diff -Nru coturn-4.5.0.3/debian/changelog coturn-4.5.0.3/debian/changelog --- coturn-4.5.0.3/debian/changelog 2020-07-02 15:51:17.000000000 +0000 +++ coturn-4.5.0.3/debian/changelog 2021-01-06 14:03:48.000000000 +0000 @@ -1,3 +1,12 @@ +coturn (4.5.0.3-1ubuntu0.4) xenial-security; urgency=medium + + * SECURITY UPDATE: Unsafe loopback interface + - debian/patches/CVE-2020-26262.patch: Add check if address is in + 0.0.0.0/8 or ::/128. + - CVE-2020-26262 + + -- Mészáros Mihály Mon, 14 Dec 2020 14:50:15 +0100 + coturn (4.5.0.3-1ubuntu0.3) xenial-security; urgency=medium * SECURITY UPDATE: Heap-buffer overflow in HTTP POST request diff -Nru coturn-4.5.0.3/debian/patches/CVE-2020-26262.patch coturn-4.5.0.3/debian/patches/CVE-2020-26262.patch --- coturn-4.5.0.3/debian/patches/CVE-2020-26262.patch 1970-01-01 00:00:00.000000000 +0000 +++ coturn-4.5.0.3/debian/patches/CVE-2020-26262.patch 2021-01-06 14:03:24.000000000 +0000 @@ -0,0 +1,77 @@ +From: Sandro Gauci +Date: Mon, 30 Nov 2020 14:02:35 +0100 +Subject: Fix-CVE-2020-26262-Enable-Security + +--- + src/client/ns_turn_ioaddr.c | 29 +++++++++++++++++++++++++++-- + src/client/ns_turn_ioaddr.h | 1 + + src/server/ns_turn_server.c | 2 ++ + 3 files changed, 30 insertions(+), 2 deletions(-) + +--- coturn-4.5.0.3.orig/src/client/ns_turn_ioaddr.c ++++ coturn-4.5.0.3/src/client/ns_turn_ioaddr.c +@@ -485,9 +485,9 @@ int ioa_addr_is_loopback(ioa_addr *addr) + return (u[0] == 127); + } else if(addr->ss.sa_family == AF_INET6) { + const u08bits *u = ((const u08bits*)&(addr->s6.sin6_addr)); +- if(u[7] == 1) { ++ if(u[15] == 1) { + int i; +- for(i=0;i<7;++i) { ++ for(i=0;i<15;++i) { + if(u[i]) + return 0; + } +@@ -496,6 +496,31 @@ int ioa_addr_is_loopback(ioa_addr *addr) + } + } + return 0; ++} ++ ++/* ++To avoid a vulnerability this function checks whether the addr is in 0.0.0.0/8 or ::/128. ++Source from (INADDR_ANY) 0.0.0.0/32 and (in6addr_any) ::/128 routed to loopback on Linux systems for old BSD backward compatibility. ++https://github.com/torvalds/linux/blob/a2f5ea9e314ba6778f885c805c921e9362ec0420/net/ipv6/tcp_ipv6.c#L182 ++To avoid any trouble we match the whole 0.0.0.0/8 that defined in RFC6890 as local network "this". ++*/ ++int ioa_addr_is_zero(ioa_addr *addr) ++{ ++ if(addr) { ++ if(addr->ss.sa_family == AF_INET) { ++ const uint8_t *u = ((const uint8_t*)&(addr->s4.sin_addr)); ++ return (u[0] == 0); ++ } else if(addr->ss.sa_family == AF_INET6) { ++ const uint8_t *u = ((const uint8_t*)&(addr->s6.sin6_addr)); ++ int i; ++ for(i=0;i<=15;++i) { ++ if(u[i]) ++ return 0; ++ } ++ return 1; ++ } ++ } ++ return 0; + } + + /////// Map "public" address to "private" address ////////////// +--- coturn-4.5.0.3.orig/src/client/ns_turn_ioaddr.h ++++ coturn-4.5.0.3/src/client/ns_turn_ioaddr.h +@@ -89,6 +89,7 @@ void ioa_addr_range_cpy(ioa_addr_range* + + int ioa_addr_is_multicast(ioa_addr *a); + int ioa_addr_is_loopback(ioa_addr *addr); ++int ioa_addr_is_zero(ioa_addr *addr); + + /////// Map "public" address to "private" address ////////////// + +--- coturn-4.5.0.3.orig/src/server/ns_turn_server.c ++++ coturn-4.5.0.3/src/server/ns_turn_server.c +@@ -259,6 +259,8 @@ static int good_peer_addr(turn_turnserve + return 0; + if(*(server->no_loopback_peers) && ioa_addr_is_loopback(peer_addr)) + return 0; ++ if (ioa_addr_is_zero(peer_addr)) ++ return 0; + + { + int i; diff -Nru coturn-4.5.0.3/debian/patches/series coturn-4.5.0.3/debian/patches/series --- coturn-4.5.0.3/debian/patches/series 2020-07-02 15:51:10.000000000 +0000 +++ coturn-4.5.0.3/debian/patches/series 2021-01-06 14:03:24.000000000 +0000 @@ -4,3 +4,4 @@ CVE-2020-6061.patch CVE-2020-6062.patch CVE-2020-4067.patch +CVE-2020-26262.patch