From 7ec561df978f62e858644bf46ba068bcd2de05adb7626e5ff6789323fcadbb68 Mon Sep 17 00:00:00 2001
From: Johannes Weberhofer
Date: Mon, 4 May 2020 13:08:12 +0000
Subject: [PATCH] Accepting request 800058 from home:weberho:branches:network:telephony

- Version 4.5.1.2:
- Extended Readme.SUSE with description on how to bind to ports below 1024
- Fixes and enhancements in service-file
- /etc/sysconfig/coturn defaults now to not show software's version to the public

OBS-URL: https://build.opensuse.org/request/show/800058
OBS-URL: https://build.opensuse.org/package/show/network:telephony/coturn?expand=0&rev=7
---
 README.SUSE | 9 ++
 coturn-4.5.1.0-append-log.patch | 53 ------------
 coturn-4.5.1.1-cve-2020-6061.patch | 22 -----
 coturn-4.5.1.1-cve-2020-6062.patch | 85 -------------------
 ...sing-call-to-setgroups-before-setuid.patch | 22 -----
 coturn-4.5.1.1.tar.gz | 3 -
 coturn-4.5.1.2.tar.gz | 3 +
 coturn.changes | 54 ++++++++++++
 coturn.service | 5 +-
 coturn.spec | 20 ++---
 coturn.sysconfig | 2 +-
 11 files changed, 77 insertions(+), 201 deletions(-)
 delete mode 100644 coturn-4.5.1.0-append-log.patch
 delete mode 100644 coturn-4.5.1.1-cve-2020-6061.patch
 delete mode 100644 coturn-4.5.1.1-cve-2020-6062.patch
 delete mode 100644 coturn-4.5.1.1.missing-call-to-setgroups-before-setuid.patch
 delete mode 100644 coturn-4.5.1.1.tar.gz
 create mode 100644 coturn-4.5.1.2.tar.gz

diff --git a/README.SUSE b/README.SUSE
index 3c51d31..fca660c 100644
--- a/README.SUSE
+++ b/README.SUSE
@@ -6,3 +6,12 @@ To allow traffic going thru the firewall use
 ```
 firewall-cmd --zone=public --add-service=coturn [--permanent]
 ```
+
+* /etc/syconfig/coturn has the option '--no-software-attribute' enabled to hide
+ the software version for production issue.
+
+* The trunserveer can only be bound to a port belo 1024 if you add the
+ AmbientCapabilities=CAP_NET_BIND_SERVICE section to the service file.
+
+
+
diff --git a/coturn-4.5.1.0-append-log.patch b/coturn-4.5.1.0-append-log.patch
deleted file mode 100644
index 113cca6..0000000
--- a/coturn-4.5.1.0-append-log.patch
+++ /dev/null
@@ -1,53 +0,0 @@ -https://github.com/coturn/coturn/issues/416 and https://github.com/coturn/coturn/pull/417 - -diff --git a/src/apps/common/ns_turn_utils.c b/src/apps/common/ns_turn_utils.c -index 2c656d7..0792085 100644 ---- a/src/apps/common/ns_turn_utils.c -+++ b/src/apps/common/ns_turn_utils.c -@@ -370,7 +370,7 @@ static void set_rtpfile(void) - no_stdout_log = 1; - } else { - set_log_file_name(log_fn_base,log_fn); -- _rtpfile = fopen(log_fn, "w"); -+ _rtpfile = fopen(log_fn, "a"); - if(_rtpfile) - TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "log file opened: %s\n", log_fn); - } -@@ -397,32 +397,32 @@ static void set_rtpfile(void) - - set_log_file_name(logbase, logf); - -- _rtpfile = fopen(logf, "w"); -+ _rtpfile = fopen(logf, "a"); - if(_rtpfile) - TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "log file opened: %s\n", logf); - else { - snprintf(logbase, FILE_STR_LEN, "/var/log/%s", logtail); - - set_log_file_name(logbase, logf); -- _rtpfile = fopen(logf, "w"); -+ _rtpfile = fopen(logf, "a"); - if(_rtpfile) - TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "log file opened: %s\n", logf); - else { - snprintf(logbase, FILE_STR_LEN, "/var/tmp/%s", logtail); - set_log_file_name(logbase, logf); -- _rtpfile = fopen(logf, "w"); -+ _rtpfile = fopen(logf, "a"); - if(_rtpfile) - TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "log file opened: %s\n", logf); - else { - snprintf(logbase, FILE_STR_LEN, "/tmp/%s", logtail); - set_log_file_name(logbase, logf); -- _rtpfile = fopen(logf, "w"); -+ _rtpfile = fopen(logf, "a"); - if(_rtpfile) - TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "log file opened: %s\n", logf); - else { - snprintf(logbase, FILE_STR_LEN, "%s", logtail); - set_log_file_name(logbase, logf); -- _rtpfile = fopen(logf, "w"); -+ _rtpfile = fopen(logf, "a"); - if(_rtpfile) - TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "log file opened: %s\n", logf); - else { diff --git a/coturn-4.5.1.1-cve-2020-6061.patch b/coturn-4.5.1.1-cve-2020-6061.patch deleted file mode 100644 index 9a6e542..0000000 
--- a/coturn-4.5.1.1-cve-2020-6061.patch +++ /dev/null @@ -1,22 +0,0 @@ -From 51a7c2b9bf924890c7a3ff4db9c4976c5a93340a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= -Date: Mon, 17 Feb 2020 10:34:56 +0100 -Subject: [PATCH] Fix: CVE-2020-6061/TALOS-2020-0984 - ---- - src/apps/relay/http_server.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/apps/relay/http_server.c b/src/apps/relay/http_server.c -index 573af49b..1126b49c 100644 ---- a/src/apps/relay/http_server.c -+++ b/src/apps/relay/http_server.c -@@ -103,7 +103,7 @@ const char* get_http_date_header() - - static struct headers_list * post_parse(char *data, size_t data_len) - { -- while((*data=='\r')||(*data=='\n')) ++data; -+ while((*data=='\r')||(*data=='\n')) { ++data; --data_len; } - char *post_data = (char*)calloc(data_len + 1, sizeof(char)); - memcpy(post_data, data, data_len); - char *fmarker = NULL; diff --git a/coturn-4.5.1.1-cve-2020-6062.patch b/coturn-4.5.1.1-cve-2020-6062.patch deleted file mode 100644 index 1bb7351..0000000 --- a/coturn-4.5.1.1-cve-2020-6062.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From e09bcd9f7af5b32c81b37f51835b384b5a7d03a8 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= -Date: Tue, 18 Feb 2020 12:31:38 +0100 -Subject: [PATCH] Fix: CVE-2020-6062 / TALOS-2020-0985 - ---- - src/apps/relay/http_server.c | 63 ++++++++++++++++++++---------------- - 1 file changed, 36 insertions(+), 27 deletions(-) - -diff --git a/src/apps/relay/http_server.c b/src/apps/relay/http_server.c -index 1126b49c..ff8e3992 100644 ---- a/src/apps/relay/http_server.c -+++ b/src/apps/relay/http_server.c -@@ -104,35 +104,44 @@ const char* get_http_date_header() - static struct headers_list * post_parse(char *data, size_t data_len) - { - while((*data=='\r')||(*data=='\n')) { ++data; --data_len; } -- char *post_data = (char*)calloc(data_len + 1, sizeof(char)); -- memcpy(post_data, data, data_len); -- char *fmarker = NULL; -- char *fsplit = strtok_r(post_data, "&", &fmarker); -- struct headers_list *list = (struct headers_list*)malloc(sizeof(struct headers_list)); -- ns_bzero(list,sizeof(struct headers_list)); -- while (fsplit != NULL) { -- char *vmarker = NULL; -- char *key = strtok_r(fsplit, "=", &vmarker); -- char *value = strtok_r(NULL, "=", &vmarker); -- char empty[1]; -- empty[0]=0; -- value = value ? value : empty; -- value = evhttp_decode_uri(value); -- char *p = value; -- while (*p) { -- if (*p == '+') -- *p = ' '; -- p++; -+ if (data_len) { -+ char *post_data = (char*)calloc(data_len + 1, sizeof(char)); -+ if (post_data != NULL) { -+ memcpy(post_data, data, data_len); -+ char *fmarker = NULL; -+ char *fsplit = strtok_r(post_data, "&", &fmarker); -+ struct headers_list *list = (struct headers_list*)malloc(sizeof(struct headers_list)); -+ bzero(list,sizeof(struct headers_list)); -+ while (fsplit != NULL) { -+ char *vmarker = NULL; -+ char *key = strtok_r(fsplit, "=", &vmarker); -+ if (key == NULL) -+ break; -+ else { -+ char *value = strtok_r(NULL, "=", &vmarker); -+ char empty[1]; -+ empty[0]=0; -+ value = value ? 
value : empty; -+ value = evhttp_decode_uri(value); -+ char *p = value; -+ while (*p) { -+ if (*p == '+') -+ *p = ' '; -+ p++; -+ } -+ list->keys = (char**)realloc(list->keys,sizeof(char*)*(list->n+1)); -+ list->keys[list->n] = strdup(key); -+ list->values = (char**)realloc(list->values,sizeof(char*)*(list->n+1)); -+ list->values[list->n] = value; -+ ++(list->n); -+ fsplit = strtok_r(NULL, "&", &fmarker); -+ } -+ } -+ free(post_data); -+ return list; - } -- list->keys = (char**)realloc(list->keys,sizeof(char*)*(list->n+1)); -- list->keys[list->n] = strdup(key); -- list->values = (char**)realloc(list->values,sizeof(char*)*(list->n+1)); -- list->values[list->n] = value; -- ++(list->n); -- fsplit = strtok_r(NULL, "&", &fmarker); - } -- free(post_data); -- return list; -+ return NULL; - } - - static struct http_request* parse_http_request_1(struct http_request* ret, char* request, int parse_post) diff --git a/coturn-4.5.1.1.missing-call-to-setgroups-before-setuid.patch b/coturn-4.5.1.1.missing-call-to-setgroups-before-setuid.patch deleted file mode 100644 index 1c7e457..0000000 --- a/coturn-4.5.1.1.missing-call-to-setgroups-before-setuid.patch +++ /dev/null @@ -1,22 +0,0 @@ -From acbf7e15c9290e0891a6b6b5ce6e81bbaa77ce5a Mon Sep 17 00:00:00 2001 -From: Johannes Weberhofer -Date: Sat, 11 Apr 2020 10:33:55 +0200 -Subject: [PATCH] Drop of supplementary group IDs - -Fix related to POS36-C and rpmlint error "missing-call-to-setgroups-before-setuid". ---- - src/apps/relay/mainrelay.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c -index 6710da6d..5a21cfaa 100644 ---- a/src/apps/relay/mainrelay.c -+++ b/src/apps/relay/mainrelay.c -@@ -2061,6 +2061,7 @@ static void set_network_engine(void) - - static void drop_privileges(void) - { -+ setgroups(0, NULL); - if(procgroupid_set) { - if(getgid() != procgroupid) { - if (setgid(procgroupid) != 0) { 
diff --git a/coturn-4.5.1.1.tar.gz b/coturn-4.5.1.1.tar.gz
deleted file mode 100644
index 83febdf..0000000
--- a/coturn-4.5.1.1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8eabe4c241ad9a74655d8516c69b1fa3275e020e7f7fca50a6cb822809e7c220
-size 420069
diff --git a/coturn-4.5.1.2.tar.gz b/coturn-4.5.1.2.tar.gz
new file mode 100644
index 0000000..07cdc5b
--- /dev/null
+++ b/coturn-4.5.1.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a1ab5fb6a97c1fdd509f6301c5e706f422475a7086657c0c56e2b27cbe01932c
+size 436487
diff --git a/coturn.changes b/coturn.changes
index 9b64ccc..02a4d16 100644
--- a/coturn.changes
+++ b/coturn.changes
@@ -1,3 +1,57 @@
+-------------------------------------------------------------------
+Mon May 4 12:58:39 UTC 2020 - Johannes Weberhofer
+
+- Extended Readme.SUSE with description on how to bind to ports below 1024
+- Fixes and enhancements in service-file
+- /etc/sysconfig/coturn defaults now to not show software's version to the public
+
+- Version 4.5.1.2:
+ * Do not display empty CLI passwd alert if CLI is not enabled
+ * Removed several functions: gh#coturn/coturn#359
+ * Fix webadmin IP permission and possible SQL-injections: gh#coturn/coturn#386
+ * Fix Mongo driver crash on invalid connection string: gh#coturn/coturn#390
+ * enhanced fread return length check: gh#coturn/coturn#392
+ * disconnect database gracefully: #367
+ * Using SSL_get_version method for BoringSSL compatibility:
+ turn_session_info->tls_method returns real TLS version:
+ gh#coturn/coturn#382
+ * Added systemd service example: gh#coturn/coturn#276
+ * Add bandwidth usage reporting packet/bandwidth usage by peers:
+ gh#coturn/coturn#284
+ * Modifying configure to enable compile with private libraries:
+ gh#coturn/coturn#381
+ * Append to log files rather than overriding them: gh#coturn/coturn#417
+ * Updated incorrect string length check for 'ssh': gh#coturn/coturn#442
+ * Fix Dockerfile for latest Debian: gh#coturn/coturn#449
+ * CVE-2020-6061, CVE-2020-6062: specially crafted HTTP POST request can lead
+ to heap overflow which can result in information leak:
+ gh#coturn/coturn#489
+ * STUN input validation: gh#coturn/coturn#472
+ * Allow MD5 in FIPS mode: gh#coturn/coturn#398
+ * update travis config ubuntu/mac images
+ * added null check for second char: gh#coturn/coturn#466
+ * compiler warning fixes: gh#coturn/coturn#470
+ * Fix a memory leak when an SHATYPE isn't supported: gh#coturn/coturn#471
+ * fix compiler warning comparison between signed and unsigned integer expressions
+ * fix compiler warning string truncation
+ * change Diffie Hellman default key length from 1066 to 2066
+ * drop of supplementary group IDs: gh#coturn/coturn#522
+ * Unify spelling of Coturn: gh#coturn/coturn#514
+ * Rename "prod" config option to "no-software-attribute": gh#coturn/coturn#506
+ gh#coturn/coturn#478
+ * change sql data dir in docker-compose-all.yml: gh#coturn/coturn#516
+ * add flags to disable periodic use of dynamic tables: gh#coturn/coturn#525
+
+ * fix typos and grammar: gh#coturn/coturn#463, gh#coturn/coturn#488
+ * Update README.docker: gh#coturn/coturn#475
+ * fix config extension in README.docker: gh#coturn/coturn#519
+ * Code beautifications: gh#coturn/coturn#327, gh#coturn/coturn#455,
+ gh#coturn/coturn#513
+
+- Removed patches now included in upstream: coturn-4.5.1.0-append-log.patch,
+ coturn-4.5.1.1-cve-2020-6061.patch, coturn-4.5.1.1-cve-2020-6062 and
+ coturn-4.5.1.1.missing-call-to-setgroups-before-setuid.patch
+
 -------------------------------------------------------------------
 Tue Apr 14 18:38:59 UTC 2020 - lars@linux-schulserver.de
diff --git a/coturn.service b/coturn.service
index 7ceea63..100f2c0 100644
--- a/coturn.service
+++ b/coturn.service
@@ -7,12 +7,15 @@ After=syslog.target network.target
 User=coturn
 Group=coturn
 Type=forking
-EnvironmentFile=-/etc/sysconfig/turnserver
+EnvironmentFile=-/etc/sysconfig/coturn
 PIDFile=/run/coturn/turnserver.pid
 ExecStart=/usr/bin/turnserver -o -c /etc/coturn/turnserver.conf --pidfile /run/coturn/turnserver.pid $EXTRA_OPTIONS
 Restart=on-abort
 ExecReload=/bin/kill -HUP $MAINPID
+# enable next line to make coturn able to bind to a port below 1024
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+
 LimitCORE=infinity
 LimitNOFILE=999999
 LimitNPROC=60000
diff --git a/coturn.spec b/coturn.spec
index 29fe5bc..d45efad 100644
--- a/coturn.spec
+++ b/coturn.spec
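Review bot: The commented-out `#AmbientCapabilities=CAP_NET_BIND_SERVICE` line shows how to bind below 1024 but not how to keep that grant minimal; when it is enabled, `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` is the usual companion so the unit's bounding set is narrowed to the one capability it needs, and the comment could say so, e.g. `# pair it with CapabilityBoundingSet=CAP_NET_BIND_SERVICE to grant nothing beyond that`. The renamed `EnvironmentFile=-/etc/sysconfig/coturn` keeps the leading `-`, so a missing file is tolerated and `$EXTRA_OPTIONS` expands to nothing; that is presumably intended, but it means the sysconfig default this commit introduces only takes effect once that file exists. The rest of the [Service] section lies outside the hunk.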
@@ -17,14 +17,14 @@
 %global _lto_cflags %{?_lto_cflags} -ffat-lto-objects
-%bcond_without apparmor
 %if 0%{?suse_version} > 1320
 %bcond_without apparmor_reload
 %else
 %bcond_with apparmor_reload
 %endif
+%bcond_without apparmor
 Name: coturn
-Version: 4.5.1.1
+Version: 4.5.1.2
 Release: 0
 Summary: TURN and STUN server for VoIP
 License: BSD-3-Clause
@@ -39,14 +39,6 @@ Source5: %{name}.sysconfig
 Source6: %{name}.firewalld
 Source7: README.SUSE
 Source8: %{name}-apparmor-usr.bin.turnserver
-# PATCH-FIX-UPSTREAM coturn-4.5.1.0-append-log.patch Append only to log files rather to override them
-Patch0: coturn-4.5.1.0-append-log.patch
-# PATCH-FIX-UPSTREAM coturn-4.5.1.1-cve-2020-6061.patch CVE-2020-6061
-Patch1: coturn-4.5.1.1-cve-2020-6061.patch
-# PATCH-FIX-UPSTREAM coturn-4.5.1.1-cve-2020-6062.patch CVE-2020-6062
-Patch2: coturn-4.5.1.1-cve-2020-6062.patch
-# PATCH-FIX-UPSTREAM coturn-4.5.1.1.missing-call-to-setgroups-before-setuid.patch fix rpmlint error
-Patch3: coturn-4.5.1.1.missing-call-to-setgroups-before-setuid.patch
 BuildRequires: fdupes
 BuildRequires: firewall-macros
 BuildRequires: libevent-devel >= 2.0.0
@@ -59,6 +51,10 @@ BuildRequires: pkgconfig(libpq)
 BuildRequires: pkgconfig(libssl) >= 1.0.2
 BuildRequires: pkgconfig(sqlite3)
 BuildRequires: pkgconfig(systemd)
+Requires(pre): %fillup_prereq
+Requires(pre): shadow
+Recommends: logrotate
+%sysusers_requires
 %if %{with apparmor}
 %if 0%{?suse_version} <= 1315
 BuildRequires: apparmor-profiles
@@ -71,10 +67,6 @@ Recommends: apparmor-abstractions
 BuildRequires: apparmor-rpm-macros
 %endif
 %endif
-Requires(pre): %fillup_prereq
-Requires(pre): shadow
-Recommends: logrotate
-%sysusers_requires
 %description
 STUN (Session Traversal Utilities for NAT) and TURN (Traversal Using Relays
diff --git a/coturn.sysconfig b/coturn.sysconfig
index 806f213..f384c84 100644
--- a/coturn.sysconfig
+++ b/coturn.sysconfig
@@ -5,4 +5,4 @@
 #
 # TURN Server startup options
 #
-EXTRA_OPTIONS=""
+EXTRA_OPTIONS="--no-software-attribute"
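Review bot: Besides the version bump and the patch removal, the hunks at `@@ -17,14` and `@@ -59,6` / `@@ -71,10` relocate `%bcond_without apparmor` below the apparmor_reload `%if` block and move the `Requires(pre)`/`Recommends`/`%sysusers_requires` lines above `%if %{with apparmor}`; neither move has a visible functional effect, and the coturn.changes entry in this commit does not mention them. Keeping pure reorders out of a version-bump commit, or at least recording them in the changes entry, makes the diff easier to audit. If the move of `%bcond_without apparmor` is meant to fix an ordering problem, a one-line comment above it such as `# apparmor bcond deliberately after the apparmor_reload selection` would record why.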
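Review bot: `EXTRA_OPTIONS="--no-software-attribute"` relies on an option that exists only from 4.5.1.2 onwards (the coturn.changes entry in this commit records the rename of `prod` to `no-software-attribute`), so the sysconfig default is silently coupled to the version bump in coturn.spec; a comment above the line, e.g. `# --no-software-attribute needs coturn >= 4.5.1.2 (renamed from prod)`, would spare anyone backporting the file a presumably failing start. Since the file is handled through fillup (`%fillup_prereq` in the spec), an existing /etc/sysconfig/coturn presumably keeps its old `EXTRA_OPTIONS=""`, so the new default reaches fresh installs only, and the README.SUSE statement that the option is enabled would be worth qualifying in the same comment.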