2 files changed, 98 insertions, 0 deletions
diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch
new file mode 100644
index 0000000000..d21d635afe
--- /dev/null
+++ b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch
@@ -0,0 +1,97 @@
+From 0ea4200f04ab2a823a718f48b8f853328858fcc9 Mon Sep 17 00:00:00 2001
+From: Sarah Larsen <swlarsen@es.net>
+Date: Wed, 25 Jun 2025 15:11:03 +0000
+Subject: [PATCH] Fix off-by-one heap overflow in auth.
+Reported by Han Lee (Apple Information Security)
+CVE-2025-54349
+CVE: CVE-2025-54349
+Upstream-Status: Backport [https://github.com/esnet/iperf/commit/4e5313bab0b9b3fe03513ab54f722c8a3e4b7bdf]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/iperf_auth.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+diff --git a/src/iperf_auth.c b/src/iperf_auth.c
+index 72e85fc..86b4eba 100644
+--- a/src/iperf_auth.c
+++ b/src/iperf_auth.c
+@@ -288,6 +288,7 @@ int encrypt_rsa_message(const char *plaintext, EVP_PKEY *public_key, unsigned ch
+ }
+ 
+ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedtext_len, EVP_PKEY *private_key, unsigned char **plaintext, int use_pkcs1_padding) {
+    int ret =0;
+ #if OPENSSL_VERSION_MAJOR >= 3
+     EVP_PKEY_CTX *ctx;
+ #else
+@@ -310,7 +311,8 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
+     keysize = RSA_size(rsa);
+ #endif
+     rsa_buffer  = OPENSSL_malloc(keysize * 2);
+-    *plaintext = (unsigned char*)OPENSSL_malloc(keysize);
+    // Note: +1 for NULL
+    *plaintext = (unsigned char*)OPENSSL_malloc(keysize + 1);
+ 
+     BIO *bioBuff   = BIO_new_mem_buf((void*)encryptedtext, encryptedtext_len);
+     rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2);
+@@ -320,13 +322,15 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
+         padding = RSA_PKCS1_PADDING;
+     }
+ #if OPENSSL_VERSION_MAJOR >= 3
+
+     plaintext_len = keysize;
+     EVP_PKEY_decrypt_init(ctx);
+-    int ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding);
+
+    ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding);
+     if (ret < 0){
+         goto errreturn;
+     }
+-    EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len);
+    ret = EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len);
+     EVP_PKEY_CTX_free(ctx);
+ #else
+     plaintext_len = RSA_private_decrypt(rsa_buffer_len, rsa_buffer, *plaintext, rsa, padding);
+@@ -337,7 +341,7 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
+     BIO_free(bioBuff);
+ 
+     /* Treat a decryption error as an empty string. */
+-    if (plaintext_len < 0) {
+    if (plaintext_len <= 0) {
+         plaintext_len = 0;
+     }
+ 
+@@ -386,24 +390,28 @@ int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *priva
+     int plaintext_len;
+     plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, private_key, &plaintext, use_pkcs1_padding);
+     free(encrypted_b64);
+-    if (plaintext_len < 0) {
+    if (plaintext_len <= 0) {
+         return -1;
+     }
+
+     plaintext[plaintext_len] = '\0';
+ 
+     char *s_username, *s_password;
+     s_username = (char *) calloc(plaintext_len, sizeof(char));
+     if (s_username == NULL) {
+        OPENSSL_free(plaintext);
+        return -1;
+     }
+     s_password = (char *) calloc(plaintext_len, sizeof(char));
+     if (s_password == NULL) {
+        OPENSSL_free(plaintext);
+        free(s_username);
+        return -1;
+     }
+ 
+     int rc = sscanf((char *) plaintext, auth_text_format, s_username, s_password, &utc_seconds);
+     if (rc != 3) {
+        OPENSSL_free(plaintext);
+        free(s_password);
+        free(s_username);
+        return -1;
+-- 
+2.50.0
diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb
index d3bfc93fe1..e96d5f084b 100644
--- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb
+++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb
@@ -15,6 +15,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=f9873a72f714e240530e759e103ac7b2"
 SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \
           file://0002-Remove-pg-from-profile_CFLAGS.patch \
           file://0001-configure.ac-check-for-CPP-prog.patch \
+           file://CVE-2025-54349.patch \
          "
 SRCREV = "2a2984488d6de8f7a2d1f5938e03ca7be57e227c"

diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch new file mode 100644 index 0000000000..d21d635afe --- /dev/null +++ b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch
@@ -0,0 +1,97 @@
		1	From 0ea4200f04ab2a823a718f48b8f853328858fcc9 Mon Sep 17 00:00:00 2001
		2	From: Sarah Larsen <swlarsen@es.net>
		3	Date: Wed, 25 Jun 2025 15:11:03 +0000
		4	Subject: [PATCH] Fix off-by-one heap overflow in auth.
		5
		6	Reported by Han Lee (Apple Information Security)
		7	CVE-2025-54349
		8
		9	CVE: CVE-2025-54349
		10	Upstream-Status: Backport [https://github.com/esnet/iperf/commit/4e5313bab0b9b3fe03513ab54f722c8a3e4b7bdf]
		11	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		12	---
		13	src/iperf_auth.c \| 18 +++++++++++++-----
		14	1 file changed, 13 insertions(+), 5 deletions(-)
		15
		16	diff --git a/src/iperf_auth.c b/src/iperf_auth.c
		17	index 72e85fc..86b4eba 100644
		18	--- a/src/iperf_auth.c
		19	+++ b/src/iperf_auth.c
		20	@@ -288,6 +288,7 @@ int encrypt_rsa_message(const char plaintext, EVP_PKEY public_key, unsigned ch
		21	}
		22
		23	int decrypt_rsa_message(const unsigned char encryptedtext, const int encryptedtext_len, EVP_PKEY private_key, unsigned char **plaintext, int use_pkcs1_padding) {
		24	+ int ret =0;
		25	#if OPENSSL_VERSION_MAJOR >= 3
		26	EVP_PKEY_CTX *ctx;
		27	#else
		28	@@ -310,7 +311,8 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
		29	keysize = RSA_size(rsa);
		30	#endif
		31	rsa_buffer = OPENSSL_malloc(keysize * 2);
		32	- plaintext = (unsigned char)OPENSSL_malloc(keysize);
		33	+ // Note: +1 for NULL
		34	+ plaintext = (unsigned char)OPENSSL_malloc(keysize + 1);
		35
		36	BIO bioBuff = BIO_new_mem_buf((void)encryptedtext, encryptedtext_len);
		37	rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2);
		38	@@ -320,13 +322,15 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
		39	padding = RSA_PKCS1_PADDING;
		40	}
		41	#if OPENSSL_VERSION_MAJOR >= 3
		42	+
		43	plaintext_len = keysize;
		44	EVP_PKEY_decrypt_init(ctx);
		45	- int ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding);
		46	+
		47	+ ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding);
		48	if (ret < 0){
		49	goto errreturn;
		50	}
		51	- EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len);
		52	+ ret = EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len);
		53	EVP_PKEY_CTX_free(ctx);
		54	#else
		55	plaintext_len = RSA_private_decrypt(rsa_buffer_len, rsa_buffer, *plaintext, rsa, padding);
		56	@@ -337,7 +341,7 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
		57	BIO_free(bioBuff);
		58
		59	/* Treat a decryption error as an empty string. */
		60	- if (plaintext_len < 0) {
		61	+ if (plaintext_len <= 0) {
		62	plaintext_len = 0;
		63	}
		64
		65	@@ -386,24 +390,28 @@ int decode_auth_setting(int enable_debug, const char authtoken, EVP_PKEY priva
		66	int plaintext_len;
		67	plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, private_key, &plaintext, use_pkcs1_padding);
		68	free(encrypted_b64);
		69	- if (plaintext_len < 0) {
		70	+ if (plaintext_len <= 0) {
		71	return -1;
		72	}
		73	+
		74	plaintext[plaintext_len] = '\0';
		75
		76	char s_username, s_password;
		77	s_username = (char *) calloc(plaintext_len, sizeof(char));
		78	if (s_username == NULL) {
		79	+ OPENSSL_free(plaintext);
		80	return -1;
		81	}
		82	s_password = (char *) calloc(plaintext_len, sizeof(char));
		83	if (s_password == NULL) {
		84	+ OPENSSL_free(plaintext);
		85	free(s_username);
		86	return -1;
		87	}
		88
		89	int rc = sscanf((char *) plaintext, auth_text_format, s_username, s_password, &utc_seconds);
		90	if (rc != 3) {
		91	+ OPENSSL_free(plaintext);
		92	free(s_password);
		93	free(s_username);
		94	return -1;
		95	--
		96	2.50.0
		97


diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb index d3bfc93fe1..e96d5f084b 100644 --- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb +++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb
@@ -15,6 +15,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=f9873a72f714e240530e759e103ac7b2"
15	SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \	15	SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \
16	file://0002-Remove-pg-from-profile_CFLAGS.patch \	16	file://0002-Remove-pg-from-profile_CFLAGS.patch \
17	file://0001-configure.ac-check-for-CPP-prog.patch \	17	file://0001-configure.ac-check-for-CPP-prog.patch \
		18	file://CVE-2025-54349.patch \
18	"	19	"
19		20
20	SRCREV = "2a2984488d6de8f7a2d1f5938e03ca7be57e227c"	21	SRCREV = "2a2984488d6de8f7a2d1f5938e03ca7be57e227c"