diff --git a/debian/changelog b/debian/changelog
index 04b20073..46b2b503 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+coturn (4.5.1.1-1.1+deb10u1) buster-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * specially crafted HTTP POST request can lead to heap overflow which can
+ result in information leak (CVE-2020-6061) (Closes: #951876)
+ * specially crafted HTTP POST request can lead to server crash and denial of
+ service (CVE-2020-6062) (Closes: #951876)
+ * init with zero any new or reused stun buffers (CVE-2020-4067)
+
+ -- Salvatore Bonaccorso Fri, 26 Jun 2020 10:49:56 +0200
+
 coturn (4.5.1.1-1.1) unstable; urgency=medium
 * Non-maintainer upload.
diff --git a/debian/control b/debian/control
index 92f30c97..fa0cd909 100644
--- a/debian/control
+++ b/debian/control
@@ -18,8 +18,8 @@ Build-Depends: debhelper (>=11.0.0),
 sqlite3
 Standards-Version: 4.3.0
 Homepage: https://github.com/coturn/coturn/
-Vcs-Git: https://github.com/coturn/coturn.git -b debian/master
-Vcs-Browser: https://github.com/coturn/coturn/tree/debian/master
+Vcs-Git: https://github.com/coturn/coturn.git -b debian/sid
+Vcs-Browser: https://github.com/coturn/coturn/tree/debian/sid
 Package: coturn
 Architecture: any
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 6aed566c..3045a1ce 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/buster
+debian-branch = debian/master
 upstream-branch = upstream/latest
 pristine-tar = True
diff --git a/debian/patches/Fix-CVE-2020-6061-TALOS-2020-0984.patch b/debian/patches/Fix-CVE-2020-6061-TALOS-2020-0984.patch
new file mode 100644
index 00000000..bf4287cf
--- /dev/null
+++ b/debian/patches/Fix-CVE-2020-6061-TALOS-2020-0984.patch
@@ -0,0 +1,28 @@
+From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?=
+Date: Mon, 17 Feb 2020 10:34:56 +0100
+Subject: Fix: CVE-2020-6061/TALOS-2020-0984
+Origin: https://github.com/coturn/coturn/commit/51a7c2b9bf924890c7a3ff4db9c4976c5a93340a
+Bug: https://talosintelligence.com/vulnerability_reports/TALOS-2020-0984
+Bug-Debian: https://bugs.debian.org/951876
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-6061
+
+---
+ src/apps/relay/http_server.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/apps/relay/http_server.c b/src/apps/relay/http_server.c
+index 573af49b5ce9..1126b49c1526 100644
+--- a/src/apps/relay/http_server.c
++++ b/src/apps/relay/http_server.c
+@@ -103,7 +103,7 @@ const char* get_http_date_header()
+
+ static struct headers_list * post_parse(char *data, size_t data_len)
+ {
+- while((*data=='\r')||(*data=='\n')) ++data;
++ while((*data=='\r')||(*data=='\n')) { ++data; --data_len; }
+ char *post_data = (char*)calloc(data_len + 1, sizeof(char));
+ memcpy(post_data, data, data_len);
+ char *fmarker = NULL;
+--
+2.27.0
+
diff --git a/debian/patches/Fix-CVE-2020-6062-TALOS-2020-0985.patch b/debian/patches/Fix-CVE-2020-6062-TALOS-2020-0985.patch
new file mode 100644
index 00000000..455c4979
--- /dev/null
+++ b/debian/patches/Fix-CVE-2020-6062-TALOS-2020-0985.patch
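Review bot: In the post_parse hunk of Fix-CVE-2020-6061-TALOS-2020-0984.patch, the rewritten skip loop decrements `data_len` without ever testing it, so if the run of leading CR/LF bytes is longer than `data_len` the `size_t` wraps and `data` has already moved past the counted bytes before `calloc` and `memcpy` use the length. Bounding the loop on the length closes that: `while (data_len && ((*data=='\r')||(*data=='\n'))) { ++data; --data_len; }`. Whether a caller can hand in such a buffer is not visible here, because post_parse continues below the hunk and its callers are not shown. The same loop line is carried unchanged as context in Fix-CVE-2020-6062-TALOS-2020-0985.patch, so the bound would need to be applied there as well.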
@@ -0,0 +1,89 @@
+From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?=
+Date: Tue, 18 Feb 2020 12:31:38 +0100
+Subject: Fix: CVE-2020-6062 / TALOS-2020-0985
+Origin: https://github.com/coturn/coturn/commit/e09bcd9f7af5b32c81b37f51835b384b5a7d03a8
+Bug: https://talosintelligence.com/vulnerability_reports/TALOS-2020-0985
+Bug-Debian: https://bugs.debian.org/951876
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-6062
+
+[Salvatore Bonaccorso: backport to 4.5.1.1: Use consistently ns_bzero as it
+does not yet contain the upstream change 7a43aae7c3e1 ("Remove ns_bzero(),
+ns_bcopy(), and ns_bcmp()")]
+---
+ src/apps/relay/http_server.c | 63 ++++++++++++++++++++----------------
+ 1 file changed, 36 insertions(+), 27 deletions(-)
+
+--- a/src/apps/relay/http_server.c
++++ b/src/apps/relay/http_server.c
+@@ -104,35 +104,44 @@ const char* get_http_date_header()
+ static struct headers_list * post_parse(char *data, size_t data_len)
+ {
+ while((*data=='\r')||(*data=='\n')) { ++data; --data_len; }
+- char *post_data = (char*)calloc(data_len + 1, sizeof(char));
+- memcpy(post_data, data, data_len);
+- char *fmarker = NULL;
+- char *fsplit = strtok_r(post_data, "&", &fmarker);
+- struct headers_list *list = (struct headers_list*)malloc(sizeof(struct headers_list));
+- ns_bzero(list,sizeof(struct headers_list));
+- while (fsplit != NULL) {
+- char *vmarker = NULL;
+- char *key = strtok_r(fsplit, "=", &vmarker);
+- char *value = strtok_r(NULL, "=", &vmarker);
+- char empty[1];
+- empty[0]=0;
+- value = value ? value : empty;
+- value = evhttp_decode_uri(value);
+- char *p = value;
+- while (*p) {
+- if (*p == '+')
+- *p = ' ';
+- p++;
++ if (data_len) {
++ char *post_data = (char*)calloc(data_len + 1, sizeof(char));
++ if (post_data != NULL) {
++ memcpy(post_data, data, data_len);
++ char *fmarker = NULL;
++ char *fsplit = strtok_r(post_data, "&", &fmarker);
++ struct headers_list *list = (struct headers_list*)malloc(sizeof(struct headers_list));
++ ns_bzero(list,sizeof(struct headers_list));
++ while (fsplit != NULL) {
++ char *vmarker = NULL;
++ char *key = strtok_r(fsplit, "=", &vmarker);
++ if (key == NULL)
++ break;
++ else {
++ char *value = strtok_r(NULL, "=", &vmarker);
++ char empty[1];
++ empty[0]=0;
++ value = value ? value : empty;
++ value = evhttp_decode_uri(value);
++ char *p = value;
++ while (*p) {
++ if (*p == '+')
++ *p = ' ';
++ p++;
++ }
++ list->keys = (char**)realloc(list->keys,sizeof(char*)*(list->n+1));
++ list->keys[list->n] = strdup(key);
++ list->values = (char**)realloc(list->values,sizeof(char*)*(list->n+1));
++ list->values[list->n] = value;
++ ++(list->n);
++ fsplit = strtok_r(NULL, "&", &fmarker);
++ }
++ }
++ free(post_data);
++ return list;
+ }
+- list->keys = (char**)realloc(list->keys,sizeof(char*)*(list->n+1));
+- list->keys[list->n] = strdup(key);
+- list->values = (char**)realloc(list->values,sizeof(char*)*(list->n+1));
+- list->values[list->n] = value;
+- ++(list->n);
+- fsplit = strtok_r(NULL, "&", &fmarker);
+ }
+- free(post_data);
+- return list;
++ return NULL;
+ }
+
+ static struct http_request* parse_http_request_1(struct http_request* ret, char* request, int parse_post)
diff --git a/debian/patches/init-with-zero-any-new-or-reused-stun-buffers.patch b/debian/patches/init-with-zero-any-new-or-reused-stun-buffers.patch
new file mode 100644
index 00000000..c3974b1b
--- /dev/null
+++ b/debian/patches/init-with-zero-any-new-or-reused-stun-buffers.patch
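Review bot: In the rewritten post_parse body of Fix-CVE-2020-6062-TALOS-2020-0985.patch, the `malloc(sizeof(struct headers_list))` result is still passed to `ns_bzero(list, ...)` without a NULL test, although the new code does test the `calloc` for `post_data`; add `if (list == NULL) { free(post_data); return NULL; }` before the `ns_bzero` call. Inside the loop the two `realloc` results are assigned straight back to `list->keys` and `list->values`, and `strdup(key)` and `evhttp_decode_uri(value)` (which can return NULL on allocation failure) are used unchecked, so the same failure mode remains on those lines. post_parse can now also return NULL for an empty body or a failed `calloc`; its callers lie outside this hunk, so confirm that they test the result before reading `n`, `keys` or `values`.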
@@ -0,0 +1,34 @@
+From fc1e0732069e95f2de3cf1a22d15c44bbd3cfaae Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?=
+Date: Mon, 22 Jun 2020 00:08:12 +0200
+Subject: [PATCH 1/2] init with zero any new or reused stun buffers
+
+[Salvatore Bonaccorso: backport to 4.5.1.1: Use consistently ns_bzero as it
+does not yet contain the upstream change 7a43aae7c3e1 ("Remove ns_bzero(),
+ns_bcopy(), and ns_bcmp()"). Adjust for context changes.]
+---
+ src/apps/relay/ns_ioalib_engine_impl.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/src/apps/relay/ns_ioalib_engine_impl.c
++++ b/src/apps/relay/ns_ioalib_engine_impl.c
+@@ -293,10 +293,19 @@ static stun_buffer_list_elem *new_blist_
+
+ if(!ret) {
+ ret = (stun_buffer_list_elem *)turn_malloc(sizeof(stun_buffer_list_elem));
++ /* init ns_bzero below will solve all of these in one step
+ ret->buf.len = 0;
+ ret->buf.offset = 0;
+ ret->buf.coffset = 0;
++ */
+ ret->next = NULL;
++ if (!ret) {
++ TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: Cannot allocate memory for STUN buffer!\n", __FUNCTION__);
++ }
++ }
++
++ if(ret) {
++ ns_bzero(&ret->buf, sizeof(stun_buffer));
+ }
+
+ return ret;
diff --git a/debian/patches/series b/debian/patches/series
index 29f53942..28a7dc19 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,4 @@
 Set-logging-to-syslog.patch
+Fix-CVE-2020-6061-TALOS-2020-0984.patch
+Fix-CVE-2020-6062-TALOS-2020-0985.patch
+init-with-zero-any-new-or-reused-stun-buffers.patch
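Review bot: In the new_blist_ hunk of init-with-zero-any-new-or-reused-stun-buffers.patch, the added `if (!ret)` test sits after the context line `ret->next = NULL;`, so if `turn_malloc` returns NULL the pointer is written through before the error is logged and the new check never gets to protect anything. Put the assignment behind the test, for example `if (!ret) { TURN_LOG_FUNC(...); } else { ret->next = NULL; }` with the existing log arguments kept as they are. The later `if(ret)` guard around `ns_bzero(&ret->buf, sizeof(stun_buffer))` is already ordered correctly. The function starts above the hunk, so how `ret` is taken from the reuse list before this point is not visible here.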