Your message dated Sat, 22 Jul 2023 17:17:38 +0000
with message-id <e1qngec-004dry...@fasolo.debian.org>
and subject line Bug#1040830: fixed in iperf3 3.9-1+deb11u1
has caused the Debian Bug report #1040830,
regarding iperf3: CVE-2023-38403: ESNET-SECADV-2023-0001: iperf3 memory allocation hazard and crash
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1040830: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040830
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: iperf3
Version: 3.13-2
Severity: serious
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

A security advisory for iperf3 has been issued.

https://downloads.es.net/pub/iperf/esnet-secadv-2023-0001.txt.asc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

ESnet Software Security Advisory
ESNET-SECADV-2023-0001

Topic:                  iperf3 memory allocation hazard and crash
Issued:                 7 July 2023
Credits:                @someusername123 via GitHub
Affects:                iperf-3.13 and earlier
Corrected:              iperf-3.14
Cross-references:       esnet/iperf#1542 on GitHub

I.  Background

iperf3 is a utility for testing network performance using TCP, UDP,
and SCTP, running over IPv4 and IPv6.  It uses a client/server model,
where a client and server communicate the parameters of a test,
coordinate the start and end of the test, and exchange results.  This
message exchange takes place over a TCP "control connection".

II.  Problem Description

The iperf3 server and client will, at various times, exchange
JSON-formatted messages containing parameters and test results. By
convention, the actual JSON representation is preceded by a four-byte
integer that gives the length of the JSON message.

iperf3 uses the length to determine the size of a dynamically
allocated memory buffer in which to store the incoming message. If the
length equals 0xffffffff, an integer overflow can be triggered in the
receiving iperf3 process (typically the server), which can in turn
cause heap corruption and an abort/crash. While this is unlikely to
happen during normal iperf3 operation, a suitably crafted client
program could send a sequence of bytes on the iperf3 control channel
to cause an iperf3 server to crash.

III.  Impact

A malicious process can connect to an iperf3 server and, by sending a
malformed message on the control channel, cause the server process to
abort due to heap corruption. A malicious iperf3 server could
potentially mount a similar attack on an iperf3 client.

Among the officially supported platforms, this problem has only been
observed on Linux. So far, it has not been reproduced with iperf3
running under Linux or macOS.

iperf2, an older version of the iperf utility, uses a different model
of interaction between client and server, and is not affected by this
issue.

IV.  Workaround

There is no workaround for this issue; however, as best practice
dictates, iperf3 should not be run with root privileges, to minimize
possible impact.

V.  Solution

Update iperf3 to a version containing the fix (i.e. iperf-3.14 or
later).

VI.  Correction details

The bug causing this vulnerability has been fixed by the following
commit in the esnet/iperf Github repository:

master          0ef151550d96cc4460f98832df84b4a1e87c65e9

All released versions of iperf3 issued on or after the date of this
advisory incorporate the fix.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE+Fo4IENp9xo01E6DSYSRCoyq7ooFAmSogHEACgkQSYSRCoyq
7orOGwgAwoF1S8ta/be1y90NYif36DnXDLjEvgcPwnFy4YadG4bI5Rx3btO73NGH
Xp/T/PXROtU40Qu3TaQsmEGFn46I+hgbGyzd11oxX1mysK6n0U3BUPCdgn7+JA5A
vpFfL4mo1efYe5cBEEUy6fnY7PipC4ltYv6I0jb4zprQalKZaPaP4TVm4si+vNKT
TViLgOZzvelIatKPl0SY7SEEQj7vkJDNw89kxQG9jZExeS1qLgPwRsmyR0b4TTDc
MMtUjn4Zl/uR2vCPeEmxTmh+QutY35vOw4N6vaqaUcHspNGJrWy5XW4QuIGEsbBq
KLsKmkzHa/fYp+1SesgNMrJkutOo2g==
=puru
-----END PGP SIGNATURE-----

--- End Message ---
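The hazard described in section II of the advisory above and the kind of check section VI says was added, as an added example in C that is not iperf3's code and not the fix commit: a model of a length-prefixed control-message receiver in which a 32-bit "length + 1" allocation size wraps to 0 for a declared length of 0xffffffff, beside a hardened reader that bounds the declared length (against a policy limit and against the bytes actually present) before it ever reaches the allocator. The `+1` for a NUL terminator, the 1 MiB policy bound, the function names and the sample frames are constructed assumptions; the advisory does not state how iperf3 computes the allocation size.

```c
/* Length-prefixed message receiver: hazardous vs. hardened (constructed example). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy limit on a control message; iperf3's real limit is not given here. */
#define MAX_CONTROL_MSG 1048576u /* 1 MiB, a constructed bound */

/* Decode the four-byte big-endian length prefix described in the advisory. */
static uint32_t decode_length(const uint8_t hdr[4])
{
    return ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
           ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
}

/* HAZARD (assumed pattern): allocation size computed as a 32-bit "length + 1"
 * to leave room for a NUL. With length 0xffffffff the sum wraps to 0, so the
 * buffer handed to the copy that follows is far too small. Only the arithmetic
 * is modelled; nothing is allocated or written here. */
static uint32_t hazardous_alloc_size(uint32_t declared_len)
{
    uint32_t size = declared_len + 1u; /* wraps when declared_len == UINT32_MAX */
    return size;
}

/* HARDENED: validate the declared length before it reaches the allocator.
 * Returns 0 and sets *out on success; -1 when the header is absent, the length
 * exceeds the policy bound, or it exceeds the bytes actually available. */
static int checked_length(const uint8_t *stream, size_t stream_len,
                          uint32_t max_len, uint32_t *out)
{
    if (stream_len < 4)
        return -1;
    uint32_t len = decode_length(stream);
    if (len > max_len)                 /* also rejects 0xffffffff */
        return -1;
    if ((size_t)len > stream_len - 4)  /* declared length vs. bytes present */
        return -1;
    *out = len;
    return 0;
}

/* Read one message into a freshly allocated, NUL-terminated buffer, or return NULL. */
static char *read_control_message(const uint8_t *stream, size_t stream_len,
                                  uint32_t max_len)
{
    uint32_t len;
    if (checked_length(stream, stream_len, max_len, &len) != 0)
        return NULL;
    /* size_t arithmetic after the bound check: no wraparound is possible here. */
    char *buf = malloc((size_t)len + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, stream + 4, len);
    buf[len] = '\0';
    return buf;
}

/* Constructed sample frames, not captured traffic. */
static const uint8_t GOOD_FRAME[] = {
    0x00, 0x00, 0x00, 0x07,                 /* length = 7 */
    '{', '"', 'a', '"', ':', '1', '}'       /* {"a":1} */
};
static const uint8_t HUGE_FRAME[]  = { 0xff, 0xff, 0xff, 0xff, '{', '}' }; /* length = 0xffffffff */
static const uint8_t SHORT_FRAME[] = { 0x00, 0x00, 0x00, 0x10, '{', '}' }; /* claims 16, carries 2 */

int main(void)
{
    printf("hazardous size for 0xffffffff: %u\n", hazardous_alloc_size(0xffffffffu));

    char *m = read_control_message(GOOD_FRAME, sizeof GOOD_FRAME, MAX_CONTROL_MSG);
    printf("good frame:  %s\n", m ? m : "(rejected)");
    free(m);

    m = read_control_message(HUGE_FRAME, sizeof HUGE_FRAME, MAX_CONTROL_MSG);
    printf("huge frame:  %s\n", m ? m : "(rejected)");
    free(m);

    m = read_control_message(SHORT_FRAME, sizeof SHORT_FRAME, MAX_CONTROL_MSG);
    printf("short frame: %s\n", m ? m : "(rejected)");
    free(m);
    return 0;
}
```

The two checks in `checked_length` address different failure modes: the policy bound stops the wraparound the advisory describes, and the comparison against the bytes actually present stops a receiver from trusting a declared length that the peer never delivers.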
--- Begin Message ---
Source: iperf3
Source-Version: 3.9-1+deb11u1
Done: Aron Xu <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
iperf3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1040...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <a...@debian.org> (supplier of updated iperf3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 17 Jul 2023 16:49:40 +0800
Source: iperf3
Architecture: source
Version: 3.9-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Roberto Lumbreras <ro...@debian.org>
Changed-By: Aron Xu <a...@debian.org>
Closes: 1040830
Changes:
 iperf3 (3.9-1+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix memory allocation hazard and crash (Closes: #1040830)
Checksums-Sha1:
 adb546ead970c9d00002b6a5ca22429e2ba26680 1510 iperf3_3.9-1+deb11u1.dsc
 55bd42d401127400ffc4d013893f1f9450eca6c0 622459 iperf3_3.9.orig.tar.gz
 e31c9b8e9d6d585c8516de36908fcd09049af658 9712 iperf3_3.9-1+deb11u1.debian.tar.xz
 f5b4676c91a649f09b99cac26786a9c73ecb1a5e 5486 iperf3_3.9-1+deb11u1_source.buildinfo
Checksums-Sha256:
 9a8cdd5859257226879b414ac34d6d7dec79152e22a785b93800f57484051777 1510 iperf3_3.9-1+deb11u1.dsc
 24b63a26382325f759f11d421779a937b63ca1bc17c44587d2fcfedab60ac038 622459 iperf3_3.9.orig.tar.gz
 5fd25b88e323e86485c79c837e383d8e31fc26adf46312edca858d0368e4ff44 9712 iperf3_3.9-1+deb11u1.debian.tar.xz
 ff9a5bc8adcfe835cc999a5eec966748512f6c2e8cef451719093df828d50876 5486 iperf3_3.9-1+deb11u1_source.buildinfo
Files:
 0998bfa12d9b91253019cfe346b46a62 1510 net optional iperf3_3.9-1+deb11u1.dsc
 3db38ed816a41dfef9d529423247ca03 622459 net optional iperf3_3.9.orig.tar.gz
 52fc83f1e8b64274f0a98176bad70634 9712 net optional iperf3_3.9-1+deb11u1.debian.tar.xz
 d1d71aa88fa91b4da0e88ceffeecc845 5486 net optional iperf3_3.9-1+deb11u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmS1AbcACgkQO1LKKgqv
2VQwRQf/bKd1MUSwLa+TzklScmkIvqEms3Hzes4tWOwTJ/jexDANwvviIzlSCyPu
474qukKgkOnBeKQ3ii40kELwFTqILlSOs26BjD8syPdTxHEzjDQedRX0QtY2Ayr9
nYygI69jMjMly0sBmwU7O55QH/NuMVvXfHCODuO1HBxirjY9iexoRTmxTKm7adfK
jbag/8QZV7TPi5wnV++tv8E/BRQKPCbgKBIJ3ToGfVduBpARkV9rrSAMY//jBYZ9
W9+SW+2YAJXzQKVaJdr3d7unjAf7dNFsI2T/jpfkQYgyFO6E7SzZ3fOqbNkOyyqe
wnV4699djpkAM/v60Ucfa6bk47693Q==
=MUkl
-----END PGP SIGNATURE-----

--- End Message ---