From ac3ed151f32f70060a3bd1208df9b09dfde1a7f7 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 29 Apr 2020 01:11:43 +0200 Subject: [PATCH] coturn: apply patch for CVE-2020-6061/6062 Fixes: CVE-2020-6061, CVE-2020-6062 An exploitable heap overflow vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to information leaks and other misbehavior. An attacker needs to send an HTTPS request to trigger this vulnerability. An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to server crash and denial of service. An attacker needs to send an HTTP request to trigger this vulnerability. (cherry picked from commit 704a018aaea16e044c1adf33accce6be2884911d) --- pkgs/servers/coturn/default.nix | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/coturn/default.nix b/pkgs/servers/coturn/default.nix index 2fbd0bbfb3da58..7604291771c23b 100644 --- a/pkgs/servers/coturn/default.nix +++ b/pkgs/servers/coturn/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchFromGitHub, openssl, libevent }: +{ stdenv, fetchFromGitHub, fetchpatch, openssl, libevent }: stdenv.mkDerivation rec { pname = "coturn"; @@ -13,7 +13,14 @@ stdenv.mkDerivation rec { buildInputs = [ openssl libevent ]; - patches = [ ./pure-configure.patch ]; + patches = [ + ./pure-configure.patch + (fetchpatch { + name = "CVE-2020-6061+6062.patch"; + url = "https://sources.debian.org/data/main/c/coturn/4.5.1.1-1.2/debian/patches/CVE-2020-6061+6062.patch"; + sha256 = "0fcy1wp91bb4hlhnp96sf9bs0d9hf3pwx5f7b1r9cfvr3l5c1bk2"; + }) + ]; meta = with stdenv.lib; { homepage = https://coturn.net/;