Message ID | 20250922040301.2149568-1-nitin.wankhade333@gmail.com |
---|---|
State | Under Review |
Series | [meta-oe,master] iperf3: Fix CVE-2025-54349 | expand |
There are two patches applied to a branch and expected to be in a sequence. It's better to send both patches as a single series, so that the intended order is conveyed as well. On Mon, Sep 22, 2025 at 1:53 AM Nitin Wankhade via lists.openembedded.org <nitin.wankhade333=gmail.com@lists.openembedded.org> wrote: > > This commit fix heap overflow for iperf3 package > > Reference: https://github.com/esnet/iperf/commit/4e5313bab0b9b3fe03513ab54f722c8a3e4b7bdf > > Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com> > --- > .../iperf3/iperf3/CVE-2025-54349.patch | 80 +++++++++++++++++++ > .../recipes-benchmark/iperf3/iperf3_3.18.bb | 3 +- > 2 files changed, 82 insertions(+), 1 deletion(-) > create mode 100644 meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch > > diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch > new file mode 100644 > index 0000000000..61e1888685 > --- /dev/null > +++ b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch 
> @@ -0,0 +1,80 @@ > +Subject: [PATCH] iperf3: Fix CVE-2025-54349 > +CVE: CVE-2025-54349 > +Upstream-Status: Backport [https://github.com/esnet/iperf/commit/4e5313bab0b9b3fe03513ab54f722c8a3e4b7bdf] > +Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com> > +--- > +diff --git a/iperf_auth.c b/iperf_auth.c > +index 72e85fc..91c4133 100644 > +--- a/src/iperf_auth.c > ++++ b/src/iperf_auth.c > +@@ -288,6 +288,7 @@ int encrypt_rsa_message(const char *plaintext, EVP_PKEY *public_key, unsigned ch > + } > + > + int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedtext_len, EVP_PKEY *private_key, unsigned char **plaintext, int use_pkcs1_padding) { > ++ int ret =0; > + #if OPENSSL_VERSION_MAJOR >= 3 > + EVP_PKEY_CTX *ctx; > + #else > +@@ -310,7 +311,8 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt > + keysize = RSA_size(rsa); > + #endif > + rsa_buffer = OPENSSL_malloc(keysize * 2); > +- *plaintext = (unsigned char*)OPENSSL_malloc(keysize); > ++ // Note: +1 for NULL > ++ *plaintext = (unsigned char*)OPENSSL_malloc(keysize + 1); > + > + BIO *bioBuff = BIO_new_mem_buf((void*)encryptedtext, encryptedtext_len); > + rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2); > +@@ -322,11 +324,12 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt > + #if OPENSSL_VERSION_MAJOR >= 3 > + plaintext_len = keysize; > + EVP_PKEY_decrypt_init(ctx); > +- int ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding); > ++ > ++ ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding); > + if (ret < 0){ > + goto errreturn; > + } > +- EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len); > ++ ret = EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len); > + EVP_PKEY_CTX_free(ctx); > + #else > + plaintext_len = RSA_private_decrypt(rsa_buffer_len, rsa_buffer, *plaintext, rsa, padding); > +@@ -337,7 +340,7 @@ int decrypt_rsa_message(const unsigned char 
*encryptedtext, const int encryptedt > + BIO_free(bioBuff); > + > + /* Treat a decryption error as an empty string. */ > +- if (plaintext_len < 0) { > ++ if (plaintext_len <= 0) { > + plaintext_len = 0; > + } > + > +@@ -386,7 +389,7 @@ int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *priva > + int plaintext_len; > + plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, private_key, &plaintext, use_pkcs1_padding); > + free(encrypted_b64); > +- if (plaintext_len < 0) { > ++ if (plaintext_len <= 0) { > + return -1; > + } > + plaintext[plaintext_len] = '\0'; > +@@ -394,16 +397,19 @@ int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *priva > + char *s_username, *s_password; > + s_username = (char *) calloc(plaintext_len, sizeof(char)); > + if (s_username == NULL) { > ++ OPENSSL_free(plaintext); > + return -1; > + } > + s_password = (char *) calloc(plaintext_len, sizeof(char)); > + if (s_password == NULL) { > ++ OPENSSL_free(plaintext); > + free(s_username); > + return -1; > + } > + > + int rc = sscanf((char *) plaintext, auth_text_format, s_username, s_password, &utc_seconds); > + if (rc != 3) { > ++ OPENSSL_free(plaintext); > + free(s_password); > + free(s_username); > + return -1; > diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb > index 08f29937c0..265611e533 100644 > --- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb > +++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb 
> @@ -16,7 +16,8 @@ SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \ > file://0002-Remove-pg-from-profile_CFLAGS.patch \ > file://0001-configure.ac-check-for-CPP-prog.patch \ > file://0001-fix-build-with-gcc-15.patch \ > - " > + file://CVE-2025-54349.patch \ > + " > > SRCREV = "2a2984488d6de8f7a2d1f5938e03ca7be57e227c" > > -- > 2.34.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#119643): https://lists.openembedded.org/g/openembedded-devel/message/119643 > Mute This Topic: https://lists.openembedded.org/mt/115372270/1997914 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [raj.khem@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch
new file mode 100644
index 0000000000..61e1888685
--- /dev/null
+++ b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch
@@ -0,0 +1,80 @@
+Subject: [PATCH] iperf3: Fix CVE-2025-54349
+CVE: CVE-2025-54349
+Upstream-Status: Backport [https://github.com/esnet/iperf/commit/4e5313bab0b9b3fe03513ab54f722c8a3e4b7bdf]
+Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
+---
+diff --git a/iperf_auth.c b/iperf_auth.c
+index 72e85fc..91c4133 100644
+--- a/src/iperf_auth.c
++++ b/src/iperf_auth.c
+@@ -288,6 +288,7 @@ int encrypt_rsa_message(const char *plaintext, EVP_PKEY *public_key, unsigned ch
+ }
+
+ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedtext_len, EVP_PKEY *private_key, unsigned char **plaintext, int use_pkcs1_padding) {
++ int ret =0;
+ #if OPENSSL_VERSION_MAJOR >= 3
+ EVP_PKEY_CTX *ctx;
+ #else
+@@ -310,7 +311,8 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
+ keysize = RSA_size(rsa);
+ #endif
+ rsa_buffer = OPENSSL_malloc(keysize * 2);
+- *plaintext = (unsigned char*)OPENSSL_malloc(keysize);
++ // Note: +1 for NULL
++ *plaintext = (unsigned char*)OPENSSL_malloc(keysize + 1);
+
+ BIO *bioBuff = BIO_new_mem_buf((void*)encryptedtext, encryptedtext_len);
+ rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2);
+@@ -322,11 +324,12 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
+ #if OPENSSL_VERSION_MAJOR >= 3
+ plaintext_len = keysize;
+ EVP_PKEY_decrypt_init(ctx);
+- int ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding);
++
++ ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding);
+ if (ret < 0){
+ goto errreturn;
+ }
+- EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len);
++ ret = EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len);
+ EVP_PKEY_CTX_free(ctx);
+ #else
+ plaintext_len = RSA_private_decrypt(rsa_buffer_len, rsa_buffer, *plaintext, rsa, padding);
+@@ -337,7 +340,7 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
+ BIO_free(bioBuff);
+
+ /* Treat a decryption error as an empty string. */
+- if (plaintext_len < 0) {
++ if (plaintext_len <= 0) {
+ plaintext_len = 0;
+ }
+
+@@ -386,7 +389,7 @@ int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *priva
+ int plaintext_len;
+ plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, private_key, &plaintext, use_pkcs1_padding);
+ free(encrypted_b64);
+- if (plaintext_len < 0) {
++ if (plaintext_len <= 0) {
+ return -1;
+ }
+ plaintext[plaintext_len] = '\0';
+@@ -394,16 +397,19 @@ int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *priva
+ char *s_username, *s_password;
+ s_username = (char *) calloc(plaintext_len, sizeof(char));
+ if (s_username == NULL) {
++ OPENSSL_free(plaintext);
+ return -1;
+ }
+ s_password = (char *) calloc(plaintext_len, sizeof(char));
+ if (s_password == NULL) {
++ OPENSSL_free(plaintext);
+ free(s_username);
+ return -1;
+ }
+
+ int rc = sscanf((char *) plaintext, auth_text_format, s_username, s_password, &utc_seconds);
+ if (rc != 3) {
++ OPENSSL_free(plaintext);
+ free(s_password);
+ free(s_username);
+ return -1;
diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb
index 08f29937c0..265611e533 100644
--- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb
+++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb
@@ -16,7 +16,8 @@ SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \
 file://0002-Remove-pg-from-profile_CFLAGS.patch \
 file://0001-configure.ac-check-for-CPP-prog.patch \
 file://0001-fix-build-with-gcc-15.patch \
- "
+ file://CVE-2025-54349.patch \
+ "
 SRCREV = "2a2984488d6de8f7a2d1f5938e03ca7be57e227c"
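Review bot: In the `OPENSSL_VERSION_MAJOR >= 3` branch of `decrypt_rsa_message`, the result of `EVP_PKEY_decrypt` is now stored in `ret`, but nothing in the visible lines acts on it. `plaintext_len` is set to `keysize` just before the call, so if a failed decrypt leaves that value untouched, the `plaintext_len <= 0` check will not fire and `decode_auth_setting` would NUL-terminate and `sscanf` a buffer that was never written. Consider adding `if (ret <= 0) plaintext_len = 0;` right after the call; the lines between this hunk and the `BIO_free` hunk are not shown, so confirm no such check already exists there. Separately, the `plaintext_len <= 0` early return in `decode_auth_setting` does not call `OPENSSL_free(plaintext)` the way the three newly patched error paths do, which looks like a leak of the `keysize + 1` allocation on every failed authentication attempt. Both functions continue outside the hunks shown.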
This commit fixes a heap overflow in the iperf3 package Reference: https://github.com/esnet/iperf/commit/4e5313bab0b9b3fe03513ab54f722c8a3e4b7bdf Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com> --- .../iperf3/iperf3/CVE-2025-54349.patch | 80 +++++++++++++++++++ .../recipes-benchmark/iperf3/iperf3_3.18.bb | 3 +- 2 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch