Bug#1112214: marked as done (bookworm-pu: package iperf3/3.12-1+deb12u2)

Sat, 06 Sep 2025 04:44:27 -0700 

Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id 
<ee4c0876608d99eb3f8b333b556fbd92e7a652eb.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1112195,
regarding bookworm-pu: package iperf3/3.12-1+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1112195: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112195
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:iperf3
User: [email protected]
Usertags: pu

Hi,

I'm iperf3 maintainer and there are two CVE fixed upstream. Version
3.19.1-1 with the fix is already in unstable and testing, and Adrian Bunk
uploaded the fix for bullseye a few days ago.

This is the fix for bookworm. I have been emailing with Salvatore
Bonaccorso and both agree that DSA are not needed for this issues and
the package can go with the next bookworm point release.

Details below, and debdiff attached. I will wait for your instructions
before doing the upload.


Debian bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110376

CVE-2025-54349
| In iperf before 3.19.1, iperf_auth.c has an off-by-one error and
| resultant heap-based buffer overflow.
https://github.com/esnet/iperf/commit/42280d2292ed5f213bfcb33b2206ebcdb151ae66
patch:
https://github.com/esnet/iperf/commit/42280d2292ed5f213bfcb33b2206ebcdb151ae66.patch

This patch fails to apply but it is easy to do it by hand.

CVE-2025-54350
| In iperf before 3.19.1, iperf_auth.c has a Base64Decode assertion
| failure and application exit upon a malformed authentication
| attempt.
https://github.com/esnet/iperf/commit/de932ea16bc959f839d28d370f0602de52c5def1
patch:
https://github.com/esnet/iperf/commit/de932ea16bc959f839d28d370f0602de52c5def1.patch

This one applies with offset warnings.


diff -Nru iperf3-3.12/debian/changelog iperf3-3.12/debian/changelog
--- iperf3-3.12/debian/changelog        2023-07-17 10:46:06.000000000 +0200
+++ iperf3-3.12/debian/changelog        2025-08-27 10:17:07.000000000 +0200
@@ -1,3 +1,10 @@
+iperf3 (3.12-1+deb12u2) bookworm-security; urgency=high
+
+  * Fix CVE-2025-54349
+  * Fix CVE-2025-54350
+
+ -- Roberto Lumbreras <[email protected]>  Wed, 27 Aug 2025 10:17:07 +0200
+
 iperf3 (3.12-1+deb12u1) bookworm-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru iperf3-3.12/debian/patches/CVE-2025-54349.patch 
iperf3-3.12/debian/patches/CVE-2025-54349.patch
--- iperf3-3.12/debian/patches/CVE-2025-54349.patch     1970-01-01 
01:00:00.000000000 +0100
+++ iperf3-3.12/debian/patches/CVE-2025-54349.patch     2025-08-04 
22:52:43.000000000 +0200
@@ -0,0 +1,59 @@
+From: Sarah Larsen <[email protected]>
+Date: Wed, 25 Jun 2025 15:11:03 +0000
+Subject: [PATCH] Fix off-by-one heap overflow in auth.
+Description:
+  Reported by Han Lee (Apple Information Security)
+  CVE-2025-54349
+
+Index: iperf3-3.12/src/iperf_auth.c
+===================================================================
+--- iperf3-3.12.orig/src/iperf_auth.c  2025-08-04 22:39:57.327278650 +0200
++++ iperf3-3.12/src/iperf_auth.c       2025-08-04 22:48:11.000000000 +0200
+@@ -262,7 +262,8 @@
+ 
+     keysize = RSA_size(rsa);
+     rsa_buffer  = OPENSSL_malloc(keysize * 2);
+-    *plaintext = (unsigned char*)OPENSSL_malloc(keysize);
++    // Note: +1 for NULL
++    *plaintext = (unsigned char*)OPENSSL_malloc(keysize + 1);
+ 
+     BIO *bioBuff   = BIO_new_mem_buf((void*)encryptedtext, encryptedtext_len);
+     rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2);
+@@ -272,7 +273,7 @@
+     OPENSSL_free(rsa_buffer);
+     BIO_free(bioBuff);
+ 
+-    if (plaintext_len < 0) {
++    if (plaintext_len <= 0) {
+       /* We probably shouldn't be printing stuff like this */
+       fprintf(stderr, "%s\n", ERR_error_string(ERR_get_error(), NULL));
+     }
+@@ -318,7 +319,7 @@
+     int plaintext_len;
+     plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, 
private_key, &plaintext);
+     free(encrypted_b64);
+-    if (plaintext_len < 0) {
++    if (plaintext_len <= 0) {
+         return -1;
+     }
+     plaintext[plaintext_len] = '\0';
+@@ -326,16 +327,19 @@
+     char *s_username, *s_password;
+     s_username = (char *) calloc(plaintext_len, sizeof(char));
+     if (s_username == NULL) {
++      OPENSSL_free(plaintext);
+       return -1;
+     }
+     s_password = (char *) calloc(plaintext_len, sizeof(char));
+     if (s_password == NULL) {
++      OPENSSL_free(plaintext);
+       free(s_username);
+       return -1;
+     }
+ 
+     int rc = sscanf((char *) plaintext, auth_text_format, s_username, 
s_password, &utc_seconds);
+     if (rc != 3) {
++      OPENSSL_free(plaintext);
+       free(s_password);
+       free(s_username);
+       return -1;
diff -Nru iperf3-3.12/debian/patches/CVE-2025-54350.patch 
iperf3-3.12/debian/patches/CVE-2025-54350.patch
--- iperf3-3.12/debian/patches/CVE-2025-54350.patch     1970-01-01 
01:00:00.000000000 +0100
+++ iperf3-3.12/debian/patches/CVE-2025-54350.patch     2025-08-04 
22:48:04.000000000 +0200
@@ -0,0 +1,28 @@
+From: "Bruce A. Mah" <[email protected]>
+Date: Tue, 24 Jun 2025 15:58:21 -0700
+Subject: [PATCH] Prevent crash due to assertion failures on malformed
+ authentication attempt.
+Description:
+  Reported by Han Lee (Apple Information Security)
+  CVE-2025-54350
+
+Index: iperf3-3.12/src/iperf_auth.c
+===================================================================
+--- iperf3-3.12.orig/src/iperf_auth.c  2025-08-04 22:46:07.722191519 +0200
++++ iperf3-3.12/src/iperf_auth.c       2025-08-04 22:46:07.718191530 +0200
+@@ -28,7 +28,6 @@
+ #include "iperf_config.h"
+ 
+ #include <string.h>
+-#include <assert.h>
+ #include <time.h>
+ #include <sys/types.h>
+ /* FreeBSD needs _WITH_GETLINE to enable the getline() declaration */
+@@ -150,7 +149,6 @@
+ 
+     BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL); //Do not use newlines to 
flush buffer
+     *length = BIO_read(bio, *buffer, strlen(b64message));
+-    assert(*length == decodeLen); //length should equal decodeLen, else 
something went horribly wrong
+     BIO_free_all(bio);
+ 
+     return (0); //success
diff -Nru iperf3-3.12/debian/patches/series iperf3-3.12/debian/patches/series
--- iperf3-3.12/debian/patches/series   2023-07-17 10:46:01.000000000 +0200
+++ iperf3-3.12/debian/patches/series   2025-08-04 22:45:56.000000000 +0200
@@ -1,2 +1,4 @@
 03-sctp.patch
 0001-Fix-memory-allocation-hazard-1542-.-1543.patch
+CVE-2025-54349.patch
+CVE-2025-54350.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---

Reply via email to