diff -Nru coturn-4.5.0.7/debian/changelog coturn-4.5.0.7/debian/changelog
--- coturn-4.5.0.7/debian/changelog 2019-02-06 13:56:38.000000000 +0000
+++ coturn-4.5.0.7/debian/changelog 2020-07-02 15:49:53.000000000 +0000
@@ -1,3 +1,18 @@
+coturn (4.5.0.7-1ubuntu2.18.04.2) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: Heap-buffer overflow in HTTP POST request
+ - debian/patches/CVE-2020-6061.patch: Fix overflow
+ - CVE-2020-6061
+ * SECURITY UPDATE: DoS when parsing certain HTTP POST request
+ - debian/patches/CVE-2020-6062.patch: Fix parsing of POST requests
+ - CVE-2020-6062
+ * SECURITY UPDATE: Information leak between different client connections
+ - debian/patches/CVE-2020-4067.patch: initialize with zero any new or
+ reused stun buffers
+ - CVE-2020-4067
+
+ -- Eduardo Barretto Thu, 02 Jul 2020 12:49:53 -0300
+
 coturn (4.5.0.7-1ubuntu2.18.04.1) bionic-security; urgency=medium
 
 * [1328ae1] HotFix: for 3 Vulnerability.
diff -Nru coturn-4.5.0.7/debian/patches/CVE-2020-4067.patch coturn-4.5.0.7/debian/patches/CVE-2020-4067.patch
--- coturn-4.5.0.7/debian/patches/CVE-2020-4067.patch 1970-01-01 00:00:00.000000000 +0000
+++ coturn-4.5.0.7/debian/patches/CVE-2020-4067.patch 2020-07-02 15:49:53.000000000 +0000
@@ -0,0 +1,34 @@
+From fc1e0732069e95f2de3cf1a22d15c44bbd3cfaae Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?=
+Date: Mon, 22 Jun 2020 00:08:12 +0200
+Subject: [PATCH 1/2] init with zero any new or reused stun buffers
+
+[Salvatore Bonaccorso: backport to 4.5.1.1: Use consistently ns_bzero as it
+does not yet contain the upstream change 7a43aae7c3e1 ("Remove ns_bzero(),
+ns_bcopy(), and ns_bcmp()"). Adjust for context changes.]
+---
+ src/apps/relay/ns_ioalib_engine_impl.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/src/apps/relay/ns_ioalib_engine_impl.c
++++ b/src/apps/relay/ns_ioalib_engine_impl.c
+@@ -293,10 +293,19 @@ static stun_buffer_list_elem *new_blist_
+
+ if(!ret) {
+ ret = (stun_buffer_list_elem *)turn_malloc(sizeof(stun_buffer_list_elem));
++ /* init ns_bzero below will solve all of these in one step
+ ret->buf.len = 0;
+ ret->buf.offset = 0;
+ ret->buf.coffset = 0;
++ */
+ ret->next = NULL;
++ if (!ret) {
++ TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: Cannot allocate memory for STUN buffer!\n", __FUNCTION__);
++ }
++ }
++
++ if(ret) {
++ ns_bzero(&ret->buf, sizeof(stun_buffer));
+ }
+
+ return ret;
diff -Nru coturn-4.5.0.7/debian/patches/CVE-2020-6061.patch coturn-4.5.0.7/debian/patches/CVE-2020-6061.patch
--- coturn-4.5.0.7/debian/patches/CVE-2020-6061.patch 1970-01-01 00:00:00.000000000 +0000
+++ coturn-4.5.0.7/debian/patches/CVE-2020-6061.patch 2020-07-02 15:49:53.000000000 +0000
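Review bot: In CVE-2020-4067.patch the added `if (!ret)` test sits after `ret->next = NULL;`, so if `turn_malloc` can return NULL (its definition is not visible here) the pointer is dereferenced before the check and the log line is never reached. Test the allocation first, directly after the `turn_malloc` line: `if (!ret) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: Cannot allocate memory for STUN buffer!\n", __FUNCTION__); return NULL; }`, and only then set `ret->next`. The trailing `if(ret) { ns_bzero(&ret->buf, sizeof(stun_buffer)); }` runs for both a fresh and a reused element, which is the part that addresses the leak between connections; a short comment saying that the zeroing must stay outside the allocation branch would keep a later cleanup from moving it back in. The start of the function is outside the hunk, so how a reused element is taken off the list cannot be checked from here.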
@@ -0,0 +1,28 @@
+From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?=
+Date: Mon, 17 Feb 2020 10:34:56 +0100
+Subject: Fix: CVE-2020-6061/TALOS-2020-0984
+Origin: https://github.com/coturn/coturn/commit/51a7c2b9bf924890c7a3ff4db9c4976c5a93340a
+Bug: https://talosintelligence.com/vulnerability_reports/TALOS-2020-0984
+Bug-Debian: https://bugs.debian.org/951876
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-6061
+
+---
+ src/apps/relay/http_server.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/apps/relay/http_server.c b/src/apps/relay/http_server.c
+index 573af49b5ce9..1126b49c1526 100644
+--- a/src/apps/relay/http_server.c
++++ b/src/apps/relay/http_server.c
+@@ -103,7 +103,7 @@ const char* get_http_date_header()
+
+ static struct headers_list * post_parse(char *data, size_t data_len)
+ {
+- while((*data=='\r')||(*data=='\n')) ++data;
++ while((*data=='\r')||(*data=='\n')) { ++data; --data_len; }
+ char *post_data = (char*)calloc(data_len + 1, sizeof(char));
+ memcpy(post_data, data, data_len);
+ char *fmarker = NULL;
+--
+2.27.0
+
diff -Nru coturn-4.5.0.7/debian/patches/CVE-2020-6062.patch coturn-4.5.0.7/debian/patches/CVE-2020-6062.patch
--- coturn-4.5.0.7/debian/patches/CVE-2020-6062.patch 1970-01-01 00:00:00.000000000 +0000
+++ coturn-4.5.0.7/debian/patches/CVE-2020-6062.patch 2020-07-02 15:49:53.000000000 +0000
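Review bot: The rewritten `while` loop in post_parse decrements `data_len` with no lower bound, so if the run of CR/LF bytes is longer than `data_len` the `size_t` wraps to a very large value that the following `calloc(data_len + 1, sizeof(char))` and `memcpy(post_data, data, data_len)` then use. Whether the loop always stops first depends on the caller NUL-terminating `data` and passing a matching length, and neither is visible in this hunk. Bound the loop on the length as well: `while (data_len && ((*data=='\r')||(*data=='\n'))) { ++data; --data_len; }`. The same line is carried unchanged as context into CVE-2020-6062.patch, and the body of post_parse continues past the end of this hunk.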
@@ -0,0 +1,89 @@
+From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?=
+Date: Tue, 18 Feb 2020 12:31:38 +0100
+Subject: Fix: CVE-2020-6062 / TALOS-2020-0985
+Origin: https://github.com/coturn/coturn/commit/e09bcd9f7af5b32c81b37f51835b384b5a7d03a8
+Bug: https://talosintelligence.com/vulnerability_reports/TALOS-2020-0985
+Bug-Debian: https://bugs.debian.org/951876
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-6062
+
+[Salvatore Bonaccorso: backport to 4.5.1.1: Use consistently ns_bzero as it
+does not yet contain the upstream change 7a43aae7c3e1 ("Remove ns_bzero(),
+ns_bcopy(), and ns_bcmp()")]
+---
+ src/apps/relay/http_server.c | 63 ++++++++++++++++++++----------------
+ 1 file changed, 36 insertions(+), 27 deletions(-)
+
+--- a/src/apps/relay/http_server.c
++++ b/src/apps/relay/http_server.c
+@@ -104,35 +104,44 @@ const char* get_http_date_header()
+ static struct headers_list * post_parse(char *data, size_t data_len)
+ {
+ while((*data=='\r')||(*data=='\n')) { ++data; --data_len; }
+- char *post_data = (char*)calloc(data_len + 1, sizeof(char));
+- memcpy(post_data, data, data_len);
+- char *fmarker = NULL;
+- char *fsplit = strtok_r(post_data, "&", &fmarker);
+- struct headers_list *list = (struct headers_list*)malloc(sizeof(struct headers_list));
+- ns_bzero(list,sizeof(struct headers_list));
+- while (fsplit != NULL) {
+- char *vmarker = NULL;
+- char *key = strtok_r(fsplit, "=", &vmarker);
+- char *value = strtok_r(NULL, "=", &vmarker);
+- char empty[1];
+- empty[0]=0;
+- value = value ? value : empty;
+- value = evhttp_decode_uri(value);
+- char *p = value;
+- while (*p) {
+- if (*p == '+')
+- *p = ' ';
+- p++;
++ if (data_len) {
++ char *post_data = (char*)calloc(data_len + 1, sizeof(char));
++ if (post_data != NULL) {
++ memcpy(post_data, data, data_len);
++ char *fmarker = NULL;
++ char *fsplit = strtok_r(post_data, "&", &fmarker);
++ struct headers_list *list = (struct headers_list*)malloc(sizeof(struct headers_list));
++ ns_bzero(list,sizeof(struct headers_list));
++ while (fsplit != NULL) {
++ char *vmarker = NULL;
++ char *key = strtok_r(fsplit, "=", &vmarker);
++ if (key == NULL)
++ break;
++ else {
++ char *value = strtok_r(NULL, "=", &vmarker);
++ char empty[1];
++ empty[0]=0;
++ value = value ? value : empty;
++ value = evhttp_decode_uri(value);
++ char *p = value;
++ while (*p) {
++ if (*p == '+')
++ *p = ' ';
++ p++;
++ }
++ list->keys = (char**)realloc(list->keys,sizeof(char*)*(list->n+1));
++ list->keys[list->n] = strdup(key);
++ list->values = (char**)realloc(list->values,sizeof(char*)*(list->n+1));
++ list->values[list->n] = value;
++ ++(list->n);
++ fsplit = strtok_r(NULL, "&", &fmarker);
++ }
++ }
++ free(post_data);
++ return list;
+ }
+- list->keys = (char**)realloc(list->keys,sizeof(char*)*(list->n+1));
+- list->keys[list->n] = strdup(key);
+- list->values = (char**)realloc(list->values,sizeof(char*)*(list->n+1));
+- list->values[list->n] = value;
+- ++(list->n);
+- fsplit = strtok_r(NULL, "&", &fmarker);
+ }
+- free(post_data);
+- return list;
++ return NULL;
+ }
+
+ static struct http_request* parse_http_request_1(struct http_request* ret, char* request, int parse_post)
diff -Nru coturn-4.5.0.7/debian/patches/series coturn-4.5.0.7/debian/patches/series
--- coturn-4.5.0.7/debian/patches/series 2019-02-06 13:56:38.000000000 +0000
+++ coturn-4.5.0.7/debian/patches/series 2020-07-02 15:49:53.000000000 +0000
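Review bot: Inside the new `if (post_data != NULL)` block, the results of `malloc` for `list`, both `realloc` calls, `strdup(key)` and `evhttp_decode_uri(value)` are still used without a NULL check, so an allocation failure while parsing a request body ends in a NULL dereference, and assigning `realloc` straight back to `list->keys` / `list->values` loses the old array on failure. The sketch below checks each result and stops at the first failure, returning the pairs collected so far; it assumes the string returned by `evhttp_decode_uri` is heap-allocated and owned by the caller, which is how the existing code already treats it when storing it in `list->values`. post_parse can now also return NULL (empty body or failed `calloc`), so its callers, which are outside this hunk, need to accept that, and a one-line comment above the function stating the NULL return would make the new contract explicit.

```c
struct headers_list *list = (struct headers_list*)malloc(sizeof(struct headers_list));
if (list == NULL) {
	free(post_data);
	return NULL;
}
ns_bzero(list,sizeof(struct headers_list));
/* … unchanged: strtok_r loop header, key == NULL break, value default … */
value = evhttp_decode_uri(value);
if (value == NULL)
	break;
/* … unchanged: replace '+' with ' ' in value … */
char *key_copy = strdup(key);
char **keys = (char**)realloc(list->keys,sizeof(char*)*(list->n+1));
if (keys != NULL)
	list->keys = keys;
char **values = (char**)realloc(list->values,sizeof(char*)*(list->n+1));
if (values != NULL)
	list->values = values;
if (key_copy == NULL || keys == NULL || values == NULL) {
	/* nothing was stored for this pair; n is left untouched */
	free(key_copy);
	free(value);
	break;
}
list->keys[list->n] = key_copy;
list->values[list->n] = value;
++(list->n);
/* … unchanged: advance fsplit, free(post_data), return list … */
```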
@@ -1,3 +1,6 @@
 Disable-Web-admin-interface-due-Security-Vulnerability.patch
 Disable-loopback-peers-due-Vulnerability.patch
 empty-cli-password-not-allowed-disable-telnet-cli.patch
+CVE-2020-6061.patch
+CVE-2020-6062.patch
+CVE-2020-4067.patch