| Summary: | coturn new security issue CVE-2020-4067 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, mageia, mitya, nicolas.salguero, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | coturn-4.5.0.7-2.3.mga7.src.rpm | CVE: | CVE-2020-4067 |
| Status comment: | | | |

Description
David Walser
2020-07-01 20:51:16 CEST
David Walser
2020-07-01 20:52:16 CEST
Status comment: (none) => Fixed upstream in 4.5.1.3

This SRPM has been maintained by various packagers, so assigning this globally. CC'ing the last registered maintainer mitya/Dimitri in case he wants to come back on board.

CC: (none) => mitya

Suggested advisory:

========================

The updated package fixes a security vulnerability:

In coturn before version 4.5.1.3, there is an issue whereby STUN/TURN response buffer is not initialized properly. There is a leak of information between different client connections. One client (an attacker) could use their connection to intelligently query coturn to get interesting bytes in the padding bytes from the connection of another client. (CVE-2020-4067)

References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4067

https://www.debian.org/security/2020/dsa-4711

========================

Updated package in core/updates_testing:

========================

coturn-4.5.0.7-2.4.mga7

from SRPM:

coturn-4.5.0.7-2.4.mga7.src.rpm

Status comment: Fixed upstream in 4.5.1.3 => (none)

MGA7-64 Plasma on Lenovo B50

No installation issues.

Ref bug 26413 for testing

```
# systemctl -l status turnserver
● turnserver.service - coturn
   Loaded: loaded (/usr/lib/systemd/system/turnserver.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:coturn(1)
           man:turnadmin(1)
           man:turnserver(1)

Jul 08 14:17:20 mach5.hviaene.thuis systemd[1]: /usr/lib/systemd/system/turnserver.service:10: PIDFile= references path below>
# systemctl start turnserver
# systemctl -l status turnserver
● turnserver.service - coturn
   Loaded: loaded (/usr/lib/systemd/system/turnserver.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-07-08 14:17:47 CEST; 3s ago
     Docs: man:coturn(1)
           man:turnadmin(1)
           man:turnserver(1)
  Process: 29861 ExecStart=/usr/bin/turnserver -o -c /etc/turnserver/turnserver.conf $EXTRA_OPTIONS (code=exited, status=0/SU>
 Main PID: 29862 (turnserver)
    Tasks: 9 (limit: 4915)
   Memory: 5.2M
   CGroup: /system.slice/turnserver.service
           └─29862 /usr/bin/turnserver -o -c /etc/turnserver/turnserver.conf

Jul 08 14:17:47 mach5.hviaene.thuis turnserver[29862]: 1: turn server id=1 created
Jul 08 14:17:47 mach5.hviaene.thuis turnserver[29862]: 1: IO method (general relay thread): epoll (with changelist)
Jul 08 14:17:47 mach5.hviaene.thuis turnserver[29862]: 1: turn server id=3 created
Jul 08 14:17:47 mach5.hviaene.thuis turnserver[29862]: 1: IO method (general relay thread): epoll (with changelist)
Jul 08 14:17:47 mach5.hviaene.thuis turnserver[29862]: 1: turn server id=2 created
Jul 08 14:17:47 mach5.hviaene.thuis turnserver[29862]: 1: Total General servers: 4
Jul 08 14:17:47 mach5.hviaene.thuis turnserver[29862]: 1: IO method (auth thread): epoll (with changelist)
Jul 08 14:17:47 mach5.hviaene.thuis turnserver[29862]: 1: IO method (auth thread): epoll (with changelist)
Jul 08 14:17:47 mach5.hviaene.thuis turnserver[29862]: 1: IO method (admin thread): epoll (with changelist)
Jul 08 14:17:47 mach5.hviaene.thuis turnserver[29862]: 1: SQLite DB connection success: /var/db/turndb
```

CC: (none) => herman.viaene

No other machine available so testing locally:

```
$ netstat -nl | grep 3478
tcp        0      0 192.168.2.5:3478        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3478          0.0.0.0:*               LISTEN
tcp6       0      0 ::1:3478                :::*                    LISTEN
sctp                ::1:3478                                        LISTEN
sctp                ::1:3478                                        LISTEN
sctp                ::1:3478                                        LISTEN
sctp                ::1:3478                                        LISTEN
sctp                192.168.2.5:3478                                LISTEN
sctp                192.168.2.5:3478                                LISTEN
sctp                192.168.2.5:3478                                LISTEN
sctp                192.168.2.5:3478                                LISTEN
sctp                127.0.0.1:3478                                  LISTEN
sctp                127.0.0.1:3478                                  LISTEN
sctp                127.0.0.1:3478                                  LISTEN
sctp                127.0.0.1:3478                                  LISTEN
udp        0      0 192.168.2.5:3478        0.0.0.0:*
udp        0      0 192.168.2.5:3478        0.0.0.0:*
udp        0      0 192.168.2.5:3478        0.0.0.0:*
udp        0      0 192.168.2.5:3478        0.0.0.0:*
udp        0      0 127.0.0.1:3478          0.0.0.0:*
udp        0      0 127.0.0.1:3478          0.0.0.0:*
udp        0      0 127.0.0.1:3478          0.0.0.0:*
udp        0      0 127.0.0.1:3478          0.0.0.0:*
udp6       0      0 ::1:3478                :::*
udp6       0      0 ::1:3478                :::*
udp6       0      0 ::1:3478                :::*
udp6       0      0 ::1:3478                :::*
[tester7@mach5 ~]$ telnet 192.168.2.5 3478
Trying 192.168.2.5...
Connected to mach5.hviaene.thuis (192.168.2.5).
Escape character is '^]'.
```

Looks OK to me

Whiteboard: (none) => MGA7-64-OK

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil
2020-07-09 17:37:56 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0287.html

Status: ASSIGNED => RESOLVED
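
The bug class named in the suggested advisory above, stale bytes surviving in the padding of a STUN attribute written into a reused buffer, shown beside its hardened form together with a padding check usable as a regression test. This is an added C illustration, not coturn's code and not part of the bug report; `stun_attr_add`, `stun_dirty_padding` and `demo` are hypothetical names and the buffer contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STUN_HDR_LEN 20u /* type, length, magic cookie, transaction id */
#define PAD4(n) (((size_t)(n) + 3u) & ~(size_t)3u)
#define BE16(p) (((size_t)(p)[0] << 8) | (p)[1])
/* Hypothetical helper, not coturn's API. zero_pad=0: bug class, 1: hardened. */
static int stun_attr_add(uint8_t *buf, size_t cap, size_t *len, uint16_t type,
                         const void *val, uint16_t vlen, int zero_pad)
{
    size_t padded = PAD4(vlen);
    if (*len < STUN_HDR_LEN || *len > cap || cap - *len < 4 + padded) return -1;
    uint8_t *p = buf + *len;
    p[0] = (uint8_t)(type >> 8); p[1] = (uint8_t)type;
    p[2] = (uint8_t)(vlen >> 8); p[3] = (uint8_t)vlen;
    memcpy(p + 4, val, vlen);
    if (zero_pad) memset(p + 4 + vlen, 0, padded - vlen); /* no stale bytes */
    *len += 4 + padded;
    buf[2] = (uint8_t)((*len - STUN_HDR_LEN) >> 8); /* header length field */
    buf[3] = (uint8_t)(*len - STUN_HDR_LEN);
    return 0;
}

/* Regression check: number of non-zero padding bytes, or -1 if malformed. */
static int stun_dirty_padding(const uint8_t *msg, size_t len)
{
    if (len < STUN_HDR_LEN || BE16(msg + 2) != len - STUN_HDR_LEN) return -1;
    int dirty = 0;
    for (size_t off = STUN_HDR_LEN; off < len; ) {
        if (len - off < 4) return -1;
        size_t vlen = BE16(msg + off + 2), pad = PAD4(vlen);
        if (len - off - 4 < pad) return -1;
        for (size_t i = vlen; i < pad; i++) dirty += msg[off + 4 + i] != 0;
        off += 4 + pad;
    }
    return dirty;
}

/* Constructed scenario: the buffer still holds bytes from an earlier response. */
static int demo(int zero_pad)
{
    /* Binding success response type, zero length, magic cookie, zero id */
    uint8_t buf[64] = {0x01, 0x01, 0, 0, 0x21, 0x12, 0xA4, 0x42};
    size_t len = STUN_HDR_LEN;
    memset(buf + len, 'S', sizeof buf - len); /* stale data (constructed) */
    /* 0x8022 is the SOFTWARE attribute; a 5-byte value needs 3 padding bytes */
    if (stun_attr_add(buf, sizeof buf, &len, 0x8022, "demo1", 5, zero_pad)) return -1;
    return stun_dirty_padding(buf, len);
}
```

`demo(0)` reports the three leftover bytes that would go out on the wire; `demo(1)` reports none.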