Accepting request 800058 from home:weberho:branches:network:telephony

- Version 4.5.1.2:
- Extended Readme.SUSE with description on how to bind to ports below 1024
- Fixes and enhancements in service-file
- /etc/sysconfig/coturn defaults now to not show software's version to the public

OBS-URL: https://build.opensuse.org/request/show/800058
OBS-URL: https://build.opensuse.org/package/show/network:telephony/coturn?expand=0&rev=7

README.SUSE

@@ -6,3 +6,12 @@ To allow traffic going thru the firewall use
 ```
 firewall-cmd --zone=public --add-service=coturn [--permanent]
 ```
+
+* /etc/syconfig/coturn has the option '--no-software-attribute' enabled to hide 
+  the software version for production issue.
+
+* The trunserveer can only be bound to a port belo 1024 if you add the
+  AmbientCapabilities=CAP_NET_BIND_SERVICE section to the service file.
+
+
+

coturn-4.5.1.0-append-log.patch

@@ -1,53 +0,0 @@
-https://github.com/coturn/coturn/issues/416 and https://github.com/coturn/coturn/pull/417
-
-diff --git a/src/apps/common/ns_turn_utils.c b/src/apps/common/ns_turn_utils.c
-index 2c656d7..0792085 100644
---- a/src/apps/common/ns_turn_utils.c
-+++ b/src/apps/common/ns_turn_utils.c
-@@ -370,7 +370,7 @@ static void set_rtpfile(void)
- 				no_stdout_log = 1;
- 			} else {
- 				set_log_file_name(log_fn_base,log_fn);
--				_rtpfile = fopen(log_fn, "w");
-+				_rtpfile = fopen(log_fn, "a");
- 				if(_rtpfile)
- 					TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "log file opened: %s\n", log_fn);
- 			}
-@@ -397,32 +397,32 @@ static void set_rtpfile(void)
- 
- 		set_log_file_name(logbase, logf);
- 
--		_rtpfile = fopen(logf, "w");
-+		_rtpfile = fopen(logf, "a");
- 		if(_rtpfile)
- 			TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "log file opened: %s\n", logf);
- 		else {
- 			snprintf(logbase, FILE_STR_LEN, "/var/log/%s", logtail);
- 
- 			set_log_file_name(logbase, logf);
--			_rtpfile = fopen(logf, "w");
-+			_rtpfile = fopen(logf, "a");
- 			if(_rtpfile)
- 				TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "log file opened: %s\n", logf);
- 			else {
- 				snprintf(logbase, FILE_STR_LEN, "/var/tmp/%s", logtail);
- 				set_log_file_name(logbase, logf);
--				_rtpfile = fopen(logf, "w");
-+				_rtpfile = fopen(logf, "a");
- 				if(_rtpfile)
- 					TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "log file opened: %s\n", logf);
- 				else {
- 					snprintf(logbase, FILE_STR_LEN, "/tmp/%s", logtail);
- 					set_log_file_name(logbase, logf);
--					_rtpfile = fopen(logf, "w");
-+					_rtpfile = fopen(logf, "a");
- 					if(_rtpfile)
- 						TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "log file opened: %s\n", logf);
- 					else {
- 						snprintf(logbase, FILE_STR_LEN, "%s", logtail);
- 						set_log_file_name(logbase, logf);
--						_rtpfile = fopen(logf, "w");
-+						_rtpfile = fopen(logf, "a");
- 						if(_rtpfile)
- 							TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "log file opened: %s\n", logf);
- 						else {

coturn-4.5.1.1-cve-2020-6061.patch

@@ -1,22 +0,0 @@
-From 51a7c2b9bf924890c7a3ff4db9c4976c5a93340a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= <misi@majd.eu>
-Date: Mon, 17 Feb 2020 10:34:56 +0100
-Subject: [PATCH] Fix: CVE-2020-6061/TALOS-2020-0984
-
----
- src/apps/relay/http_server.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/apps/relay/http_server.c b/src/apps/relay/http_server.c
-index 573af49b..1126b49c 100644
---- a/src/apps/relay/http_server.c
-+++ b/src/apps/relay/http_server.c
-@@ -103,7 +103,7 @@ const char* get_http_date_header()
- 
- static struct headers_list * post_parse(char *data, size_t data_len)
- {
--	while((*data=='\r')||(*data=='\n')) ++data;
-+	while((*data=='\r')||(*data=='\n')) { ++data; --data_len; }
- 	char *post_data = (char*)calloc(data_len + 1, sizeof(char));
- 	memcpy(post_data, data, data_len);
- 	char *fmarker = NULL;

coturn-4.5.1.1-cve-2020-6062.patch

@@ -1,85 +0,0 @@
-From e09bcd9f7af5b32c81b37f51835b384b5a7d03a8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= <misi@majd.eu>
-Date: Tue, 18 Feb 2020 12:31:38 +0100
-Subject: [PATCH] Fix: CVE-2020-6062 / TALOS-2020-0985
-
----
- src/apps/relay/http_server.c | 63 ++++++++++++++++++++----------------
- 1 file changed, 36 insertions(+), 27 deletions(-)
-
-diff --git a/src/apps/relay/http_server.c b/src/apps/relay/http_server.c
-index 1126b49c..ff8e3992 100644
---- a/src/apps/relay/http_server.c
-+++ b/src/apps/relay/http_server.c
-@@ -104,35 +104,44 @@ const char* get_http_date_header()
- static struct headers_list * post_parse(char *data, size_t data_len)
- {
- 	while((*data=='\r')||(*data=='\n')) { ++data; --data_len; }
--	char *post_data = (char*)calloc(data_len + 1, sizeof(char));
--	memcpy(post_data, data, data_len);
--	char *fmarker = NULL;
--	char *fsplit = strtok_r(post_data, "&", &fmarker);
--	struct headers_list *list = (struct headers_list*)malloc(sizeof(struct headers_list));
--	ns_bzero(list,sizeof(struct headers_list));
--	while (fsplit != NULL) {
--		char *vmarker = NULL;
--		char *key = strtok_r(fsplit, "=", &vmarker);
--		char *value = strtok_r(NULL, "=", &vmarker);
--		char empty[1];
--		empty[0]=0;
--		value = value ? value : empty;
--		value = evhttp_decode_uri(value);
--		char *p = value;
--		while (*p) {
--			if (*p == '+')
--				*p = ' ';
--			p++;
-+	if (data_len) {
-+		char *post_data = (char*)calloc(data_len + 1, sizeof(char));
-+		if (post_data != NULL) {
-+			memcpy(post_data, data, data_len);
-+			char *fmarker = NULL;
-+			char *fsplit = strtok_r(post_data, "&", &fmarker);
-+			struct headers_list *list = (struct headers_list*)malloc(sizeof(struct headers_list));
-+			bzero(list,sizeof(struct headers_list));
-+			while (fsplit != NULL) {
-+				char *vmarker = NULL;
-+				char *key = strtok_r(fsplit, "=", &vmarker);
-+				if (key == NULL)
-+					break;
-+				else {
-+					char *value = strtok_r(NULL, "=", &vmarker);
-+					char empty[1];
-+					empty[0]=0;
-+					value = value ? value : empty;
-+					value = evhttp_decode_uri(value);
-+					char *p = value;
-+					while (*p) {
-+						if (*p == '+')
-+							*p = ' ';
-+						p++;
-+					}
-+					list->keys = (char**)realloc(list->keys,sizeof(char*)*(list->n+1));
-+					list->keys[list->n] = strdup(key);
-+					list->values = (char**)realloc(list->values,sizeof(char*)*(list->n+1));
-+					list->values[list->n] = value;
-+					++(list->n);
-+					fsplit = strtok_r(NULL, "&", &fmarker);
-+				}
-+			}
-+			free(post_data);
-+			return list;
- 		}
--		list->keys = (char**)realloc(list->keys,sizeof(char*)*(list->n+1));
--		list->keys[list->n] = strdup(key);
--		list->values = (char**)realloc(list->values,sizeof(char*)*(list->n+1));
--		list->values[list->n] = value;
--		++(list->n);
--		fsplit = strtok_r(NULL, "&", &fmarker);
- 	}
--	free(post_data);
--	return list;
-+	return NULL;
- }
- 
- static struct http_request* parse_http_request_1(struct http_request* ret, char* request, int parse_post)

coturn-4.5.1.1.missing-call-to-setgroups-before-setuid.patch

@@ -1,22 +0,0 @@
-From acbf7e15c9290e0891a6b6b5ce6e81bbaa77ce5a Mon Sep 17 00:00:00 2001
-From: Johannes Weberhofer <jweberhofer@weberhofer.at>
-Date: Sat, 11 Apr 2020 10:33:55 +0200
-Subject: [PATCH] Drop of supplementary group IDs
-
-Fix related to POS36-C and rpmlint error "missing-call-to-setgroups-before-setuid".
----
- src/apps/relay/mainrelay.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
-index 6710da6d..5a21cfaa 100644
---- a/src/apps/relay/mainrelay.c
-+++ b/src/apps/relay/mainrelay.c
-@@ -2061,6 +2061,7 @@ static void set_network_engine(void)
- 
- static void drop_privileges(void)
- {
-+	setgroups(0, NULL);
- 	if(procgroupid_set) {
- 		if(getgid() != procgroupid) {
- 			if (setgid(procgroupid) != 0) {

coturn-4.5.1.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8eabe4c241ad9a74655d8516c69b1fa3275e020e7f7fca50a6cb822809e7c220
-size 420069

coturn-4.5.1.2.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a1ab5fb6a97c1fdd509f6301c5e706f422475a7086657c0c56e2b27cbe01932c
+size 436487

coturn.changes

@@ -1,3 +1,57 @@
+-------------------------------------------------------------------
+Mon May  4 12:58:39 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Extended Readme.SUSE with description on how to bind to ports below 1024
+- Fixes and enhancements in service-file
+- /etc/sysconfig/coturn defaults now to not show software's version to the public
+
+- Version 4.5.1.2:
+  * Do not display empty CLI passwd alert if CLI is not enabled
+  * Removed several functions: gh#coturn/coturn#359
+  * Fix webadmin IP permission and possible SQL-injections: gh#coturn/coturn#386
+  * Fix Mongo driver crash on invalid connection string: gh#coturn/coturn#390
+  * enhanced fread return length check: gh#coturn/coturn#392
+  * disconnect database gracefully: #367
+  * Using SSL_get_version method for BoringSSL compatibility: 
+    turn_session_info->tls_method returns real TLS version:
+    gh#coturn/coturn#382
+  * Added systemd service example: gh#coturn/coturn#276
+  * Add bandwidth usage reporting packet/bandwidth usage by peers:
+    gh#coturn/coturn#284
+  * Modifying configure to enable compile with private libraries:
+    gh#coturn/coturn#381
+  * Append to log files rather than overriding them: gh#coturn/coturn#417
+  * Updated incorrect string length check for 'ssh': gh#coturn/coturn#442
+  * Fix Dockerfile for latest Debian: gh#coturn/coturn#449
+  * CVE-2020-6061, CVE-2020-6062: specially crafted HTTP POST request can lead
+    to heap overflow which can result in information leak:
+    gh#coturn/coturn#489
+  * STUN input validation: gh#coturn/coturn#472
+  * Allow MD5 in FIPS mode: gh#coturn/coturn#398
+  * update travis config ubuntu/mac images
+  * added null check for second char: gh#coturn/coturn#466
+  * compiler warning fixes: gh#coturn/coturn#470
+  * Fix a memory leak when an SHATYPE isn't supported: gh#coturn/coturn#471
+  * fix compiler warning comparison between signed and unsigned integer expressions
+  * fix compiler warning string truncation
+  * change Diffie Hellman default key length from 1066 to 2066
+  * drop of supplementary group IDs: gh#coturn/coturn#522
+  * Unify spelling of Coturn: gh#coturn/coturn#514
+  * Rename "prod" config option to "no-software-attribute": gh#coturn/coturn#506
+    gh#coturn/coturn#478
+  * change sql data dir in docker-compose-all.yml: gh#coturn/coturn#516
+  * add flags to disable periodic use of dynamic tables: gh#coturn/coturn#525
+
+  * fix typos and grammar: gh#coturn/coturn#463, gh#coturn/coturn#488
+  * Update README.docker: gh#coturn/coturn#475
+  * fix config extension in README.docker: gh#coturn/coturn#519
+  * Code beautifications: gh#coturn/coturn#327, gh#coturn/coturn#455,
+    gh#coturn/coturn#513
+
+- Removed patches now included in upstream: coturn-4.5.1.0-append-log.patch, 
+  coturn-4.5.1.1-cve-2020-6061.patch, coturn-4.5.1.1-cve-2020-6062 and 
+  coturn-4.5.1.1.missing-call-to-setgroups-before-setuid.patch
+
 -------------------------------------------------------------------
 Tue Apr 14 18:38:59 UTC 2020 - lars@linux-schulserver.de
 

coturn.service

@@ -7,12 +7,15 @@ After=syslog.target network.target
 User=coturn
 Group=coturn
 Type=forking
-EnvironmentFile=-/etc/sysconfig/turnserver
+EnvironmentFile=-/etc/sysconfig/coturn
 PIDFile=/run/coturn/turnserver.pid
 ExecStart=/usr/bin/turnserver -o -c /etc/coturn/turnserver.conf --pidfile /run/coturn/turnserver.pid $EXTRA_OPTIONS
 Restart=on-abort
 ExecReload=/bin/kill -HUP $MAINPID
 
+# enable next line to make coturn able to bind to a port below 1024
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+
 LimitCORE=infinity
 LimitNOFILE=999999
 LimitNPROC=60000

coturn.spec

@@ -17,14 +17,14 @@
 
 
 %global _lto_cflags %{?_lto_cflags} -ffat-lto-objects
-%bcond_without  apparmor
 %if 0%{?suse_version} > 1320
 %bcond_without  apparmor_reload
 %else
 %bcond_with     apparmor_reload
 %endif
+%bcond_without  apparmor
 Name:           coturn
-Version:        4.5.1.1
+Version:        4.5.1.2
 Release:        0
 Summary:        TURN and STUN server for VoIP
 License:        BSD-3-Clause
@@ -39,14 +39,6 @@ Source5:        %{name}.sysconfig
 Source6:        %{name}.firewalld
 Source7:        README.SUSE
 Source8:        %{name}-apparmor-usr.bin.turnserver
-# PATCH-FIX-UPSTREAM coturn-4.5.1.0-append-log.patch Append only to log files rather to override them
-Patch0:         coturn-4.5.1.0-append-log.patch
-# PATCH-FIX-UPSTREAM  coturn-4.5.1.1-cve-2020-6061.patch CVE-2020-6061
-Patch1:         coturn-4.5.1.1-cve-2020-6061.patch
-# PATCH-FIX-UPSTREAM  coturn-4.5.1.1-cve-2020-6062.patch CVE-2020-6062
-Patch2:         coturn-4.5.1.1-cve-2020-6062.patch
-# PATCH-FIX-UPSTREAM   coturn-4.5.1.1.missing-call-to-setgroups-before-setuid.patch fix rpmlint error
-Patch3:         coturn-4.5.1.1.missing-call-to-setgroups-before-setuid.patch
 BuildRequires:  fdupes
 BuildRequires:  firewall-macros
 BuildRequires:  libevent-devel >= 2.0.0
@@ -59,6 +51,10 @@ BuildRequires:  pkgconfig(libpq)
 BuildRequires:  pkgconfig(libssl) >= 1.0.2
 BuildRequires:  pkgconfig(sqlite3)
 BuildRequires:  pkgconfig(systemd)
+Requires(pre):  %fillup_prereq
+Requires(pre):  shadow
+Recommends:     logrotate
+%sysusers_requires
 %if %{with apparmor}
 %if 0%{?suse_version} <= 1315
 BuildRequires:  apparmor-profiles
@@ -71,10 +67,6 @@ Recommends:     apparmor-abstractions
 BuildRequires:  apparmor-rpm-macros
 %endif
 %endif
-Requires(pre):  %fillup_prereq
-Requires(pre):  shadow
-Recommends:     logrotate
-%sysusers_requires
 
 %description
 STUN (Session Traversal Utilities for NAT) and TURN (Traversal Using Relays

coturn.sysconfig

@@ -5,4 +5,4 @@
 #
 # TURN Server startup options
 #
-EXTRA_OPTIONS=""
+EXTRA_OPTIONS="--no-software-attribute"