Doesn't affect version 2, but then again who in their right mind would expose an iperf server to begin with? :)

[URL] points to https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc

Arch teams, please test and mark stable:
=net-misc/iperf-3.0.12
Targeted stable KEYWORDS: amd64 hppa ppc ppc64 sparc x86
amd64 stable
Stable for HPPA PPC64.
x86 stable
ppc stable
sparc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
CVE-2016-4303 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4303): The parse_string function in cjson.c in the cJSON library mishandles UTF8/16 strings, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a non-hex character in a JSON string, which triggers a heap-based buffer overflow.
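The CVE text above names a non-hex character in a JSON string as the trigger. As an added illustration (not code from this bug, from cJSON or iperf3, and not the upstream patch), here is a strict, bounds-checked validator for JSON string escapes that rejects such input before any decoding; `hex4_strict` and `json_escapes_valid` are hypothetical names.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Decode exactly four hex digits at p without reading past end; 1 on success. */
static int hex4_strict(const char *p, const char *end, unsigned *out)
{
    unsigned v = 0;
    if (end - p < 4)
        return 0;                           /* truncated escape */
    for (int i = 0; i < 4; i++) {
        unsigned char c = (unsigned char)p[i];
        if (!isxdigit(c))
            return 0;                       /* non-hex character */
        v = (v << 4) | (unsigned)(isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
    }
    *out = v;
    return 1;
}

/* Validate every backslash escape in a JSON string body (the bytes
 * between the quotes). Returns 1 if all are well formed, else 0. */
int json_escapes_valid(const char *body, size_t len)
{
    const char *p = body, *end = body + len;
    unsigned hi, lo;
    while (p < end) {
        if (*p++ != '\\')
            continue;
        if (p == end)
            return 0;                       /* dangling backslash */
        char e = *p++;
        if (e != 'u') {
            if (e == '\0' || !strchr("\"\\/bfnrt", e))
                return 0;                   /* unknown escape */
            continue;
        }
        if (!hex4_strict(p, end, &hi) || (hi >= 0xDC00 && hi <= 0xDFFF))
            return 0;                       /* bad digits or lone low surrogate */
        p += 4;
        if (hi >= 0xD800 && hi <= 0xDBFF) { /* high surrogate needs its pair */
            if (end - p < 6 || p[0] != '\\' || p[1] != 'u' ||
                !hex4_strict(p + 2, end, &lo) || lo < 0xDC00 || lo > 0xDFFF)
                return 0;
            p += 6;
        }
    }
    return 1;
}
```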
As commented by upstream the ACE is theoretical. No PoC here. Lowering severity. Tree has been cleaned for some time.