iperf3: Fix CVE-2025-54349

This commit fix heap overflow for iperf3 package Reference: https://github.com/esnet/iperf/commit/4e5313bab0b9b3fe03513ab54f722c8a3e4b7bdf Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Nitin Wankhade <nitin.wankhade333@gmail.com> 2025-09-23 10:24:54 +0530
committer: Khem Raj <raj.khem@gmail.com> 2025-09-23 07:38:37 -0700
commit: 7b0f35312824365e4a9b5350858d4cc41ef0688d (patch)
tree: eb477e17e6a653db4e3d09e3c4855d56da0c1c45
parent: e3fc979b653de406eab020eb9f5c814ba64b30dd (diff)
download: meta-openembedded-7b0f35312824365e4a9b5350858d4cc41ef0688d.tar.gz
2 files changed, 82 insertions, 1 deletions
diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch
new file mode 100644
index 0000000000..61e1888685
--- /dev/null
+++ b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch
@@ -0,0 +1,80 @@
+Subject: [PATCH] iperf3: Fix CVE-2025-54349
+CVE: CVE-2025-54349
+Upstream-Status: Backport [https://github.com/esnet/iperf/commit/4e5313bab0b9b3fe03513ab54f722c8a3e4b7bdf]
+Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
+---
+diff --git a/iperf_auth.c b/iperf_auth.c
+index 72e85fc..91c4133 100644
+--- a/src/iperf_auth.c
+++ b/src/iperf_auth.c
+@@ -288,6 +288,7 @@ int encrypt_rsa_message(const char *plaintext, EVP_PKEY *public_key, unsigned ch
+ }
+ 
+ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedtext_len, EVP_PKEY *private_key, unsigned char **plaintext, int use_pkcs1_padding) {
+    int ret =0;        
+ #if OPENSSL_VERSION_MAJOR >= 3
+     EVP_PKEY_CTX *ctx;
+ #else
+@@ -310,7 +311,8 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
+     keysize = RSA_size(rsa);
+ #endif
+     rsa_buffer  = OPENSSL_malloc(keysize * 2);
+-    *plaintext = (unsigned char*)OPENSSL_malloc(keysize);
+    // Note: +1 for NULL
+    *plaintext = (unsigned char*)OPENSSL_malloc(keysize + 1);
+ 
+     BIO *bioBuff   = BIO_new_mem_buf((void*)encryptedtext, encryptedtext_len);
+     rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2);
+@@ -322,11 +324,12 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
+ #if OPENSSL_VERSION_MAJOR >= 3
+     plaintext_len = keysize;
+     EVP_PKEY_decrypt_init(ctx);
+-    int ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding);
+
+    ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding);
+     if (ret < 0){
+         goto errreturn;
+     }
+-    EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len);
+    ret = EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len);
+     EVP_PKEY_CTX_free(ctx);
+ #else
+     plaintext_len = RSA_private_decrypt(rsa_buffer_len, rsa_buffer, *plaintext, rsa, padding);
+@@ -337,7 +340,7 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
+     BIO_free(bioBuff);
+ 
+     /* Treat a decryption error as an empty string. */
+-    if (plaintext_len < 0) {
+    if (plaintext_len <= 0) {
+         plaintext_len = 0;
+     }
+ 
+@@ -386,7 +389,7 @@ int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *priva
+     int plaintext_len;
+     plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, private_key, &plaintext, use_pkcs1_padding);
+     free(encrypted_b64);
+-    if (plaintext_len < 0) {
+    if (plaintext_len <= 0) {
+         return -1;
+     }
+     plaintext[plaintext_len] = '\0';
+@@ -394,16 +397,19 @@ int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *priva
+     char *s_username, *s_password;
+     s_username = (char *) calloc(plaintext_len, sizeof(char));
+     if (s_username == NULL) {
+       OPENSSL_free(plaintext);
+        return -1;
+     }
+     s_password = (char *) calloc(plaintext_len, sizeof(char));
+     if (s_password == NULL) {
+       OPENSSL_free(plaintext);
+        free(s_username);
+        return -1;
+     }
+ 
+     int rc = sscanf((char *) plaintext, auth_text_format, s_username, s_password, &utc_seconds);
+     if (rc != 3) {
+       OPENSSL_free(plaintext);
+        free(s_password);
+        free(s_username);
+        return -1;
diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb
index 08f29937c0..265611e533 100644
--- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb
+++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb
@@ -16,7 +16,8 @@ SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \
           file://0002-Remove-pg-from-profile_CFLAGS.patch \
           file://0001-configure.ac-check-for-CPP-prog.patch \
           file://0001-fix-build-with-gcc-15.patch \
-           "
+           file://CVE-2025-54349.patch \
+          "
 SRCREV = "2a2984488d6de8f7a2d1f5938e03ca7be57e227c"
author	Nitin Wankhade <nitin.wankhade333@gmail.com>	2025-09-23 10:24:54 +0530
committer	Khem Raj <raj.khem@gmail.com>	2025-09-23 07:38:37 -0700
commit	7b0f35312824365e4a9b5350858d4cc41ef0688d (patch)
tree	eb477e17e6a653db4e3d09e3c4855d56da0c1c45
parent	e3fc979b653de406eab020eb9f5c814ba64b30dd (diff)
download	meta-openembedded-7b0f35312824365e4a9b5350858d4cc41ef0688d.tar.gz

diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch new file mode 100644 index 0000000000..61e1888685 --- /dev/null +++ b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch
@@ -0,0 +1,80 @@
		1	Subject: [PATCH] iperf3: Fix CVE-2025-54349
		2	CVE: CVE-2025-54349
		3	Upstream-Status: Backport [https://github.com/esnet/iperf/commit/4e5313bab0b9b3fe03513ab54f722c8a3e4b7bdf]
		4	Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
		5	---
		6	diff --git a/iperf_auth.c b/iperf_auth.c
		7	index 72e85fc..91c4133 100644
		8	--- a/src/iperf_auth.c
		9	+++ b/src/iperf_auth.c
		10	@@ -288,6 +288,7 @@ int encrypt_rsa_message(const char plaintext, EVP_PKEY public_key, unsigned ch
		11	}
		12
		13	int decrypt_rsa_message(const unsigned char encryptedtext, const int encryptedtext_len, EVP_PKEY private_key, unsigned char **plaintext, int use_pkcs1_padding) {
		14	+ int ret =0;
		15	#if OPENSSL_VERSION_MAJOR >= 3
		16	EVP_PKEY_CTX *ctx;
		17	#else
		18	@@ -310,7 +311,8 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
		19	keysize = RSA_size(rsa);
		20	#endif
		21	rsa_buffer = OPENSSL_malloc(keysize * 2);
		22	- plaintext = (unsigned char)OPENSSL_malloc(keysize);
		23	+ // Note: +1 for NULL
		24	+ plaintext = (unsigned char)OPENSSL_malloc(keysize + 1);
		25
		26	BIO bioBuff = BIO_new_mem_buf((void)encryptedtext, encryptedtext_len);
		27	rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2);
		28	@@ -322,11 +324,12 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
		29	#if OPENSSL_VERSION_MAJOR >= 3
		30	plaintext_len = keysize;
		31	EVP_PKEY_decrypt_init(ctx);
		32	- int ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding);
		33	+
		34	+ ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding);
		35	if (ret < 0){
		36	goto errreturn;
		37	}
		38	- EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len);
		39	+ ret = EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len);
		40	EVP_PKEY_CTX_free(ctx);
		41	#else
		42	plaintext_len = RSA_private_decrypt(rsa_buffer_len, rsa_buffer, *plaintext, rsa, padding);
		43	@@ -337,7 +340,7 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
		44	BIO_free(bioBuff);
		45
		46	/* Treat a decryption error as an empty string. */
		47	- if (plaintext_len < 0) {
		48	+ if (plaintext_len <= 0) {
		49	plaintext_len = 0;
		50	}
		51
		52	@@ -386,7 +389,7 @@ int decode_auth_setting(int enable_debug, const char authtoken, EVP_PKEY priva
		53	int plaintext_len;
		54	plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, private_key, &plaintext, use_pkcs1_padding);
		55	free(encrypted_b64);
		56	- if (plaintext_len < 0) {
		57	+ if (plaintext_len <= 0) {
		58	return -1;
		59	}
		60	plaintext[plaintext_len] = '\0';
		61	@@ -394,16 +397,19 @@ int decode_auth_setting(int enable_debug, const char authtoken, EVP_PKEY priva
		62	char s_username, s_password;
		63	s_username = (char *) calloc(plaintext_len, sizeof(char));
		64	if (s_username == NULL) {
		65	+ OPENSSL_free(plaintext);
		66	return -1;
		67	}
		68	s_password = (char *) calloc(plaintext_len, sizeof(char));
		69	if (s_password == NULL) {
		70	+ OPENSSL_free(plaintext);
		71	free(s_username);
		72	return -1;
		73	}
		74
		75	int rc = sscanf((char *) plaintext, auth_text_format, s_username, s_password, &utc_seconds);
		76	if (rc != 3) {
		77	+ OPENSSL_free(plaintext);
		78	free(s_password);
		79	free(s_username);
		80	return -1;


diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb index 08f29937c0..265611e533 100644 --- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb +++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb
@@ -16,7 +16,8 @@ SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \
16	file://0002-Remove-pg-from-profile_CFLAGS.patch \	16	file://0002-Remove-pg-from-profile_CFLAGS.patch \
17	file://0001-configure.ac-check-for-CPP-prog.patch \	17	file://0001-configure.ac-check-for-CPP-prog.patch \
18	file://0001-fix-build-with-gcc-15.patch \	18	file://0001-fix-build-with-gcc-15.patch \
19	"	19	file://CVE-2025-54349.patch \
		20	"
20		21
21	SRCREV = "2a2984488d6de8f7a2d1f5938e03ca7be57e227c"	22	SRCREV = "2a2984488d6de8f7a2d1f5938e03ca7be57e227c"
22		23