Bug 26413 - coturn new security issues CVE-2020-606[12]
Summary: coturn new security issues CVE-2020-606[12]
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2020-04-01 14:40 CEST by David Walser
Modified: 2020-05-30 23:58 CEST (History)
5 users

See Also:
Source RPM: coturn-4.5.1.1-2.mga8.src.rpm
CVE:
Status comment:


Attachments
A patch for the RPM package (4.05 KB, patch)
2020-05-13 15:25 CEST, Elliot L
Details | Diff
A patch for the full RPM package instead of the source (5.11 KB, patch)
2020-05-13 15:34 CEST, Elliot L
Details | Diff
Svn diff with subrel (5.13 KB, patch)
2020-05-13 15:59 CEST, Elliot L
Details | Diff
Fixed formatting (5.12 KB, patch)
2020-05-13 16:09 CEST, Elliot L
Details | Diff
Accidentally used commit as patch, my bad (5.08 KB, patch)
2020-05-13 17:42 CEST, Elliot L
Details | Diff

Description David Walser 2020-04-01 14:40:04 CEST
Fedora has issued an advisory today (April 1):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XN2NK6FT7AMW5UIZNXDNHKEAYWAUMGSF/

Mageia 7 is also affected.

As the importer/maintainer of this package has disappeared on us again, we should probably drop it.
Comment 1 David Walser 2020-04-01 14:40:55 CEST
Patches available from this commit:
https://src.fedoraproject.org/rpms/coturn/c/d9dbecf09d39006f3918e5d372d7ca948269484a?branch=master

Status comment: (none) => Patches available from Fedora
Whiteboard: (none) => MGA7TOO

Comment 2 Elliot L 2020-05-13 15:25:42 CEST
Created attachment 11640 [details]
A patch for the RPM package

Patch adapted from Fedora, I do not have commit rights yet, so my mentor will likely submit it.

CC: (none) => CheeseEBoi

Comment 3 Elliot L 2020-05-13 15:34:10 CEST
Created attachment 11641 [details]
A patch for the full RPM package instead of the source

Sorry, I sent a patch for the software instead of just an "svn diff." This patch is an svn diff that can easily be applied to the package in Mageia 7 right now.

Attachment 11640 is obsolete: 0 => 1

Comment 4 Elliot L 2020-05-13 15:59:10 CEST
Created attachment 11642 [details]
Svn diff with subrel

Fixed versioning issue

Attachment 11641 is obsolete: 0 => 1

Comment 5 Elliot L 2020-05-13 16:09:01 CEST
Created attachment 11643 [details]
Fixed formatting

Attachment 11642 is obsolete: 0 => 1

Comment 6 Elliot L 2020-05-13 17:42:26 CEST
Created attachment 11644 [details]
Accidentally used commit as patch, my bad

Attachment 11643 is obsolete: 0 => 1

Comment 7 Shlomi Fish 2020-05-13 18:19:12 CEST
Thanks, Elliot! Patch applied, committed and submitted in coturn / r1583582 : http://pkgsubmit.mageia.org/

CC: (none) => shlomif

Comment 8 David Walser 2020-05-13 23:57:39 CEST
Nice to see this getting worked on.  A couple of minor nits, as it says here:
https://wiki.mageia.org/en/Updates_policy#Maintainer_.28or_any_interested_packager.29

it should be %define subrel, not %global (although the latter seemed to work in this case, I think there are some subtle differences) and although it doesn't explicitly say it, the subrel definition should go *immediately* above the %mkrel call, just for consistency's sake, so if someone else updates the package later, they won't miss that there's a subrel already there.

You don't need to rebuild the package, but do please make those changes in SVN.

Then, going back to the URL above, the next step is to make an advisory and assign to QA.  I can help with this if need be.  Also note the other changes I'm making to the bug.

Version: Cauldron => 7
Status comment: Patches available from Fedora => (none)
Whiteboard: MGA7TOO => (none)

Comment 9 Elliot L 2020-05-16 16:00:24 CEST
Advisory:
========================

Updated coturn package in order to fix security vulnerability:

http_server.c: An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to server crash and denial of service.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XN2NK6FT7AMW5UIZNXDNHKEAYWAUMGSF/
========================

Updated packages in core/updates_testing:
========================
coturn-4.5.1.2-1.mga7.x86_64.rpm

from coturn-4.5.1.2-1.mga7.src.rpm
Comment 10 David Walser 2020-05-16 16:08:30 CEST
There were 2 CVEs fixed here, so they should both be in the advisory, and the updated package is actually coturn-4.5.0.7-2.3.mga7.
Comment 11 Elliot L 2020-05-16 16:29:38 CEST
Revised Advisory:
========================

Updated the coturn package in order to fix some security vulnerabilities:

http_server.c: An exploitable heap overflow vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to information leaks and other misbehavior. An attacker needs to send an HTTPS request to trigger this vulnerability (CVE-2020-6061).

http_server.c: An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to server crash and denial of service. An attacker needs to send an HTTP request to trigger this vulnerability (CVE-2020-6062).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6061
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6062
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XN2NK6FT7AMW5UIZNXDNHKEAYWAUMGSF/

========================

Updated the package in core/updates_testing:
========================
coturn-4.5.0.7-2.3.mga7.x86_64.rpm

from coturn-4.5.0.7-2.3.mga7.src.rpm
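The advisory above describes both CVEs as defects in how http_server.c parses HTTP POST requests, and the page gives no further detail of what the Fedora patch changes. As an added example that is not coturn's code and not the patch applied here, the C below shows how a small management-interface POST parser can be written so that the one length it allocates with is the same length it copies with, and that length is checked against both an upper bound and the bytes actually received before any copy happens. The sample request, the MAX_POST_BODY limit and the function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

#define MAX_POST_BODY 65536   /* assumed cap on a management POST body */

enum { POST_OK = 0, POST_NOT_POST = -1, POST_MALFORMED = -2,
       POST_TOO_LARGE = -3, POST_TRUNCATED = -4 };

/* memmem-style search that never reads past hay[n]. */
static const char *bounded_find(const char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; m > 0 && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return hay + i;
    return NULL;
}

/* Parse exactly one Content-Length from hdr[0..hlen). A missing, duplicated,
   empty or non-numeric value is rejected instead of being guessed at. */
static int parse_content_length(const char *hdr, size_t hlen, size_t *out) {
    const char *p = hdr, *end = hdr + hlen, *key = "Content-Length:";
    size_t klen = strlen(key);
    int found = 0;
    while (p < end) {
        const char *eol = bounded_find(p, (size_t)(end - p), "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) : (size_t)(end - p);
        if (linelen > klen && strncasecmp(p, key, klen) == 0) {
            if (found) return -1;
            const char *v = p + klen, *vend = p + linelen;
            while (v < vend && (*v == ' ' || *v == '\t')) v++;
            if (v == vend) return -1;
            size_t acc = 0;
            for (; v < vend; v++) {
                if (*v < '0' || *v > '9') return -1;
                if (acc > (SIZE_MAX - (size_t)(*v - '0')) / 10) return -1;
                acc = acc * 10 + (size_t)(*v - '0');
            }
            *out = acc;
            found = 1;
        }
        if (!eol) break;
        p = eol + 2;
    }
    return found ? 0 : -1;
}

/* Extract the body of a POST held in buf[0..len). On POST_OK, *body is a heap
   copy (caller frees) of exactly *blen == Content-Length bytes. The single
   length used for malloc is the one used for memcpy, and it has already been
   bounded by MAX_POST_BODY and by the number of bytes actually received. */
int parse_post_body(const char *buf, size_t len, char **body, size_t *blen) {
    *body = NULL; *blen = 0;
    if (len < 5 || memcmp(buf, "POST ", 5) != 0) return POST_NOT_POST;
    const char *sep = bounded_find(buf, len, "\r\n\r\n");
    if (!sep) return POST_MALFORMED;
    size_t hlen = (size_t)(sep - buf), avail = len - hlen - 4, clen;
    if (parse_content_length(buf, hlen, &clen) != 0) return POST_MALFORMED;
    if (clen > MAX_POST_BODY) return POST_TOO_LARGE;
    if (clen > avail) return POST_TRUNCATED;   /* header promises more than arrived */
    char *copy = malloc(clen + 1);
    if (!copy) return POST_MALFORMED;
    memcpy(copy, sep + 4, clen);
    copy[clen] = '\0';
    *body = copy; *blen = clen;
    return POST_OK;
}

/* Self-check helpers on NUL-terminated sample requests: code only, or body match. */
int post_rc(const char *req) {
    char *b; size_t n;
    int rc = parse_post_body(req, strlen(req), &b, &n);
    free(b);
    return rc;
}
int post_body_equals(const char *req, const char *expect) {
    char *b; size_t n;
    int ok = parse_post_body(req, strlen(req), &b, &n) == POST_OK &&
             n == strlen(expect) && memcmp(b, expect, n) == 0;
    free(b);
    return ok;
}

int main(void) {
    /* Constructed sample request, not captured from a real turnserver. */
    const char *req = "POST /admin HTTP/1.1\r\nHost: turn.example\r\n"
                      "Content-Length: 11\r\n\r\nuser=alice&";
    char *b; size_t n;
    int rc = parse_post_body(req, strlen(req), &b, &n);
    printf("rc=%d len=%zu body=%s\n", rc, n, rc == POST_OK ? b : "(none)");
    free(b);
    return rc == POST_OK ? 0 : 1;
}
```

The three rejections are the point: a declared length larger than what was received must not be used to read the buffer, a length above the cap must not be used to allocate, and a header that cannot be parsed to a single number must not be turned into a length at all. Each of those is a place where a parser that trusts Content-Length can over-read or over-allocate, which is the class of bug the two advisories describe.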
David Walser 2020-05-16 16:31:07 CEST

Assignee: pterjan => qa-bugs

Comment 12 Herman Viaene 2020-05-17 14:55:00 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
No previous update or wiki, so experimenting. Found https://ourcodeworld.com/articles/read/1175/how-to-create-and-configure-your-own-stun-turn-server-with-coturn-in-ubuntu-18-04
and at CLI after installation:
# systemctl -l status turnserver
● turnserver.service - coturn
   Loaded: loaded (/usr/lib/systemd/system/turnserver.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:coturn(1)
           man:turnadmin(1)
           man:turnserver(1)

May 17 14:32:41 mach5.hviaene.thuis systemd[1]: /usr/lib/systemd/system/turnserver.service:10: PIDFile= references path be>

# systemctl start turnserver

# systemctl -l status turnserver
● turnserver.service - coturn
   Loaded: loaded (/usr/lib/systemd/system/turnserver.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-05-17 14:33:06 CEST; 3s ago
     Docs: man:coturn(1)
           man:turnadmin(1)
           man:turnserver(1)
  Process: 7691 ExecStart=/usr/bin/turnserver -o -c /etc/turnserver/turnserver.conf $EXTRA_OPTIONS (code=exited, status=0/>
 Main PID: 7861 (turnserver)
    Tasks: 9 (limit: 4915)
   Memory: 5.4M
   CGroup: /system.slice/turnserver.service
           └─7861 /usr/bin/turnserver -o -c /etc/turnserver/turnserver.conf

May 17 14:33:06 mach5.hviaene.thuis turnserver[7861]: 0: turn server id=0 created
May 17 14:33:06 mach5.hviaene.thuis turnserver[7861]: 0: IO method (general relay thread): epoll (with changelist)
May 17 14:33:06 mach5.hviaene.thuis turnserver[7861]: 0: turn server id=3 created
May 17 14:33:06 mach5.hviaene.thuis turnserver[7861]: 0: IO method (general relay thread): epoll (with changelist)
May 17 14:33:06 mach5.hviaene.thuis turnserver[7861]: 0: turn server id=2 created
May 17 14:33:06 mach5.hviaene.thuis turnserver[7861]: 0: Total General servers: 4
May 17 14:33:06 mach5.hviaene.thuis turnserver[7861]: 0: IO method (auth thread): epoll (with changelist)
May 17 14:33:06 mach5.hviaene.thuis turnserver[7861]: 0: IO method (admin thread): epoll (with changelist)
May 17 14:33:06 mach5.hviaene.thuis turnserver[7861]: 0: IO method (auth thread): epoll (with changelist)
May 17 14:33:06 mach5.hviaene.thuis turnserver[7861]: 0: SQLite DB connection success: /var/db/turndb

Checked /etc/turnserver/turnserver.conf and found 3478 as default port.
Tested by trying access from my desktop PC:
$ telnet mach5 3478
Trying 192.168.2.5
Connected to mach5.xxx.yyyy (192.168.2.5)

That's it for me, I will not object OK'ing if this is deemed to be enough as a test.

CC: (none) => herman.viaene
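The smoke test above shows that something accepts a TCP connection on 3478, not that the listener speaks STUN. As an added example that is not part of the original report and not coturn's code, the C below builds the Binding Request a client would send, builds the Binding Success Response a server would return, and parses that reply the way a careful client should: magic cookie, transaction ID match, declared length bounded by the bytes received, and XOR decoding of the mapped address per RFC 5389. The fixed transaction ID, the client address 192.168.2.10:54321 and the function names are assumptions for illustration; sending the request over UDP to the server is left to the caller.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STUN_MAGIC            0x2112A442u
#define STUN_BINDING_REQUEST  0x0001
#define STUN_BINDING_SUCCESS  0x0101
#define STUN_XOR_MAPPED_ADDR  0x0020
#define STUN_HDR              20

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/* Client side: a 20-byte Binding Request with no attributes. tid must be 12
   unpredictable bytes in real use; the caller keeps it to match the reply. */
size_t stun_build_binding_request(uint8_t out[STUN_HDR], const uint8_t tid[12]) {
    put16(out, STUN_BINDING_REQUEST);
    put16(out + 2, 0);
    put32(out + 4, STUN_MAGIC);
    memcpy(out + 8, tid, 12);
    return STUN_HDR;
}

/* Server side: Binding Success Response with one IPv4 XOR-MAPPED-ADDRESS
   (port XORed with the top 16 bits of the cookie, address with the cookie). */
size_t stun_build_binding_response(uint8_t out[STUN_HDR + 12], const uint8_t tid[12],
                                   uint32_t ipv4, uint16_t port) {
    put16(out, STUN_BINDING_SUCCESS);
    put16(out + 2, 12);
    put32(out + 4, STUN_MAGIC);
    memcpy(out + 8, tid, 12);
    put16(out + 20, STUN_XOR_MAPPED_ADDR);
    put16(out + 22, 8);
    out[24] = 0x00; out[25] = 0x01;                       /* reserved, family = IPv4 */
    put16(out + 26, port ^ (uint16_t)(STUN_MAGIC >> 16));
    put32(out + 28, ipv4 ^ STUN_MAGIC);
    return STUN_HDR + 12;
}

/* Client side: accept a reply only if it is a Binding success, carries the
   magic cookie and our transaction ID, and its declared length fits in what we
   received; then walk the TLVs without ever reading past that length. */
int stun_parse_binding_response(const uint8_t *buf, size_t len, const uint8_t tid[12],
                                uint32_t *ipv4, uint16_t *port) {
    if (len < STUN_HDR || get16(buf) != STUN_BINDING_SUCCESS) return -1;
    if (get32(buf + 4) != STUN_MAGIC || memcmp(buf + 8, tid, 12) != 0) return -1;
    size_t end = STUN_HDR + get16(buf + 2);
    if (end > len) return -1;
    for (size_t off = STUN_HDR; off + 4 <= end; ) {
        uint16_t type = get16(buf + off), alen = get16(buf + off + 2);
        size_t padded = ((size_t)alen + 3) & ~(size_t)3;      /* attributes are 4-byte aligned */
        if (off + 4 + padded > end) return -1;
        if (type == STUN_XOR_MAPPED_ADDR && alen == 8 && buf[off + 5] == 0x01) {
            *port = get16(buf + off + 6) ^ (uint16_t)(STUN_MAGIC >> 16);
            *ipv4 = get32(buf + off + 8) ^ STUN_MAGIC;
            return 0;
        }
        off += 4 + padded;
    }
    return -1;   /* no usable XOR-MAPPED-ADDRESS */
}

/* Self-check: request -> response -> parse; 1 if the reflexive address round-trips.
   Uses a fixed transaction ID (constructed; real clients must randomize it). */
int stun_roundtrip(uint32_t ipv4, uint16_t port) {
    const uint8_t tid[12] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12};
    uint8_t req[STUN_HDR], rsp[STUN_HDR + 12];
    uint32_t got_ip; uint16_t got_port;
    stun_build_binding_request(req, tid);
    size_t n = stun_build_binding_response(rsp, req + 8, ipv4, port);   /* server echoes our TID */
    return stun_parse_binding_response(rsp, n, tid, &got_ip, &got_port) == 0 &&
           got_ip == ipv4 && got_port == port;
}

/* A reply whose transaction ID does not match ours must be discarded. */
int stun_rejects_foreign_tid(void) {
    const uint8_t tid[12] = {0}, other[12] = {0xff};
    uint8_t rsp[STUN_HDR + 12];
    uint32_t ip; uint16_t port;
    size_t n = stun_build_binding_response(rsp, other, 0x0a000001u, 3478);
    return stun_parse_binding_response(rsp, n, tid, &ip, &port) == -1;
}

int main(void) {
    uint32_t ip = 0xC0A8020Au;   /* 192.168.2.10, a constructed client address */
    printf("roundtrip=%d foreign_tid_rejected=%d\n",
           stun_roundtrip(ip, 54321), stun_rejects_foreign_tid());
    return 0;
}
```

To turn this into the check the QA step wanted, send the 20 bytes from stun_build_binding_request over UDP to the server on 3478 with sendto(2), read the reply, and hand it to stun_parse_binding_response with the same transaction ID. A listener that merely accepts a connection will never return a Binding Success carrying that transaction ID, so a successful parse is evidence that turnserver itself is answering, and the decoded address is what the server saw as the client's reflexive address.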

Comment 13 Thomas Andrews 2020-05-30 23:58:08 CEST
Since there's been no response for nearly two weeks, I'm going to assume that it is enough. If it isn't we'll soon know.

OKing and validating. Advisory in Comment 11.

Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

