diff -Nru coturn-4.5.0.3/debian/changelog coturn-4.5.0.3/debian/changelog
--- coturn-4.5.0.3/debian/changelog 2016-04-18 13:43:31.000000000 +0000
+++ coturn-4.5.0.3/debian/changelog 2021-01-06 14:03:48.000000000 +0000
@@ -1,3 +1,51 @@
+coturn (4.5.0.3-1ubuntu0.4) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Unsafe loopback interface
+ - debian/patches/CVE-2020-26262.patch: Add check if address is in
+ 0.0.0.0/8 or ::/128.
+ - CVE-2020-26262
+
+ -- Mészáros Mihály Mon, 14 Dec 2020 14:50:15 +0100
+
+coturn (4.5.0.3-1ubuntu0.3) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Heap-buffer overflow in HTTP POST request
+ - debian/patches/CVE-2020-6061.patch: Fix overflow
+ - CVE-2020-6061
+ * SECURITY UPDATE: DoS when parsing certain HTTP POST request
+ - debian/patches/CVE-2020-6062.patch: Fix parsing of POST requests
+ - CVE-2020-6062
+ * SECURITY UPDATE: Information leak between different client connections
+ - debian/patches/CVE-2020-4067.patch: initialize with zero any new or
+ reused stun buffers
+ - CVE-2020-4067
+
+ -- Eduardo Barretto Thu, 02 Jul 2020 12:51:17 -0300
+
+coturn (4.5.0.3-1ubuntu0.2) xenial-security; urgency=medium
+
+ * Disable autotests on armhf for now as tests segfault (when tried
+ multiple times).
+
+ -- Eduardo Barretto Thu, 14 Feb 2019 15:36:33 -0200
+
+coturn (4.5.0.3-1ubuntu0.1) xenial-security; urgency=medium
+
+ * [d10b716] HotFix: for 3 Vulnerability.
+ For more details see:
+ - CVE-2018-4056 - coTURN Administrator Web Portal SQL injection vulnerability
+ - CVE-2018-4058 - coTURN TURN server unsafe loopback forwarding default configuration vulnerability
+ - CVE-2018-4059 - coTURN server unsafe telnet admin portal default configuration vulnerability
+ These patches address hotfix the 3 CVE above.
+ * Disable-Web-admin-interface-due-Security-Vulnerability.patch
+ It disables hardcocded web admin interface until 4.5.1.0 where it will be fixed correctly.
+ * Disable-loopback-peers-due-Vulnerability.patch
+ Disable by default loopback-peer functionality.
+ * empty-cli-password-not-allowed-disable-telnet-cli.patch
+ Disable telnet cli if the cli-password is empty.
+ + -- Mészáros Mihály Wed, 06 Feb 2019 13:57:04 +0100 + coturn (4.5.0.3-1build1) xenial; urgency=medium * Rebuild against libmysqlclient20. diff -Nru coturn-4.5.0.3/debian/control coturn-4.5.0.3/debian/control --- coturn-4.5.0.3/debian/control 2015-10-03 06:46:39.000000000 +0000 +++ coturn-4.5.0.3/debian/control 2019-02-08 18:55:52.000000000 +0000 @@ -1,7 +1,8 @@ Source: coturn Section: net Priority: extra -Maintainer: Debian VoIP Team +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian VoIP Team Uploaders: Daniel Pocock , Oleg Moskalenko Build-Depends: debhelper (>= 9.0.0), dpkg-dev (>= 1.16.1~), diff -Nru coturn-4.5.0.3/debian/patches/0001-Disable-Web-admin-interface-due-Security-Vulnerabili.patch coturn-4.5.0.3/debian/patches/0001-Disable-Web-admin-interface-due-Security-Vulnerabili.patch --- coturn-4.5.0.3/debian/patches/0001-Disable-Web-admin-interface-due-Security-Vulnerabili.patch 1970-01-01 00:00:00.000000000 +0000 +++ coturn-4.5.0.3/debian/patches/0001-Disable-Web-admin-interface-due-Security-Vulnerabili.patch 2019-02-08 18:55:01.000000000 +0000 
@@ -0,0 +1,25 @@
+From: =?utf-8?b?TcOpc3rDoXJvcyBNaWjDoWx5?=
+Date: Thu, 10 Jan 2019 09:58:18 +0100
+Subject: Disable Web admin interface due Security Vulnerability.
+
+---
+ src/server/ns_turn_server.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/server/ns_turn_server.c b/src/server/ns_turn_server.c
+index 791d207..e4a4476 100644
+--- a/src/server/ns_turn_server.c
++++ b/src/server/ns_turn_server.c
+@@ -4534,6 +4534,12 @@ static int read_client_connection(turn_turnserver *server,
+ SOCKET_TYPE st = get_ioa_socket_type(ss->client_socket);
+ if(is_stream_socket(st)) {
+ if(is_http((char*)ioa_network_buffer_data(in_buffer->nbh), ioa_network_buffer_get_size(in_buffer->nbh))) {
++
++ TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "HTTPS connection has been disabled due Vulnerability in the Web interface !!!\n", __FUNCTION__);
++ ss->to_be_closed = 1;
++ return 0;
++
++
+ const char *proto = "HTTP";
+ ioa_network_buffer_data(in_buffer->nbh)[ioa_network_buffer_get_size(in_buffer->nbh)] = 0;
+ if(st==TLS_SOCKET) {
diff -Nru coturn-4.5.0.3/debian/patches/0002-Disable-loopback-peers-due-Vulnerability.patch coturn-4.5.0.3/debian/patches/0002-Disable-loopback-peers-due-Vulnerability.patch
--- coturn-4.5.0.3/debian/patches/0002-Disable-loopback-peers-due-Vulnerability.patch 1970-01-01 00:00:00.000000000 +0000
+++ coturn-4.5.0.3/debian/patches/0002-Disable-loopback-peers-due-Vulnerability.patch 2019-02-08 18:55:01.000000000 +0000
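Review bot: The added `TURN_LOG_FUNC` call passes `__FUNCTION__`, but its format string has no conversion for it, so the argument is dropped; either remove the argument or begin the message with `%s: `. The message says "HTTPS" although the `is_http()` branch appears to cover plain and TLS stream sockets alike (`proto` starts as "HTTP" just below), which will mislead whoever reads the log. Everything after the unconditional `return 0;` in this branch is now unreachable, so a comment such as `/* web admin disabled as hotfix for CVE-2018-4056; code below is intentionally unreachable */` would keep a later cleanup from re-enabling it by accident. read_client_connection starts and ends outside the hunk.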
@@ -0,0 +1,21 @@
+From: =?utf-8?b?TcOpc3rDoXJvcyBNaWjDoWx5?=
+Date: Thu, 10 Jan 2019 10:00:36 +0100
+Subject: Disable loopback peers due Vulnerability.
+
+---
+ src/apps/relay/mainrelay.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
+index 28a9152..7f24c8c 100644
+--- a/src/apps/relay/mainrelay.c
++++ b/src/apps/relay/mainrelay.c
+@@ -113,7 +113,7 @@ DEFAULT_STUN_PORT,DEFAULT_STUN_TLS_PORT,0,0,1,
+ NEV_UNKNOWN,
+ { "Unknown", "UDP listening socket per session", "UDP thread per network endpoint", "UDP thread per CPU core" },
+ //////////////// Relay servers //////////////////////////////////
+-LOW_DEFAULT_PORTS_BOUNDARY,HIGH_DEFAULT_PORTS_BOUNDARY,0,0,0,"",
++LOW_DEFAULT_PORTS_BOUNDARY,HIGH_DEFAULT_PORTS_BOUNDARY,0,0,1,"",
+ 0,NULL,0,NULL,DEFAULT_GENERAL_RELAY_SERVERS_NUMBER,0,
+ ////////////// Auth server /////////////////////////////////////
+ "","",0,
diff -Nru coturn-4.5.0.3/debian/patches/0003-empty-cli-password-not-allowed-disable-telnet-cli.patch coturn-4.5.0.3/debian/patches/0003-empty-cli-password-not-allowed-disable-telnet-cli.patch
--- coturn-4.5.0.3/debian/patches/0003-empty-cli-password-not-allowed-disable-telnet-cli.patch 1970-01-01 00:00:00.000000000 +0000
+++ coturn-4.5.0.3/debian/patches/0003-empty-cli-password-not-allowed-disable-telnet-cli.patch 2019-02-08 18:55:01.000000000 +0000
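Review bot: The security default flips from `0` to `1` inside a long positional initializer, and nothing at the changed line says which field it is or why. Judging by the patch subject and the `server->no_loopback_peers` test visible in good_peer_addr elsewhere in this series, it is presumably the no-loopback-peers flag; a trailing comment such as `/* no_loopback_peers: on by default, CVE-2018-4058 */` would make the change reviewable. The hunk does not show whether any option can still clear the flag for deployments that relied on loopback peers; if none exists, the changelog entry should say so. The initializer starts and ends outside the hunk.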
@@ -0,0 +1,25 @@
+From: =?utf-8?b?TcOpc3rDoXJvcyBNaWjDoWx5?=
+Date: Thu, 14 Dec 2017 13:01:56 +0100
+Subject: empty cli-password not allowed=>disable telnet cli
+
+Adds a warning to set a cli-password and disable telnet cli interface.
+---
+ src/apps/relay/mainrelay.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
+index 7f24c8c..2e57217 100644
+--- a/src/apps/relay/mainrelay.c
++++ b/src/apps/relay/mainrelay.c
+@@ -1977,6 +1977,11 @@ int main(int argc, char **argv)
+ exit(-1);
+ }
+
++ if(cli_password[0]==0) {
++ TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nCONFIG ERROR: Empty cli-password, and so telnet cli interface is disabled! Please set a non empty cli-password!\n");
++ use_cli = 0;
++ }
++
+ if(!use_lt_credentials && !anon_credentials) {
+ if(turn_params.default_users_db.ram_db.users_number) {
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "\nCONFIGURATION ALERT: you specified long-term user accounts, (-u option) \n but you did not specify the long-term credentials option\n (-a or --lt-cred-mech option).\n I am turning --lt-cred-mech ON for you, but double-check your configuration.\n");
diff -Nru coturn-4.5.0.3/debian/patches/CVE-2020-26262.patch coturn-4.5.0.3/debian/patches/CVE-2020-26262.patch
--- coturn-4.5.0.3/debian/patches/CVE-2020-26262.patch 1970-01-01 00:00:00.000000000 +0000
+++ coturn-4.5.0.3/debian/patches/CVE-2020-26262.patch 2021-01-06 14:03:24.000000000 +0000
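Review bot: The new test does not look at `use_cli`, so a server whose CLI is already off still logs `CONFIG ERROR` at error level on every start with an empty `cli_password`; `if(use_cli && cli_password[0]==0) {` would confine the message to the case it describes. The patch description calls this a warning while the call uses `TURN_LOG_LEVEL_ERROR`, so one of the two should be aligned. A short comment such as `/* CVE-2018-4059: never expose the telnet CLI without a password */` above the block would record why the override is unconditional. main starts and ends outside the hunk.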
@@ -0,0 +1,77 @@
+From: Sandro Gauci
+Date: Mon, 30 Nov 2020 14:02:35 +0100
+Subject: Fix-CVE-2020-26262-Enable-Security
+
+---
+ src/client/ns_turn_ioaddr.c | 29 +++++++++++++++++++++++++++--
+ src/client/ns_turn_ioaddr.h | 1 +
+ src/server/ns_turn_server.c | 2 ++
+ 3 files changed, 30 insertions(+), 2 deletions(-)
+
+--- coturn-4.5.0.3.orig/src/client/ns_turn_ioaddr.c
++++ coturn-4.5.0.3/src/client/ns_turn_ioaddr.c
+@@ -485,9 +485,9 @@ int ioa_addr_is_loopback(ioa_addr *addr)
+ return (u[0] == 127);
+ } else if(addr->ss.sa_family == AF_INET6) {
+ const u08bits *u = ((const u08bits*)&(addr->s6.sin6_addr));
+- if(u[7] == 1) {
++ if(u[15] == 1) {
+ int i;
+- for(i=0;i<7;++i) {
++ for(i=0;i<15;++i) {
+ if(u[i])
+ return 0;
+ }
+@@ -496,6 +496,31 @@ int ioa_addr_is_loopback(ioa_addr *addr)
+ }
+ }
+ return 0;
++}
++
++/*
++To avoid a vulnerability this function checks whether the addr is in 0.0.0.0/8 or ::/128.
++Source from (INADDR_ANY) 0.0.0.0/32 and (in6addr_any) ::/128 routed to loopback on Linux systems for old BSD backward compatibility.
++https://github.com/torvalds/linux/blob/a2f5ea9e314ba6778f885c805c921e9362ec0420/net/ipv6/tcp_ipv6.c#L182
++To avoid any trouble we match the whole 0.0.0.0/8 that defined in RFC6890 as local network "this".
++*/
++int ioa_addr_is_zero(ioa_addr *addr)
++{
++ if(addr) {
++ if(addr->ss.sa_family == AF_INET) {
++ const uint8_t *u = ((const uint8_t*)&(addr->s4.sin_addr));
++ return (u[0] == 0);
++ } else if(addr->ss.sa_family == AF_INET6) {
++ const uint8_t *u = ((const uint8_t*)&(addr->s6.sin6_addr));
++ int i;
++ for(i=0;i<=15;++i) {
++ if(u[i])
++ return 0;
++ }
++ return 1;
++ }
++ }
++ return 0;
+ }
+
+ /////// Map "public" address to "private" address //////////////
+--- coturn-4.5.0.3.orig/src/client/ns_turn_ioaddr.h
++++ coturn-4.5.0.3/src/client/ns_turn_ioaddr.h
+@@ -89,6 +89,7 @@ void ioa_addr_range_cpy(ioa_addr_range*
+
+ int ioa_addr_is_multicast(ioa_addr *a);
+ int ioa_addr_is_loopback(ioa_addr *addr);
++int ioa_addr_is_zero(ioa_addr *addr);
+
+ /////// Map "public" address to "private" address //////////////
+
+--- coturn-4.5.0.3.orig/src/server/ns_turn_server.c
++++ coturn-4.5.0.3/src/server/ns_turn_server.c
+@@ -259,6 +259,8 @@ static int good_peer_addr(turn_turnserve
+ return 0;
+ if(*(server->no_loopback_peers) && ioa_addr_is_loopback(peer_addr))
+ return 0;
++ if (ioa_addr_is_zero(peer_addr))
++ return 0;
+
+ {
+ int i;
diff -Nru coturn-4.5.0.3/debian/patches/CVE-2020-4067.patch coturn-4.5.0.3/debian/patches/CVE-2020-4067.patch
--- coturn-4.5.0.3/debian/patches/CVE-2020-4067.patch 1970-01-01 00:00:00.000000000 +0000
+++ coturn-4.5.0.3/debian/patches/CVE-2020-4067.patch 2020-07-02 15:51:10.000000000 +0000
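Review bot: `ioa_addr_is_zero()` applies the 0.0.0.0/8 rule only when `sa_family` is `AF_INET`; in the `AF_INET6` branch only the all-zero address matches, so an IPv4-mapped form of a "this network" address returns 0, and the corrected `ioa_addr_is_loopback()` likewise matches only `::1` on the IPv6 side. Whether a peer address can reach `good_peer_addr()` in mapped form is not visible in these hunks, but the filter is safer if it does not depend on that, e.g. `if(IN6_IS_ADDR_V4MAPPED(&(addr->s6.sin6_addr))) return (u[12] == 0);` ahead of the loop. The zero check in `good_peer_addr()` is unconditional while the loopback check above it is gated by `no_loopback_peers`; a one-line comment saying that is deliberate would help the next reader. The new function also uses `uint8_t` where its neighbour uses `u08bits`.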
@@ -0,0 +1,34 @@
+From fc1e0732069e95f2de3cf1a22d15c44bbd3cfaae Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?=
+Date: Mon, 22 Jun 2020 00:08:12 +0200
+Subject: [PATCH 1/2] init with zero any new or reused stun buffers
+
+[Salvatore Bonaccorso: backport to 4.5.1.1: Use consistently ns_bzero as it
+does not yet contain the upstream change 7a43aae7c3e1 ("Remove ns_bzero(),
+ns_bcopy(), and ns_bcmp()"). Adjust for context changes.]
+---
+ src/apps/relay/ns_ioalib_engine_impl.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/src/apps/relay/ns_ioalib_engine_impl.c
++++ b/src/apps/relay/ns_ioalib_engine_impl.c
+@@ -293,10 +293,19 @@ static stun_buffer_list_elem *new_blist_
+
+ if(!ret) {
+ ret = (stun_buffer_list_elem *)turn_malloc(sizeof(stun_buffer_list_elem));
++ /* init ns_bzero below will solve all of these in one step
+ ret->buf.len = 0;
+ ret->buf.offset = 0;
+ ret->buf.coffset = 0;
++ */
+ ret->next = NULL;
++ if (!ret) {
++ TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: Cannot allocate memory for STUN buffer!\n", __FUNCTION__);
++ }
++ }
++
++ if(ret) {
++ ns_bzero(&ret->buf, sizeof(stun_buffer));
+ }
+
+ return ret;
diff -Nru coturn-4.5.0.3/debian/patches/CVE-2020-6061.patch coturn-4.5.0.3/debian/patches/CVE-2020-6061.patch
--- coturn-4.5.0.3/debian/patches/CVE-2020-6061.patch 1970-01-01 00:00:00.000000000 +0000
+++ coturn-4.5.0.3/debian/patches/CVE-2020-6061.patch 2020-07-02 15:51:00.000000000 +0000
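Review bot: `ret->next = NULL;` still runs before the new `if (!ret)` test, so a failed `turn_malloc()` is dereferenced before the error can be logged and the added check never takes effect. Put the assignment in an `else` branch of that test, `} else { ret->next = NULL; }`, so the log path is the only thing that runs on a NULL `ret`. The three field assignments left inside the new `/* ... */` are dead text; deleting them reads better than commenting them out, since `ns_bzero(&ret->buf, sizeof(stun_buffer))` now covers them. The function starts outside the hunk.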
@@ -0,0 +1,28 @@
+From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?=
+Date: Mon, 17 Feb 2020 10:34:56 +0100
+Subject: Fix: CVE-2020-6061/TALOS-2020-0984
+Origin: https://github.com/coturn/coturn/commit/51a7c2b9bf924890c7a3ff4db9c4976c5a93340a
+Bug: https://talosintelligence.com/vulnerability_reports/TALOS-2020-0984
+Bug-Debian: https://bugs.debian.org/951876
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-6061
+
+---
+ src/apps/relay/http_server.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/apps/relay/http_server.c b/src/apps/relay/http_server.c
+index 573af49b5ce9..1126b49c1526 100644
+--- a/src/apps/relay/http_server.c
++++ b/src/apps/relay/http_server.c
+@@ -103,7 +103,7 @@ const char* get_http_date_header()
+
+ static struct headers_list * post_parse(char *data, size_t data_len)
+ {
+- while((*data=='\r')||(*data=='\n')) ++data;
++ while((*data=='\r')||(*data=='\n')) { ++data; --data_len; }
+ char *post_data = (char*)calloc(data_len + 1, sizeof(char));
+ memcpy(post_data, data, data_len);
+ char *fmarker = NULL;
+--
+2.27.0
+
diff -Nru coturn-4.5.0.3/debian/patches/CVE-2020-6062.patch coturn-4.5.0.3/debian/patches/CVE-2020-6062.patch
--- coturn-4.5.0.3/debian/patches/CVE-2020-6062.patch 1970-01-01 00:00:00.000000000 +0000
+++ coturn-4.5.0.3/debian/patches/CVE-2020-6062.patch 2020-07-02 15:51:06.000000000 +0000
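Review bot: The rewritten skip loop decrements `data_len` without testing it, so if a caller ever passes a length shorter than the leading CR/LF run (the caller is not in this hunk) the `size_t` wraps and the following `calloc(data_len + 1, ...)` and `memcpy` work from a bogus length. Bounding the loop on the counter removes the dependency on the caller: `while(data_len && ((*data=='\r')||(*data=='\n'))) { ++data; --data_len; }`. The `calloc` result is still used unchecked here; the later CVE-2020-6062.patch in this series adds that test. post_parse continues past the end of the hunk.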
@@ -0,0 +1,89 @@ +From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= +Date: Tue, 18 Feb 2020 12:31:38 +0100 +Subject: Fix: CVE-2020-6062 / TALOS-2020-0985 +Origin: https://github.com/coturn/coturn/commit/e09bcd9f7af5b32c81b37f51835b384b5a7d03a8 +Bug: https://talosintelligence.com/vulnerability_reports/TALOS-2020-0985 +Bug-Debian: https://bugs.debian.org/951876 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-6062 + +[Salvatore Bonaccorso: backport to 4.5.1.1: Use consistently ns_bzero as it +does not yet contain the upstream change 7a43aae7c3e1 ("Remove ns_bzero(), +ns_bcopy(), and ns_bcmp()")] +--- + src/apps/relay/http_server.c | 63 ++++++++++++++++++++---------------- + 1 file changed, 36 insertions(+), 27 deletions(-) + +--- a/src/apps/relay/http_server.c ++++ b/src/apps/relay/http_server.c +@@ -104,35 +104,44 @@ const char* get_http_date_header() + static struct headers_list * post_parse(char *data, size_t data_len) + { + while((*data=='\r')||(*data=='\n')) { ++data; --data_len; } +- char *post_data = (char*)calloc(data_len + 1, sizeof(char)); +- memcpy(post_data, data, data_len); +- char *fmarker = NULL; +- char *fsplit = strtok_r(post_data, "&", &fmarker); +- struct headers_list *list = (struct headers_list*)malloc(sizeof(struct headers_list)); +- ns_bzero(list,sizeof(struct headers_list)); +- while (fsplit != NULL) { +- char *vmarker = NULL; +- char *key = strtok_r(fsplit, "=", &vmarker); +- char *value = strtok_r(NULL, "=", &vmarker); +- char empty[1]; +- empty[0]=0; +- value = value ? 
value : empty; +- value = evhttp_decode_uri(value); +- char *p = value; +- while (*p) { +- if (*p == '+') +- *p = ' '; +- p++; ++ if (data_len) { ++ char *post_data = (char*)calloc(data_len + 1, sizeof(char)); ++ if (post_data != NULL) { ++ memcpy(post_data, data, data_len); ++ char *fmarker = NULL; ++ char *fsplit = strtok_r(post_data, "&", &fmarker); ++ struct headers_list *list = (struct headers_list*)malloc(sizeof(struct headers_list)); ++ ns_bzero(list,sizeof(struct headers_list)); ++ while (fsplit != NULL) { ++ char *vmarker = NULL; ++ char *key = strtok_r(fsplit, "=", &vmarker); ++ if (key == NULL) ++ break; ++ else { ++ char *value = strtok_r(NULL, "=", &vmarker); ++ char empty[1]; ++ empty[0]=0; ++ value = value ? value : empty; ++ value = evhttp_decode_uri(value); ++ char *p = value; ++ while (*p) { ++ if (*p == '+') ++ *p = ' '; ++ p++; ++ } ++ list->keys = (char**)realloc(list->keys,sizeof(char*)*(list->n+1)); ++ list->keys[list->n] = strdup(key); ++ list->values = (char**)realloc(list->values,sizeof(char*)*(list->n+1)); ++ list->values[list->n] = value; ++ ++(list->n); ++ fsplit = strtok_r(NULL, "&", &fmarker); ++ } ++ } ++ free(post_data); ++ return list; + } +- list->keys = (char**)realloc(list->keys,sizeof(char*)*(list->n+1)); +- list->keys[list->n] = strdup(key); +- list->values = (char**)realloc(list->values,sizeof(char*)*(list->n+1)); +- list->values[list->n] = value; +- ++(list->n); +- fsplit = strtok_r(NULL, "&", &fmarker); + } +- free(post_data); +- return list; ++ return NULL; + } + + static struct http_request* parse_http_request_1(struct http_request* ret, char* request, int parse_post) diff -Nru coturn-4.5.0.3/debian/patches/series coturn-4.5.0.3/debian/patches/series --- coturn-4.5.0.3/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ coturn-4.5.0.3/debian/patches/series 2021-01-06 14:03:24.000000000 +0000 
@@ -0,0 +1,7 @@ +0001-Disable-Web-admin-interface-due-Security-Vulnerabili.patch +0002-Disable-loopback-peers-due-Vulnerability.patch +0003-empty-cli-password-not-allowed-disable-telnet-cli.patch +CVE-2020-6061.patch +CVE-2020-6062.patch +CVE-2020-4067.patch +CVE-2020-26262.patch diff -Nru coturn-4.5.0.3/debian/rules coturn-4.5.0.3/debian/rules --- coturn-4.5.0.3/debian/rules 2014-11-23 21:47:15.000000000 +0000 +++ coturn-4.5.0.3/debian/rules 2019-02-14 17:36:08.000000000 +0000 @@ -3,6 +3,7 @@ export DEB_BUILD_MAINT_OPTIONS = hardening=+all DPKG_EXPORT_BUILDFLAGS = 1 include /usr/share/dpkg/buildflags.mk +DEB_BUILD_ARCH ?= $(shell dpkg-architecture -qDEB_BUILD_ARCH) # Uncomment this to turn on verbose mode. export DH_VERBOSE=1 @@ -16,5 +17,9 @@ override_dh_auto_configure: dh_auto_configure -- --disable-rpath --turndbdir=/var/lib/turn +ifeq ($(DEB_BUILD_ARCH), $(filter $(DEB_BUILD_ARCH), armhf)) +override_dh_auto_test: +endif + %: dh $@ --builddirectory=.