coturn: apply patch for CVE-2020-6061/6062

Fixes: CVE-2020-6061, CVE-2020-6062

An exploitable heap overflow vulnerability exists in the way CoTURN
4.5.1.1 web server parses POST requests. A specially crafted HTTP
POST request can lead to information leaks and other misbehavior.
An attacker needs to send an HTTPS request to trigger this vulnerability.

An exploitable denial-of-service vulnerability exists in the way
CoTURN 4.5.1.1 web server parses POST requests. A specially crafted
HTTP POST request can lead to server crash and denial of service.
An attacker needs to send an HTTP request to trigger this vulnerability.
Martin Weinelt 2020-04-29 01:11:43 +02:00
parent a8b60a8567
commit 704a018aae
No known key found for this signature in database
GPG Key ID: BD4AA0528F63F17E

@ -1,4 +1,4 @@
{ stdenv, fetchFromGitHub, openssl, libevent }: { stdenv, fetchFromGitHub, fetchpatch, openssl, libevent }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "coturn"; pname = "coturn";
@ -13,7 +13,14 @@ stdenv.mkDerivation rec {
buildInputs = [ openssl libevent ]; buildInputs = [ openssl libevent ];
patches = [ ./pure-configure.patch ]; patches = [
./pure-configure.patch
(fetchpatch {
name = "CVE-2020-6061+6062.patch";
url = "https://sources.debian.org/data/main/c/coturn/4.5.1.1-1.2/debian/patches/CVE-2020-6061+6062.patch";
sha256 = "0fcy1wp91bb4hlhnp96sf9bs0d9hf3pwx5f7b1r9cfvr3l5c1bk2";
})
];
meta = with stdenv.lib; { meta = with stdenv.lib; {
homepage = "https://coturn.net/"; homepage = "https://coturn.net/";
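Review bot: the new `(fetchpatch {` entry in `patches` has no comment saying where the fix originates or when it can be dropped. The URL points at Debian's packaging of 4.5.1.1-1.2 rather than at a coturn commit, so a one-line comment above the entry naming the two CVEs and noting "remove on the next version bump that includes the fix" would keep this from lingering or failing to apply after an update. The sha256 pins the patch content, so the remaining concern is only availability of that versioned sources.debian.org path; if the corresponding upstream commit can be identified, fetching from there would be the more stable source.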