Bug 585504 (CVE-2016-4303) - <net-misc/iperf-{3.0.12,3.1.3} - crash/remote code execution through malformed JSON command (CVE-2016-4303)
Status: RESOLVED FIXED
Alias: CVE-2016-4303
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/esnet/iperf/blob/m...
Whiteboard: B3 [noglsa cve]
Reported: 2016-06-10 05:41 UTC by Jeroen Roovers (RETIRED)
Modified: 2016-11-27 11:36 UTC

Description Jeroen Roovers (RETIRED) gentoo-dev 2016-06-10 05:41:31 UTC
Doesn't affect version 2, but then again who in their right mind would expose an iperf server to begin with? :)

[URL] points to https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc



Arch teams, please test and mark stable:
=net-misc/iperf-3.0.12
Targeted stable KEYWORDS : amd64 hppa ppc ppc64 sparc x86
Comment 1 Agostino Sarubbo gentoo-dev 2016-06-10 13:02:30 UTC
amd64 stable
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2016-06-11 07:25:00 UTC
Stable for HPPA PPC64.
Comment 3 Agostino Sarubbo gentoo-dev 2016-06-27 08:52:55 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-07-08 08:19:36 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-07-08 08:43:53 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-11-11 12:37:44 UTC
CVE-2016-4303 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4303):
  The parse_string function in cjson.c in the cJSON library mishandles UTF8/16
  strings, which allows remote attackers to cause a denial of service (crash)
  or execute arbitrary code via a non-hex character in a JSON string, which
  triggers a heap-based buffer overflow.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-11-27 11:36:20 UTC
As commented by upstream the ACE is theoretical.  No PoC here.  Lowering severity.  Tree has been cleaned for some time.