Version in base suite: 4.5.1.1-1.1+deb10u1 Base version: coturn_4.5.1.1-1.1+deb10u1 Target version: coturn_4.5.1.1-1.1+deb10u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/coturn/coturn_4.5.1.1-1.1+deb10u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/coturn/coturn_4.5.1.1-1.1+deb10u2.dsc changelog | 8 ++ patches/Fix-CVE-2020-26262-Enable-Security.patch | 83 +++++++++++++++++++++++ patches/series | 1 3 files changed, 92 insertions(+)
diff -Nru coturn-4.5.1.1/debian/changelog coturn-4.5.1.1/debian/changelog
--- coturn-4.5.1.1/debian/changelog 2020-06-26 08:49:56.000000000 +0000
+++ coturn-4.5.1.1/debian/changelog 2020-12-15 16:23:34.000000000 +0000
@@ -1,3 +1,11 @@
+coturn (4.5.1.1-1.1+deb10u2) buster-security; urgency=high
+
+ * [c750a89] Fix-CVE-2020-26262-Enable-Security
+ - Fix ipv6 ::1 loopback check
+ - Not allow allocate peer address 0.0.0.0/8 and ::/128
+
+ -- Mészáros Mihály Tue, 15 Dec 2020 17:23:34 +0100
+
 coturn (4.5.1.1-1.1+deb10u1) buster-security; urgency=high

 * Non-maintainer upload by the Security Team.
diff -Nru coturn-4.5.1.1/debian/patches/Fix-CVE-2020-26262-Enable-Security.patch coturn-4.5.1.1/debian/patches/Fix-CVE-2020-26262-Enable-Security.patch
--- coturn-4.5.1.1/debian/patches/Fix-CVE-2020-26262-Enable-Security.patch 1970-01-01 00:00:00.000000000 +0000
+++ coturn-4.5.1.1/debian/patches/Fix-CVE-2020-26262-Enable-Security.patch 2020-12-15 16:23:34.000000000 +0000
@@ -0,0 +1,83 @@
+From: Sandro Gauci
+Date: Mon, 30 Nov 2020 14:02:35 +0100
+Subject: Fix-CVE-2020-26262-Enable-Security
+
+---
+ src/client/ns_turn_ioaddr.c | 29 +++++++++++++++++++++++++++--
+ src/client/ns_turn_ioaddr.h | 1 +
+ src/server/ns_turn_server.c | 2 ++
+ 3 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/src/client/ns_turn_ioaddr.c b/src/client/ns_turn_ioaddr.c
+index b4948a0..a401773 100644
+--- a/src/client/ns_turn_ioaddr.c
++++ b/src/client/ns_turn_ioaddr.c
+@@ -483,9 +483,9 @@ int ioa_addr_is_loopback(ioa_addr *addr)
+ return (u[0] == 127);
+ } else if(addr->ss.sa_family == AF_INET6) {
+ const u08bits *u = ((const u08bits*)&(addr->s6.sin6_addr));
+- if(u[7] == 1) {
++ if(u[15] == 1) {
+ int i;
+- for(i=0;i<7;++i) {
++ for(i=0;i<15;++i) {
+ if(u[i])
+ return 0;
+ }
+@@ -496,6 +496,31 @@ int ioa_addr_is_loopback(ioa_addr *addr)
+ return 0;
+ }
+
++/*
++To avoid a vulnerability this function checks whether the addr is in 0.0.0.0/8 or ::/128.
++Source from (INADDR_ANY) 0.0.0.0/32 and (in6addr_any) ::/128 routed to loopback on Linux systems for old BSD backward compatibility.
++https://github.com/torvalds/linux/blob/a2f5ea9e314ba6778f885c805c921e9362ec0420/net/ipv6/tcp_ipv6.c#L182
++To avoid any trouble we match the whole 0.0.0.0/8 that defined in RFC6890 as local network "this".
+*/
++int ioa_addr_is_zero(ioa_addr *addr)
++{
++ if(addr) {
++ if(addr->ss.sa_family == AF_INET) {
++ const uint8_t *u = ((const uint8_t*)&(addr->s4.sin_addr));
++ return (u[0] == 0);
++ } else if(addr->ss.sa_family == AF_INET6) {
++ const uint8_t *u = ((const uint8_t*)&(addr->s6.sin6_addr));
++ int i;
++ for(i=0;i<=15;++i) {
++ if(u[i])
++ return 0;
++ }
++ return 1;
++ }
++ }
++ return 0;
++}
++
+ /////// Map "public" address to "private" address //////////////
+
+ // Must be called only in a single-threaded context,
+diff --git a/src/client/ns_turn_ioaddr.h b/src/client/ns_turn_ioaddr.h
+index 29c8e08..fbfac49 100644
+--- a/src/client/ns_turn_ioaddr.h
++++ b/src/client/ns_turn_ioaddr.h
+@@ -89,6 +89,7 @@ void ioa_addr_range_cpy(ioa_addr_range* dest, const ioa_addr_range* src);
+
+ int ioa_addr_is_multicast(ioa_addr *a);
+ int ioa_addr_is_loopback(ioa_addr *addr);
++int ioa_addr_is_zero(ioa_addr *addr);
+
+ /////// Map "public" address to "private" address //////////////
+
+diff --git a/src/server/ns_turn_server.c b/src/server/ns_turn_server.c
+index 5790b7f..425f4a6 100644
+--- a/src/server/ns_turn_server.c
++++ b/src/server/ns_turn_server.c
+@@ -273,6 +273,8 @@ static int good_peer_addr(turn_turnserver *server, const char* realm, ioa_addr *
+ return 0;
+ if( !*(server->allow_loopback_peers) && ioa_addr_is_loopback(peer_addr))
+ return 0;
++ if (ioa_addr_is_zero(peer_addr))
++ return 0;
+
+ {
+ int i;
diff -Nru coturn-4.5.1.1/debian/patches/series coturn-4.5.1.1/debian/patches/series
--- coturn-4.5.1.1/debian/patches/series 2020-06-26 08:49:56.000000000 +0000
+++ coturn-4.5.1.1/debian/patches/series 2020-12-15 16:23:34.000000000 +0000
@@ -2,3 +2,4 @@
 Fix-CVE-2020-6061-TALOS-2020-0984.patch
 Fix-CVE-2020-6062-TALOS-2020-0985.patch
 init-with-zero-any-new-or-reused-stun-buffers.patch
+Fix-CVE-2020-26262-Enable-Security.patch
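Review bot: The AF_INET6 branch of the new `ioa_addr_is_zero` matches only the all-zero `::`, and the corrected `ioa_addr_is_loopback` matches only `::1`, so the IPv4-mapped forms of 0.0.0.0/8 and 127.0.0.0/8 are classified as neither. Whether a mapped peer address can reach a relay socket is not visible in this patch; if it can, the IPv6 branch should apply the IPv4 rule to it, for example `if(IN6_IS_ADDR_V4MAPPED(&(addr->s6.sin6_addr))) return (u[12] == 0);` just before the loop, and the same test with `u[12] == 127` in the loopback helper. `ioa_addr_is_zero` also returns 0 for a NULL pointer or an unknown address family, so the new check in `good_peer_addr` passes those on to the later checks. A short comment on the function stating that this fall-through is intended would help, since both `ioa_addr_is_loopback` and `good_peer_addr` are only partly visible in these hunks.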