iperf3: Fix CVE-2025-54349

Pick commit [1] as listed in [2]. [1] https://github.com/esnet/iperf/commit/42280d2292ed5f213bfcb33b2206ebcdb151ae66 [2] https://nvd.nist.gov/vuln/detail/CVE-2025-54349 Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Jinfeng Wang <jinfeng.wang.cn@windriver.com> 2025-08-12 14:35:41 +0800
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-09-06 16:17:42 +0200
commit: ddaf16f1ca3027dbc3981b55e5cfc586ac5514be (patch)
tree: f27ac3cbae536c571921f9b6528ef2b9180105e1
parent: eb81fa08800b06d5b4e9da2324e1325ea7716603 (diff)
download: meta-openembedded-ddaf16f1ca3027dbc3981b55e5cfc586ac5514be.tar.gz
2 files changed, 99 insertions, 0 deletions
diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch
new file mode 100644
index 0000000000..fbba42b04b
--- /dev/null
+++ b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch
@@ -0,0 +1,98 @@
+From 505181fd31501027460eb518d7e4d46498e048f5 Mon Sep 17 00:00:00 2001
+From: Sarah Larsen <swlarsen@es.net>
+Date: Wed, 25 Jun 2025 15:11:03 +0000
+Subject: [PATCH] Fix off-by-one heap overflow in auth.
+Reported by Han Lee (Apple Information Security)
+CVE-2025-54349
+CVE: CVE-2025-54349
+Upstream-Status: Backport [https://github.com/esnet/iperf/commit/42280d2292ed5f213bfcb33b2206ebcdb151ae66]
+Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
+---
+ src/iperf_auth.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+diff --git a/src/iperf_auth.c b/src/iperf_auth.c
+index 72e85fc..86b4eba 100644
+--- a/src/iperf_auth.c
+++ b/src/iperf_auth.c
+@@ -288,6 +288,7 @@ int encrypt_rsa_message(const char *plaintext, EVP_PKEY *public_key, unsigned ch
+ }
+ 
+ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedtext_len, EVP_PKEY *private_key, unsigned char **plaintext, int use_pkcs1_padding) {
+    int ret =0;
+ #if OPENSSL_VERSION_MAJOR >= 3
+     EVP_PKEY_CTX *ctx;
+ #else
+@@ -310,7 +311,8 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
+     keysize = RSA_size(rsa);
+ #endif
+     rsa_buffer  = OPENSSL_malloc(keysize * 2);
+-    *plaintext = (unsigned char*)OPENSSL_malloc(keysize);
+    // Note: +1 for NULL
+    *plaintext = (unsigned char*)OPENSSL_malloc(keysize + 1);
+ 
+     BIO *bioBuff   = BIO_new_mem_buf((void*)encryptedtext, encryptedtext_len);
+     rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2);
+@@ -320,13 +322,15 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
+         padding = RSA_PKCS1_PADDING;
+     }
+ #if OPENSSL_VERSION_MAJOR >= 3
+
+     plaintext_len = keysize;
+     EVP_PKEY_decrypt_init(ctx);
+-    int ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding);
+
+    ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding);
+     if (ret < 0){
+         goto errreturn;
+     }
+-    EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len);
+    ret = EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len);
+     EVP_PKEY_CTX_free(ctx);
+ #else
+     plaintext_len = RSA_private_decrypt(rsa_buffer_len, rsa_buffer, *plaintext, rsa, padding);
+@@ -337,7 +341,7 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
+     BIO_free(bioBuff);
+ 
+     /* Treat a decryption error as an empty string. */
+-    if (plaintext_len < 0) {
+    if (plaintext_len <= 0) {
+         plaintext_len = 0;
+     }
+ 
+@@ -386,24 +390,28 @@ int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *priva
+     int plaintext_len;
+     plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, private_key, &plaintext, use_pkcs1_padding);
+     free(encrypted_b64);
+-    if (plaintext_len < 0) {
+    if (plaintext_len <= 0) {
+         return -1;
+     }
+
+     plaintext[plaintext_len] = '\0';
+ 
+     char *s_username, *s_password;
+     s_username = (char *) calloc(plaintext_len, sizeof(char));
+     if (s_username == NULL) {
+        OPENSSL_free(plaintext);
+        return -1;
+     }
+     s_password = (char *) calloc(plaintext_len, sizeof(char));
+     if (s_password == NULL) {
+        OPENSSL_free(plaintext);
+        free(s_username);
+        return -1;
+     }
+ 
+     int rc = sscanf((char *) plaintext, auth_text_format, s_username, s_password, &utc_seconds);
+     if (rc != 3) {
+        OPENSSL_free(plaintext);
+        free(s_password);
+        free(s_username);
+        return -1;
+-- 
+2.49.0
diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb
index 77b441e506..4e9f5f1f46 100644
--- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb
+++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb
@@ -16,6 +16,7 @@ SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \
           file://0002-Remove-pg-from-profile_CFLAGS.patch \
           file://0001-configure.ac-check-for-CPP-prog.patch \
           file://0001-fix-build-with-gcc-15.patch \
+           file://CVE-2025-54349.patch \
           "
 SRCREV = "2a2984488d6de8f7a2d1f5938e03ca7be57e227c"
author	Jinfeng Wang <jinfeng.wang.cn@windriver.com>	2025-08-12 14:35:41 +0800
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-09-06 16:17:42 +0200
commit	ddaf16f1ca3027dbc3981b55e5cfc586ac5514be (patch)
tree	f27ac3cbae536c571921f9b6528ef2b9180105e1
parent	eb81fa08800b06d5b4e9da2324e1325ea7716603 (diff)
download	meta-openembedded-ddaf16f1ca3027dbc3981b55e5cfc586ac5514be.tar.gz

diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch new file mode 100644 index 0000000000..fbba42b04b --- /dev/null +++ b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch
@@ -0,0 +1,98 @@
		1	From 505181fd31501027460eb518d7e4d46498e048f5 Mon Sep 17 00:00:00 2001
		2	From: Sarah Larsen <swlarsen@es.net>
		3	Date: Wed, 25 Jun 2025 15:11:03 +0000
		4	Subject: [PATCH] Fix off-by-one heap overflow in auth.
		5
		6	Reported by Han Lee (Apple Information Security)
		7	CVE-2025-54349
		8
		9	CVE: CVE-2025-54349
		10	Upstream-Status: Backport [https://github.com/esnet/iperf/commit/42280d2292ed5f213bfcb33b2206ebcdb151ae66]
		11
		12	Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
		13	---
		14	src/iperf_auth.c \| 18 +++++++++++++-----
		15	1 file changed, 13 insertions(+), 5 deletions(-)
		16
		17	diff --git a/src/iperf_auth.c b/src/iperf_auth.c
		18	index 72e85fc..86b4eba 100644
		19	--- a/src/iperf_auth.c
		20	+++ b/src/iperf_auth.c
		21	@@ -288,6 +288,7 @@ int encrypt_rsa_message(const char plaintext, EVP_PKEY public_key, unsigned ch
		22	}
		23
		24	int decrypt_rsa_message(const unsigned char encryptedtext, const int encryptedtext_len, EVP_PKEY private_key, unsigned char **plaintext, int use_pkcs1_padding) {
		25	+ int ret =0;
		26	#if OPENSSL_VERSION_MAJOR >= 3
		27	EVP_PKEY_CTX *ctx;
		28	#else
		29	@@ -310,7 +311,8 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
		30	keysize = RSA_size(rsa);
		31	#endif
		32	rsa_buffer = OPENSSL_malloc(keysize * 2);
		33	- plaintext = (unsigned char)OPENSSL_malloc(keysize);
		34	+ // Note: +1 for NULL
		35	+ plaintext = (unsigned char)OPENSSL_malloc(keysize + 1);
		36
		37	BIO bioBuff = BIO_new_mem_buf((void)encryptedtext, encryptedtext_len);
		38	rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2);
		39	@@ -320,13 +322,15 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
		40	padding = RSA_PKCS1_PADDING;
		41	}
		42	#if OPENSSL_VERSION_MAJOR >= 3
		43	+
		44	plaintext_len = keysize;
		45	EVP_PKEY_decrypt_init(ctx);
		46	- int ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding);
		47	+
		48	+ ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding);
		49	if (ret < 0){
		50	goto errreturn;
		51	}
		52	- EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len);
		53	+ ret = EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len);
		54	EVP_PKEY_CTX_free(ctx);
		55	#else
		56	plaintext_len = RSA_private_decrypt(rsa_buffer_len, rsa_buffer, *plaintext, rsa, padding);
		57	@@ -337,7 +341,7 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
		58	BIO_free(bioBuff);
		59
		60	/* Treat a decryption error as an empty string. */
		61	- if (plaintext_len < 0) {
		62	+ if (plaintext_len <= 0) {
		63	plaintext_len = 0;
		64	}
		65
		66	@@ -386,24 +390,28 @@ int decode_auth_setting(int enable_debug, const char authtoken, EVP_PKEY priva
		67	int plaintext_len;
		68	plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, private_key, &plaintext, use_pkcs1_padding);
		69	free(encrypted_b64);
		70	- if (plaintext_len < 0) {
		71	+ if (plaintext_len <= 0) {
		72	return -1;
		73	}
		74	+
		75	plaintext[plaintext_len] = '\0';
		76
		77	char s_username, s_password;
		78	s_username = (char *) calloc(plaintext_len, sizeof(char));
		79	if (s_username == NULL) {
		80	+ OPENSSL_free(plaintext);
		81	return -1;
		82	}
		83	s_password = (char *) calloc(plaintext_len, sizeof(char));
		84	if (s_password == NULL) {
		85	+ OPENSSL_free(plaintext);
		86	free(s_username);
		87	return -1;
		88	}
		89
		90	int rc = sscanf((char *) plaintext, auth_text_format, s_username, s_password, &utc_seconds);
		91	if (rc != 3) {
		92	+ OPENSSL_free(plaintext);
		93	free(s_password);
		94	free(s_username);
		95	return -1;
		96	--
		97	2.49.0
		98


diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb index 77b441e506..4e9f5f1f46 100644 --- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb +++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb
@@ -16,6 +16,7 @@ SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \
16	file://0002-Remove-pg-from-profile_CFLAGS.patch \	16	file://0002-Remove-pg-from-profile_CFLAGS.patch \
17	file://0001-configure.ac-check-for-CPP-prog.patch \	17	file://0001-configure.ac-check-for-CPP-prog.patch \
18	file://0001-fix-build-with-gcc-15.patch \	18	file://0001-fix-build-with-gcc-15.patch \
		19	file://CVE-2025-54349.patch \
19	"	20	"
20		21
21	SRCREV = "2a2984488d6de8f7a2d1f5938e03ca7be57e227c"	22	SRCREV = "2a2984488d6de8f7a2d1f5938e03ca7be57e227c"