Your message dated Tue, 11 Jul 2023 16:09:02 +0000
with message-id <[email protected]>
and subject line Bug#1040830: fixed in iperf3 3.14-1
has caused the Debian Bug report #1040830,
regarding ESNET-SECADV-2023-0001: iperf3 memory allocation hazard and crash
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1040830: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040830
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: iperf3
Version: 3.13-2
Severity: serious
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>
A security advisory for iperf3 has been issued.
https://downloads.es.net/pub/iperf/esnet-secadv-2023-0001.txt.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
ESnet Software Security Advisory
ESNET-SECADV-2023-0001

Topic: iperf3 memory allocation hazard and crash
Issued: 7 July 2023
Credits: @someusername123 via GitHub
Affects: iperf-3.13 and earlier
Corrected: iperf-3.14
Cross-references: esnet/iperf#1542 on GitHub

I. Background

iperf3 is a utility for testing network performance using TCP, UDP,
and SCTP, running over IPv4 and IPv6. It uses a client/server model,
where a client and server communicate the parameters of a test,
coordinate the start and end of the test, and exchange results. This
message exchange takes place over a TCP "control connection".

II. Problem Description

The iperf3 server and client will, at various times, exchange
JSON-formatted messages containing parameters and test results. By
convention, the actual JSON representation is preceded by a four-byte
integer that gives the length of the JSON message.

iperf3 uses the length to determine the size of a dynamically
allocated memory buffer in which to store the incoming message. If the
length equals 0xffffffff, an integer overflow can be triggered in the
receiving iperf3 process (typically the server), which can in turn
cause heap corruption and an abort/crash. While this is unlikely to
happen during normal iperf3 operation, a suitably crafted client
program could send a sequence of bytes on the iperf3 control channel
to cause an iperf3 server to crash.

III. Impact

A malicious process can connect to an iperf3 server and, by sending a
malformed message on the control channel, cause the server process to
abort due to heap corruption. A malicious iperf3 server could
potentially mount a similar attack on an iperf3 client.

Among the officially supported platforms, this problem has only been
observed on Linux. So far, it has not been reproduced with iperf3
running under Linux or macOS.

iperf2, an older version of the iperf utility, uses a different model
of interaction between client and server, and is not affected by this
issue.

IV. Workaround

There is no workaround for this issue; however, as best practice
dictates, iperf3 should not be run with root privileges, to minimize
possible impact.

V. Solution

Update iperf3 to a version containing the fix (i.e. iperf-3.14 or
later).

VI. Correction details

The bug causing this vulnerability has been fixed by the following
commit in the esnet/iperf GitHub repository:

master 0ef151550d96cc4460f98832df84b4a1e87c65e9

All released versions of iperf3 issued on or after the date of this
advisory incorporate the fix.
--- End Message ---
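The length-prefixed framing described in section II of the advisory above, as an added example that is not code from the advisory, from iperf3 or from the Debian package: a receiver that bounds the four-byte length before any allocation, next to the 32-bit "length + 1" arithmetic that wraps to zero for 0xffffffff. The function names, the MAX_JSON_LEN cap, the big-endian prefix and the "+ 1" for a terminator are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_JSON_LEN (1u << 20) /* assumed cap for this sketch, not iperf3's value */

enum frame_err { FRAME_OK, FRAME_SHORT, FRAME_BAD_LEN, FRAME_NOMEM };

/* What "length + 1" (room for a NUL) yields when done in 32-bit arithmetic. */
uint32_t naive_alloc_size(uint32_t len) { return len + 1u; }

/* Decode the four-byte prefix; network byte order is assumed here. */
uint32_t read_len_prefix(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse one frame from buf[0..avail); returns a malloc'd NUL-terminated copy or NULL. */
char *read_framed_json(const unsigned char *buf, size_t avail, enum frame_err *err) {
    *err = FRAME_SHORT;
    if (avail < 4) return NULL;
    uint32_t len = read_len_prefix(buf);
    /* Reject the length before it ever reaches an allocator. */
    if (len == 0 || len > MAX_JSON_LEN) { *err = FRAME_BAD_LEN; return NULL; }
    if ((size_t)len > avail - 4) return NULL;   /* truncated body */
    char *out = malloc((size_t)len + 1);        /* size_t math on a capped length */
    if (out == NULL) { *err = FRAME_NOMEM; return NULL; }
    memcpy(out, buf + 4, len);
    out[len] = '\0';
    *err = FRAME_OK;
    return out;
}

/* Constructed inputs: a well-formed frame and one whose prefix is 0xffffffff. */
static const unsigned char GOOD_FRAME[] = {0, 0, 0, 9, '{', '"', 'a', '"', ':', '1', '2', '3', '}'};
static const unsigned char BAD_FRAME[]  = {0xff, 0xff, 0xff, 0xff, '{', '}'};

/* Run the parser on a buffer and report only the outcome code. */
enum frame_err classify(const unsigned char *buf, size_t n) {
    enum frame_err err;
    free(read_framed_json(buf, n, &err));
    return err;
}

int main(void) {
    printf("naive size=%u good=%d bad=%d\n", naive_alloc_size(0xffffffffu),
           classify(GOOD_FRAME, sizeof GOOD_FRAME), classify(BAD_FRAME, sizeof BAD_FRAME));
    return 0;
}
```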
--- Begin Message ---
Source: iperf3
Source-Version: 3.14-1
Done: Roberto Lumbreras <[email protected]>
We believe that the bug you reported is fixed in the latest version of
iperf3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Roberto Lumbreras <[email protected]> (supplier of updated iperf3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 11 Jul 2023 16:29:54 +0200
Source: iperf3
Architecture: source
Version: 3.14-1
Distribution: unstable
Urgency: high
Maintainer: Roberto Lumbreras <[email protected]>
Changed-By: Roberto Lumbreras <[email protected]>
Closes: 1040830
Changes:
iperf3 (3.14-1) unstable; urgency=high
.
* New upstream version (ESNET-SECADV-2023-0001 security fix).
(Closes: #1040830)
--- End Message ---