.
Both CVEs will require the SSL authentication, one exploitable before
authentication. This way of using iperf3 is not common enough in my
understanding, so the impact of the bugs is very limited.
I have been emailing with Salvatore Bonaccorso and he thinks (and I
agree) that the fix for bookworm should go to the next point release
instead of releasing a DSA.
I am attaching the debdiff with the changes and I will wait for your
instructions before doing the upload.
Regards,
Roberto
diff -Nru iperf3-3.12/debian/changelog iperf3-3.12/debian/changelog
--- iperf3-3.12/debian/changelog 2023-07-17 10:46:06.000000000 +0200
+++ iperf3-3.12/debian/changelog 2025-08-27 10:17:07.000000000 +0200
@@ -1,3 +1,10 @@
+iperf3 (3.12-1+deb12u2) bookworm-security; urgency=high
+
+ * Fix CVE-2025-54349
+ * Fix CVE-2025-54350
+
+ -- Roberto Lumbreras <rover@debian.org> Wed, 27 Aug 2025 10:17:07 +0200
+
iperf3 (3.12-1+deb12u1) bookworm-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru iperf3-3.12/debian/patches/CVE-2025-54349.patch iperf3-3.12/debian/patches/CVE-2025-54349.patch
--- iperf3-3.12/debian/patches/CVE-2025-54349.patch 1970-01-01 01:00:00.000000000 +0100
+++ iperf3-3.12/debian/patches/CVE-2025-54349.patch 2025-08-04 22:52:43.000000000 +0200
@@ -0,0 +1,59 @@
+From: Sarah Larsen <swlarsen@es.net>
+Date: Wed, 25 Jun 2025 15:11:03 +0000
+Subject: [PATCH] Fix off-by-one heap overflow in auth.
+Description:
+ Reported by Han Lee (Apple Information Security)
+ CVE-2025-54349
+
+Index: iperf3-3.12/src/iperf_auth.c
+===================================================================
+--- iperf3-3.12.orig/src/iperf_auth.c 2025-08-04 22:39:57.327278650 +0200
++++ iperf3-3.12/src/iperf_auth.c 2025-08-04 22:48:11.000000000 +0200
+@@ -262,7 +262,8 @@
+
+ keysize = RSA_size(rsa);
+ rsa_buffer = OPENSSL_malloc(keysize * 2);
+- *plaintext = (unsigned char*)OPENSSL_malloc(keysize);
++ // Note: +1 for NULL
++ *plaintext = (unsigned char*)OPENSSL_malloc(keysize + 1);
+
+ BIO *bioBuff = BIO_new_mem_buf((void*)encryptedtext, encryptedtext_len);
+ rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2);
+@@ -272,7 +273,7 @@
+ OPENSSL_free(rsa_buffer);
+ BIO_free(bioBuff);
+
+- if (plaintext_len < 0) {
++ if (plaintext_len <= 0) {
+ /* We probably shouldn't be printing stuff like this */
+ fprintf(stderr, "%s\n", ERR_error_string(ERR_get_error(), NULL));
+ }
+@@ -318,7 +319,7 @@
+ int plaintext_len;
+ plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, private_key, &plaintext);
+ free(encrypted_b64);
+- if (plaintext_len < 0) {
++ if (plaintext_len <= 0) {
+ return -1;
+ }
+ plaintext[plaintext_len] = '\0';
+@@ -326,16 +327,19 @@
+ char *s_username, *s_password;
+ s_username = (char *) calloc(plaintext_len, sizeof(char));
+ if (s_username == NULL) {
++ OPENSSL_free(plaintext);
+ return -1;
+ }
+ s_password = (char *) calloc(plaintext_len, sizeof(char));
+ if (s_password == NULL) {
++ OPENSSL_free(plaintext);
+ free(s_username);
+ return -1;
+ }
+
+ int rc = sscanf((char *) plaintext, auth_text_format, s_username, s_password, &utc_seconds);
+ if (rc != 3) {
++ OPENSSL_free(plaintext);
+ free(s_password);
+ free(s_username);
+ return -1;
diff -Nru iperf3-3.12/debian/patches/CVE-2025-54350.patch iperf3-3.12/debian/patches/CVE-2025-54350.patch
--- iperf3-3.12/debian/patches/CVE-2025-54350.patch 1970-01-01 01:00:00.000000000 +0100
+++ iperf3-3.12/debian/patches/CVE-2025-54350.patch 2025-08-04 22:48:04.000000000 +0200
@@ -0,0 +1,28 @@
+From: "Bruce A. Mah" <bmah@es.net>
+Date: Tue, 24 Jun 2025 15:58:21 -0700
+Subject: [PATCH] Prevent crash due to assertion failures on malformed
+ authentication attempt.
+Description:
+ Reported by Han Lee (Apple Information Security)
+ CVE-2025-54350
+
+Index: iperf3-3.12/src/iperf_auth.c
+===================================================================
+--- iperf3-3.12.orig/src/iperf_auth.c 2025-08-04 22:46:07.722191519 +0200
++++ iperf3-3.12/src/iperf_auth.c 2025-08-04 22:46:07.718191530 +0200
+@@ -28,7 +28,6 @@
+ #include "iperf_config.h"
+
+ #include <string.h>
+-#include <assert.h>
+ #include <time.h>
+ #include <sys/types.h>
+ /* FreeBSD needs _WITH_GETLINE to enable the getline() declaration */
+@@ -150,7 +149,6 @@
+
+ BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL); //Do not use newlines to flush buffer
+ *length = BIO_read(bio, *buffer, strlen(b64message));
+- assert(*length == decodeLen); //length should equal decodeLen, else something went horribly wrong
+ BIO_free_all(bio);
+
+ return (0); //success
diff -Nru iperf3-3.12/debian/patches/series iperf3-3.12/debian/patches/series
--- iperf3-3.12/debian/patches/series 2023-07-17 10:46:01.000000000 +0200
+++ iperf3-3.12/debian/patches/series 2025-08-04 22:45:56.000000000 +0200
@@ -1,2 +1,4 @@
03-sctp.patch
0001-Fix-memory-allocation-hazard-1542-.-1543.patch
+CVE-2025-54349.patch
+CVE-2025-54350.patch
Reply to: