#1110376 iperf3: CVE-2025-54349 CVE-2025-54350

Package: src:iperf3
Source: src:iperf3
Submitter: Salvatore Bonaccorso
Date: 2025-08-04 21:43:02 UTC
Severity: normal
Tags:
#1110376#5
Date: 2025-08-04 03:37:47 UTC
From:
To:
Hi,

The following vulnerabilities were published for iperf3.

CVE-2025-54349[0]:
| In iperf before 3.19.1, iperf_auth.c has an off-by-one error and
| resultant heap-based buffer overflow.


CVE-2025-54350[1]:
| In iperf before 3.19.1, iperf_auth.c has a Base64Decode assertion
| failure and application exit upon a malformed authentication
| attempt.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-54349
    https://www.cve.org/CVERecord?id=CVE-2025-54349
    https://github.com/esnet/iperf/commit/42280d2292ed5f213bfcb33b2206ebcdb151ae66
[1] https://security-tracker.debian.org/tracker/CVE-2025-54350
    https://www.cve.org/CVERecord?id=CVE-2025-54350
    https://github.com/esnet/iperf/commit/de932ea16bc959f839d28d370f0602de52c5def1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1110376#10
Date: 2025-08-04 21:40:50 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
iperf3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1110376@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roberto Lumbreras <rover@debian.org> (supplier of updated iperf3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Mon, 04 Aug 2025 21:21:14 +0200
Source: iperf3
Architecture: source
Version: 3.19.1-1
Distribution: unstable
Urgency: medium
Maintainer: Roberto Lumbreras <rover@debian.org>
Changed-By: Roberto Lumbreras <rover@debian.org>
Closes: 1110376
Changes:
 iperf3 (3.19.1-1) unstable; urgency=medium
 .
   * New upstream version, including fixes for CVE-2025-54349, CVE-2025-54350.
     (Closes: #1110376)
   * Updated standards.