From 981d97fc9c972f43f0119272d9ca83348aeb1da7 Mon Sep 17 00:00:00 2001 From: yujingbo Date: Sun, 3 Aug 2025 21:52:15 +0800 Subject: [PATCH] Fix CVE-2025-54349 CVE-2025-54350 (cherry picked from commit 9b3a76b3fbd5473cb922e6bfd0003e78e5583d47) --- CVE-2025-54349.patch | 90 ++++++++++++++++++++++++++++++++++++++++++++ CVE-2025-54350.patch | 32 ++++++++++++++++ iperf3.spec | 7 +++- 3 files changed, 128 insertions(+), 1 deletion(-) create mode 100644 CVE-2025-54349.patch create mode 100644 CVE-2025-54350.patch diff --git a/CVE-2025-54349.patch b/CVE-2025-54349.patch new file mode 100644 index 0000000..268a0fd --- /dev/null +++ b/CVE-2025-54349.patch @@ -0,0 +1,90 @@ +From 4e5313bab0b9b3fe03513ab54f722c8a3e4b7bdf Mon Sep 17 00:00:00 2001 +From: Sarah Larsen +Date: Wed, 25 Jun 2025 15:11:03 +0000 +Subject: [PATCH] Fix off-by-one heap overflow in auth. + +Reported by Han Lee (Apple Information Security) +CVE-2025-54349 +--- + src/iperf_auth.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/src/iperf_auth.c b/src/iperf_auth.c +index b9f2bc0f2..632f03d24 100644 +--- a/src/iperf_auth.c ++++ b/src/iperf_auth.c +@@ -286,6 +286,7 @@ int encrypt_rsa_message(const char *plaintext, EVP_PKEY *public_key, unsigned ch + } + + int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedtext_len, EVP_PKEY *private_key, unsigned char **plaintext, int use_pkcs1_padding) { ++ int ret =0; + #if OPENSSL_VERSION_MAJOR >= 3 + EVP_PKEY_CTX *ctx; + #else +@@ -308,7 +309,8 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt + keysize = RSA_size(rsa); + #endif + rsa_buffer = OPENSSL_malloc(keysize * 2); +- *plaintext = (unsigned char*)OPENSSL_malloc(keysize); ++ // Note: +1 for NULL ++ *plaintext = (unsigned char*)OPENSSL_malloc(keysize + 1); + + BIO *bioBuff = BIO_new_mem_buf((void*)encryptedtext, encryptedtext_len); + rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2); +@@ -318,13 +320,15 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt + padding = RSA_PKCS1_PADDING; + } + #if OPENSSL_VERSION_MAJOR >= 3 ++ + plaintext_len = keysize; + EVP_PKEY_decrypt_init(ctx); +- int ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding); ++ ++ ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding); + if (ret < 0){ + goto errreturn; + } +- EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len); ++ ret = EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len); + EVP_PKEY_CTX_free(ctx); + #else + plaintext_len = RSA_private_decrypt(rsa_buffer_len, rsa_buffer, *plaintext, rsa, padding); +@@ -335,7 +339,7 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt + BIO_free(bioBuff); + + /* Treat a decryption error as an empty string. */ +- if (plaintext_len < 0) { ++ if (plaintext_len <= 0) { + plaintext_len = 0; + } + +@@ -384,24 +388,28 @@ int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *priva + int plaintext_len; + plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, private_key, &plaintext, use_pkcs1_padding); + free(encrypted_b64); +- if (plaintext_len < 0) { ++ if (plaintext_len <= 0) { + return -1; + } ++ + plaintext[plaintext_len] = '\0'; + + char *s_username, *s_password; + s_username = (char *) calloc(plaintext_len, sizeof(char)); + if (s_username == NULL) { ++ OPENSSL_free(plaintext); + return -1; + } + s_password = (char *) calloc(plaintext_len, sizeof(char)); + if (s_password == NULL) { ++ OPENSSL_free(plaintext); + free(s_username); + return -1; + } + + int rc = sscanf((char *) plaintext, auth_text_format, s_username, s_password, &utc_seconds); + if (rc != 3) { ++ OPENSSL_free(plaintext); + free(s_password); + free(s_username); + return -1; diff --git a/CVE-2025-54350.patch b/CVE-2025-54350.patch new file mode 100644 index 0000000..e385eb6 --- /dev/null +++ b/CVE-2025-54350.patch @@ -0,0 +1,32 @@ +From 4eab661da0bbaac04493fa40164e928c6df7934a Mon Sep 17 00:00:00 2001 +From: "Bruce A. Mah" +Date: Tue, 24 Jun 2025 15:58:21 -0700 +Subject: [PATCH] Prevent crash due to assertion failures on malformed + authentication attempt. + +Reported by Han Lee (Apple Information Security) +CVE-2025-54350 +--- + src/iperf_auth.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/src/iperf_auth.c b/src/iperf_auth.c +index 72e85fc9a..b9f2bc0f2 100644 +--- a/src/iperf_auth.c ++++ b/src/iperf_auth.c +@@ -28,7 +28,6 @@ + #include "iperf_config.h" + + #include +-#include + #include + #include + /* FreeBSD needs _WITH_GETLINE to enable the getline() declaration */ +@@ -152,7 +151,6 @@ int Base64Decode(const char* b64message, unsigned char** buffer, size_t* length) + + BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL); //Do not use newlines to flush buffer + *length = BIO_read(bio, *buffer, strlen(b64message)); +- assert(*length == decodeLen); //length should equal decodeLen, else something went horribly wrong + BIO_free_all(bio); + + return (0); //success diff --git a/iperf3.spec b/iperf3.spec index be4d688..1f25409 100644 --- a/iperf3.spec +++ b/iperf3.spec @@ -1,10 +1,12 @@ Name: iperf3 Version: 3.18 -Release: 1 +Release: 2 Summary: TCP,UDP,and SCTP network bandwidth measurement tool License: BSD-3-Clause URL: https://github.com/esnet/iperf Source0: https://github.com/esnet/iperf/archive/%{version}/iperf-%{version}.tar.gz +Patch0: CVE-2025-54349.patch +Patch1: CVE-2025-54350.patch BuildRequires: libuuid-devel gcc lksctp-tools-devel Requires: lksctp-tools @@ -55,6 +57,9 @@ mkdir -p %{buildroot}%{_mandir}/man1 %{_mandir}/man3/libiperf.3.gz %changelog +* Mon Aug 4 2025 yujingbo - 3.18-2 +* Fix CVE-2025-54349 CVE-2025-54350.patch + * Mon Dec 23 2024 yaoxin - 3.18-1 - Update to 3.18 for fix CVE-2024-53580 -- Gitee