Your message dated Sat, 22 Jul 2023 17:17:08 +0000
with message-id <[email protected]>
and subject line Bug#1040830: fixed in iperf3 3.12-1+deb12u1
has caused the Debian Bug report #1040830,
regarding iperf3: CVE-2023-38403: ESNET-SECADV-2023-0001: iperf3 memory
allocation hazard and crash
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1040830: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040830
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: iperf3
Version: 3.13-2
Severity: serious
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>
A security advisory for iperf3 has been issued.
https://downloads.es.net/pub/iperf/esnet-secadv-2023-0001.txt.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
ESnet Software Security Advisory
ESNET-SECADV-2023-0001

Topic: iperf3 memory allocation hazard and crash
Issued: 7 July 2023
Credits: @someusername123 via GitHub
Affects: iperf-3.13 and earlier
Corrected: iperf-3.14
Cross-references: esnet/iperf#1542 on GitHub

I. Background

iperf3 is a utility for testing network performance using TCP, UDP,
and SCTP, running over IPv4 and IPv6. It uses a client/server model,
where a client and server communicate the parameters of a test,
coordinate the start and end of the test, and exchange results. This
message exchange takes place over a TCP "control connection".

II. Problem Description

The iperf3 server and client will, at various times, exchange
JSON-formatted messages containing parameters and test results. By
convention, the actual JSON representation is preceded by a four-byte
integer that gives the length of the JSON message.

iperf3 uses the length to determine the size of a dynamically
allocated memory buffer in which to store the incoming message. If the
length equals 0xffffffff, an integer overflow can be triggered in the
receiving iperf3 process (typically the server), which can in turn
cause heap corruption and an abort/crash. While this is unlikely to
happen during normal iperf3 operation, a suitably crafted client
program could send a sequence of bytes on the iperf3 control channel
to cause an iperf3 server to crash.

III. Impact

A malicious process can connect to an iperf3 server and, by sending a
malformed message on the control channel, cause the server process to
abort due to heap corruption. A malicious iperf3 server could
potentially mount a similar attack on an iperf3 client.

Among the officially supported platforms, this problem has only been
observed on Linux. So far, it has not been reproduced with iperf3
running under Linux or macOS.

iperf2, an older version of the iperf utility, uses a different model
of interaction between client and server, and is not affected by this
issue.

IV. Workaround

There is no workaround for this issue, however as best practice
dictates, iperf3 should not be run with root privileges, to minimize
possible impact.

V. Solution

Update iperf3 to a version containing the fix (i.e. iperf-3.14 or
later).

VI. Correction details

The bug causing this vulnerability has been fixed by the following
commit in the esnet/iperf GitHub repository:

master 0ef151550d96cc4460f98832df84b4a1e87c65e9

All released versions of iperf3 issued on or after the date of this
advisory incorporate the fix.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
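The length-prefix hazard from section II of the advisory, as an added example that is not part of the original messages and is not iperf3's code: `naive_alloc_size` shows the 32-bit wrap at 0xffffffff, and `read_framed_json` is one way to validate the length before allocating. The function names, the `MAX_JSON_LEN` cap and the network-byte-order prefix are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound for one control message; not an iperf3 constant. */
#define MAX_JSON_LEN (1u << 20)

enum frame_err { FRAME_OK = 0, FRAME_SHORT_HEADER, FRAME_BAD_LENGTH,
                 FRAME_TRUNCATED, FRAME_NO_MEMORY };

/* The hazard: buffer size computed in 32 bits as length + 1 (room for NUL).
 * For length 0xffffffff the sum wraps to 0, so the buffer is far smaller
 * than the length the reader goes on to trust. */
uint32_t naive_alloc_size(uint32_t len)
{
    return (uint32_t)(len + 1u);
}

/* Hardened reader over an in-memory frame: 4-byte length prefix (network
 * byte order assumed) followed by the JSON text. Returns a NUL-terminated
 * heap copy that the caller frees, or NULL with *err set. */
char *read_framed_json(const unsigned char *buf, size_t buflen, enum frame_err *err)
{
    if (buflen < 4) { *err = FRAME_SHORT_HEADER; return NULL; }
    uint32_t len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    /* Bound the peer-supplied length before any arithmetic or allocation. */
    if (len == 0 || len > MAX_JSON_LEN) { *err = FRAME_BAD_LENGTH; return NULL; }
    /* Never copy more bytes than were actually received. */
    if ((size_t)len > buflen - 4) { *err = FRAME_TRUNCATED; return NULL; }
    char *json = malloc((size_t)len + 1);  /* bounded above, cannot wrap */
    if (json == NULL) { *err = FRAME_NO_MEMORY; return NULL; }
    memcpy(json, buf + 4, len);
    json[len] = '\0';
    *err = FRAME_OK;
    return json;
}

int main(void)
{
    /* Constructed frames for illustration, not captured traffic. */
    const unsigned char ok[]  = {0x00, 0x00, 0x00, 0x02, '{', '}'};
    const unsigned char bad[] = {0xff, 0xff, 0xff, 0xff, '{', '}'};
    enum frame_err e;
    char *s = read_framed_json(ok, sizeof ok, &e);
    printf("valid frame: err=%d json=%s\n", (int)e, s ? s : "(none)");
    free(s);
    s = read_framed_json(bad, sizeof bad, &e);
    printf("0xffffffff frame: err=%d naive size=%u\n", (int)e,
           (unsigned)naive_alloc_size(0xffffffffu));
    free(s);
    return 0;
}
```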
--- Begin Message ---
Source: iperf3
Source-Version: 3.12-1+deb12u1
Done: Aron Xu <[email protected]>
We believe that the bug you reported is fixed in the latest version of
iperf3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aron Xu <[email protected]> (supplier of updated iperf3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 17 Jul 2023 16:46:06 +0800
Source: iperf3
Architecture: source
Version: 3.12-1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Roberto Lumbreras <[email protected]>
Changed-By: Aron Xu <[email protected]>
Closes: 1040830
Changes:
iperf3 (3.12-1+deb12u1) bookworm-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix memory allocation hazard and crash (Closes: #1040830)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---