Import Debian changes 4.5.1.1-1.1+deb10u1

coturn (4.5.1.1-1.1+deb10u1) buster-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * specially crafted HTTP POST request can lead to heap overflow which can
    result in information leak (CVE-2020-6061) (Closes: #951876)
  * specially crafted HTTP POST request can lead to server crash and denial of
    service (CVE-2020-6062) (Closes: #951876)
  * init with zero any new or reused stun buffers (CVE-2020-4067)

debian/changelog

@@ -1,3 +1,14 @@
+coturn (4.5.1.1-1.1+deb10u1) buster-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * specially crafted HTTP POST request can lead to heap overflow which can
+    result in information leak (CVE-2020-6061) (Closes: #951876)
+  * specially crafted HTTP POST request can lead to server crash and denial of
+    service (CVE-2020-6062) (Closes: #951876)
+  * init with zero any new or reused stun buffers (CVE-2020-4067)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 26 Jun 2020 10:49:56 +0200
+
 coturn (4.5.1.1-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.

debian/control

@@ -18,8 +18,8 @@ Build-Depends: debhelper (>=11.0.0),
                sqlite3
 Standards-Version: 4.3.0
 Homepage: https://github.com/coturn/coturn/
-Vcs-Git: https://github.com/coturn/coturn.git -b debian/master
-Vcs-Browser: https://github.com/coturn/coturn/tree/debian/master
+Vcs-Git: https://github.com/coturn/coturn.git -b debian/sid
+Vcs-Browser: https://github.com/coturn/coturn/tree/debian/sid
 
 Package: coturn
 Architecture: any

debian/gbp.conf

@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/buster
+debian-branch = debian/master
 upstream-branch = upstream/latest
 pristine-tar = True
 

debian/patches/Fix-CVE-2020-6061-TALOS-2020-0984.patch

@@ -0,0 +1,28 @@
+From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= <misi@majd.eu>
+Date: Mon, 17 Feb 2020 10:34:56 +0100
+Subject: Fix: CVE-2020-6061/TALOS-2020-0984
+Origin: https://github.com/coturn/coturn/commit/51a7c2b9bf924890c7a3ff4db9c4976c5a93340a
+Bug: https://talosintelligence.com/vulnerability_reports/TALOS-2020-0984
+Bug-Debian: https://bugs.debian.org/951876
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-6061
+
+---
+ src/apps/relay/http_server.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/apps/relay/http_server.c b/src/apps/relay/http_server.c
+index 573af49b5ce9..1126b49c1526 100644
+--- a/src/apps/relay/http_server.c
++++ b/src/apps/relay/http_server.c
+@@ -103,7 +103,7 @@ const char* get_http_date_header()
+ 
+ static struct headers_list * post_parse(char *data, size_t data_len)
+ {
+-	while((*data=='\r')||(*data=='\n')) ++data;
++	while((*data=='\r')||(*data=='\n')) { ++data; --data_len; }
+ 	char *post_data = (char*)calloc(data_len + 1, sizeof(char));
+ 	memcpy(post_data, data, data_len);
+ 	char *fmarker = NULL;
+-- 
+2.27.0
+

debian/patches/Fix-CVE-2020-6062-TALOS-2020-0985.patch

@@ -0,0 +1,89 @@
+From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= <misi@majd.eu>
+Date: Tue, 18 Feb 2020 12:31:38 +0100
+Subject: Fix: CVE-2020-6062 / TALOS-2020-0985
+Origin: https://github.com/coturn/coturn/commit/e09bcd9f7af5b32c81b37f51835b384b5a7d03a8
+Bug: https://talosintelligence.com/vulnerability_reports/TALOS-2020-0985
+Bug-Debian: https://bugs.debian.org/951876
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-6062
+
+[Salvatore Bonaccorso: backport to 4.5.1.1: Use consistently ns_bzero as it
+does not yet contain the upstream change 7a43aae7c3e1 ("Remove ns_bzero(),
+ns_bcopy(), and ns_bcmp()")]
+---
+ src/apps/relay/http_server.c | 63 ++++++++++++++++++++----------------
+ 1 file changed, 36 insertions(+), 27 deletions(-)
+
+--- a/src/apps/relay/http_server.c
++++ b/src/apps/relay/http_server.c
+@@ -104,35 +104,44 @@ const char* get_http_date_header()
+ static struct headers_list * post_parse(char *data, size_t data_len)
+ {
+ 	while((*data=='\r')||(*data=='\n')) { ++data; --data_len; }
+-	char *post_data = (char*)calloc(data_len + 1, sizeof(char));
+-	memcpy(post_data, data, data_len);
+-	char *fmarker = NULL;
+-	char *fsplit = strtok_r(post_data, "&", &fmarker);
+-	struct headers_list *list = (struct headers_list*)malloc(sizeof(struct headers_list));
+-	ns_bzero(list,sizeof(struct headers_list));
+-	while (fsplit != NULL) {
+-		char *vmarker = NULL;
+-		char *key = strtok_r(fsplit, "=", &vmarker);
+-		char *value = strtok_r(NULL, "=", &vmarker);
+-		char empty[1];
+-		empty[0]=0;
+-		value = value ? value : empty;
+-		value = evhttp_decode_uri(value);
+-		char *p = value;
+-		while (*p) {
+-			if (*p == '+')
+-				*p = ' ';
+-			p++;
++	if (data_len) {
++		char *post_data = (char*)calloc(data_len + 1, sizeof(char));
++		if (post_data != NULL) {
++			memcpy(post_data, data, data_len);
++			char *fmarker = NULL;
++			char *fsplit = strtok_r(post_data, "&", &fmarker);
++			struct headers_list *list = (struct headers_list*)malloc(sizeof(struct headers_list));
++			ns_bzero(list,sizeof(struct headers_list));
++			while (fsplit != NULL) {
++				char *vmarker = NULL;
++				char *key = strtok_r(fsplit, "=", &vmarker);
++				if (key == NULL)
++					break;
++				else {
++					char *value = strtok_r(NULL, "=", &vmarker);
++					char empty[1];
++					empty[0]=0;
++					value = value ? value : empty;
++					value = evhttp_decode_uri(value);
++					char *p = value;
++					while (*p) {
++						if (*p == '+')
++							*p = ' ';
++						p++;
++					}
++					list->keys = (char**)realloc(list->keys,sizeof(char*)*(list->n+1));
++					list->keys[list->n] = strdup(key);
++					list->values = (char**)realloc(list->values,sizeof(char*)*(list->n+1));
++					list->values[list->n] = value;
++					++(list->n);
++					fsplit = strtok_r(NULL, "&", &fmarker);
++				}
++			}
++			free(post_data);
++			return list;
+ 		}
+-		list->keys = (char**)realloc(list->keys,sizeof(char*)*(list->n+1));
+-		list->keys[list->n] = strdup(key);
+-		list->values = (char**)realloc(list->values,sizeof(char*)*(list->n+1));
+-		list->values[list->n] = value;
+-		++(list->n);
+-		fsplit = strtok_r(NULL, "&", &fmarker);
+ 	}
+-	free(post_data);
+-	return list;
++	return NULL;
+ }
+ 
+ static struct http_request* parse_http_request_1(struct http_request* ret, char* request, int parse_post)

debian/patches/init-with-zero-any-new-or-reused-stun-buffers.patch

@@ -0,0 +1,34 @@
+From fc1e0732069e95f2de3cf1a22d15c44bbd3cfaae Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= <misi@majd.eu>
+Date: Mon, 22 Jun 2020 00:08:12 +0200
+Subject: [PATCH 1/2] init with zero any new or reused stun buffers
+
+[Salvatore Bonaccorso: backport to 4.5.1.1: Use consistently ns_bzero as it
+does not yet contain the upstream change 7a43aae7c3e1 ("Remove ns_bzero(),
+ns_bcopy(), and ns_bcmp()"). Adjust for context changes.]
+---
+ src/apps/relay/ns_ioalib_engine_impl.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/src/apps/relay/ns_ioalib_engine_impl.c
++++ b/src/apps/relay/ns_ioalib_engine_impl.c
+@@ -293,10 +293,19 @@ static stun_buffer_list_elem *new_blist_
+ 
+ 	if(!ret) {
+ 	  ret = (stun_buffer_list_elem *)turn_malloc(sizeof(stun_buffer_list_elem));
++	  /* init ns_bzero below will solve all of these in one step
+ 	  ret->buf.len = 0;
+ 	  ret->buf.offset = 0;
+ 	  ret->buf.coffset = 0;
++	  */
+ 	  ret->next = NULL;
++	  if (!ret) {
++		TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: Cannot allocate memory for STUN buffer!\n", __FUNCTION__);
++	  }
++	}
++
++	if(ret) {
++	  ns_bzero(&ret->buf, sizeof(stun_buffer));
+ 	}
+ 
+ 	return ret;

debian/patches/series

@@ -1 +1,4 @@
 Set-logging-to-syslog.patch
+Fix-CVE-2020-6061-TALOS-2020-0984.patch
+Fix-CVE-2020-6062-TALOS-2020-0985.patch
+init-with-zero-any-new-or-reused-stun-buffers.patch