From 704a018aaea16e044c1adf33accce6be2884911d Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 29 Apr 2020 01:11:43 +0200 Subject: [PATCH] coturn: apply patch for CVE-2020-6061/6062 Fixes: CVE-2020-6061, CVE-2020-6062 An exploitable heap overflow vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to information leaks and other misbehavior. An attacker needs to send an HTTPS request to trigger this vulnerability. An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to server crash and denial of service. An attacker needs to send an HTTP request to trigger this vulnerability. --- pkgs/servers/coturn/default.nix | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/coturn/default.nix b/pkgs/servers/coturn/default.nix index 24dc256ba69f..51502c3fd97f 100644 --- a/pkgs/servers/coturn/default.nix +++ b/pkgs/servers/coturn/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchFromGitHub, openssl, libevent }: +{ stdenv, fetchFromGitHub, fetchpatch, openssl, libevent }: stdenv.mkDerivation rec { pname = "coturn"; @@ -13,7 +13,14 @@ stdenv.mkDerivation rec { buildInputs = [ openssl libevent ]; - patches = [ ./pure-configure.patch ]; + patches = [ + ./pure-configure.patch + (fetchpatch { + name = "CVE-2020-6061+6062.patch"; + url = "https://sources.debian.org/data/main/c/coturn/4.5.1.1-1.2/debian/patches/CVE-2020-6061+6062.patch"; + sha256 = "0fcy1wp91bb4hlhnp96sf9bs0d9hf3pwx5f7b1r9cfvr3l5c1bk2"; + }) + ]; meta = with stdenv.lib; { homepage = "https://coturn.net/";