Resolves: RHEL-136179 - iperf Heap Buffer Overflow (CVE-2025-54349)
parent
1362dfb084
commit
85bd0ea103
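--- /dev/null
+++ b/0004-cve-2025-54349.patch
@@ -0,0 +1,89 @@
+From 4e5313bab0b9b3fe03513ab54f722c8a3e4b7bdf Mon Sep 17 00:00:00 2001
+From: Sarah Larsen <swlarsen@es.net>
+Date: Wed, 25 Jun 2025 15:11:03 +0000
+Subject: [PATCH] Fix off-by-one heap overflow in auth.
+
+Reported by Han Lee (Apple Information Security)
+CVE-2025-54349
+---
+src/iperf_auth.c | 18 +++++++++++++-----
+1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/src/iperf_auth.c b/src/iperf_auth.c
+index b9f2bc0f2..632f03d24 100644
+--- a/src/iperf_auth.c
++++ b/src/iperf_auth.c
+@@ -286,6 +286,7 @@ int encrypt_rsa_message(const char *plaintext, EVP_PKEY *public_key, unsigned ch
+}
+
+int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedtext_len, EVP_PKEY *private_key, unsigned char **plaintext, int use_pkcs1_padding) {
++ int ret =0;
+#if OPENSSL_VERSION_MAJOR >= 3
+EVP_PKEY_CTX *ctx;
+#else
+@@ -308,7 +309,8 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
+keysize = RSA_size(rsa);
+#endif
+rsa_buffer = OPENSSL_malloc(keysize * 2);
+- *plaintext = (unsigned char*)OPENSSL_malloc(keysize);
++ // Note: +1 for NULL
++ *plaintext = (unsigned char*)OPENSSL_malloc(keysize + 1);
+
+BIO *bioBuff = BIO_new_mem_buf((void*)encryptedtext, encryptedtext_len);
+rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2);
+@@ -318,13 +320,15 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
+padding = RSA_PKCS1_PADDING;
+}
+#if OPENSSL_VERSION_MAJOR >= 3
++
+plaintext_len = keysize;
+EVP_PKEY_decrypt_init(ctx);
+- int ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding);
++
++ ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding);
+if (ret < 0){
+goto errreturn;
+}
+- EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len);
++ ret = EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len);
+EVP_PKEY_CTX_free(ctx);
+#else
+plaintext_len = RSA_private_decrypt(rsa_buffer_len, rsa_buffer, *plaintext, rsa, padding);
+@@ -335,7 +339,7 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
+OPENSSL_free(rsa_buffer);
+BIO_free(bioBuff);
+
+- if (plaintext_len < 0) {
++ if (plaintext_len <= 0) {
+plaintext_len = 0;
+}
+
+@@ -381,7 +385,7 @@ int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *priva
+int plaintext_len;
+plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, private_key, &plaintext, use_pkcs1_padding);
+free(encrypted_b64);
+- if (plaintext_len < 0) {
++ if (plaintext_len <= 0) {
+return -1;
+}
+plaintext[plaintext_len] = '\0';
+@@ -389,16 +393,19 @@ int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *priva
+char *s_username, *s_password;
+s_username = (char *) calloc(plaintext_len, sizeof(char));
+if (s_username == NULL) {
++ OPENSSL_free(plaintext);
+return -1;
+}
+s_password = (char *) calloc(plaintext_len, sizeof(char));
+if (s_password == NULL) {
++ OPENSSL_free(plaintext);
+free(s_username);
+return -1;
+}
+
+int rc = sscanf((char *) plaintext, auth_text_format, s_username, s_password, ts);
+if (rc != 3) {
++ OPENSSL_free(plaintext);
+free(s_password);
+free(s_username);
+return -1;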
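Review bot: In the OpenSSL 3 branch of decrypt_rsa_message the result of `EVP_PKEY_decrypt` is now stored in `ret`, but nothing in the visible lines tests it, while `plaintext_len` was preset to `keysize` a few lines earlier. If the call fails without updating the length, the function would appear to return `keysize`, and decode_auth_setting would then terminate and `sscanf` a buffer that was never filled; unless the check sits in the lines between this hunk and the next, add `if (ret <= 0) { plaintext_len = 0; }` after `EVP_PKEY_CTX_free(ctx);`. Separately, the new `if (plaintext_len <= 0) { return -1; }` in decode_auth_setting returns without `OPENSSL_free(plaintext)`, although the same patch adds that call to the three later error paths, so a rejected token appears to leak the buffer allocated in decrypt_rsa_message. The `OPENSSL_malloc(keysize + 1)` result is also used with no NULL check in the lines shown. Both function bodies continue outside the hunks, so these should be confirmed against the full file.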
@ -1,6 +1,6 @@
|
||||
Name: iperf3
|
||||
Version: 3.9
|
||||
Release: 14%{?dist}
|
||||
Release: 15%{?dist}
|
||||
Summary: Measurement tool for TCP/UDP bandwidth performance
|
||||
|
||||
License: BSD
|
||||
@ -10,6 +10,7 @@ Patch0000: 0000-cve-2023-38403.patch
|
||||
Patch0001: 0001-cve-2023-7250.patch
|
||||
Patch0002: 0002-cve-2024-26306.patch
|
||||
Patch0003: 0003-cve-2024-53580.patch
|
||||
Patch0004: 0004-cve-2025-54349.patch
|
||||
|
||||
BuildRequires: libuuid-devel
|
||||
BuildRequires: gcc
|
||||
@ -57,6 +58,9 @@ rm -f %{buildroot}%{_libdir}/libiperf.la
|
||||
%{_libdir}/*.so
|
||||
|
||||
%changelog
|
||||
* Tue Jan 20 2026 Michal Ruprich <mruprich@redhat.com> - 3.9-15
|
||||
- Resolves: RHEL-136179 - iperf Heap Buffer Overflow (CVE-2025-54349)
|
||||
|
||||
* Thu Jan 09 2025 Michal Ruprich <mruprich@redhat.com> - 3.9-14
|
||||
- Resolves: RHEL-72933 - Denial of Service in iperf Due to Improper JSON Handling
|
||||
|
||||
|
||||