coturn: apply patch for CVE-2020-6061/6062

Fixes: CVE-2020-6061, CVE-2020-6062 An exploitable heap overflow vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to information leaks and other misbehavior. An attacker needs to send an HTTPS request to trigger this vulnerability. An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to server crash and denial of service. An attacker needs to send an HTTP request to trigger this vulnerability. (cherry picked from commit 704a018)
NixOS · Apr 29, 2020 · ac3ed15 · ac3ed15
1 parent a7ceb25
commit ac3ed15
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/pkgs/servers/coturn/default.nix b/pkgs/servers/coturn/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, openssl, libevent }:
+{ stdenv, fetchFromGitHub, fetchpatch, openssl, libevent }:
 
 stdenv.mkDerivation rec {
   pname = "coturn";
@@ -13,7 +13,14 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ openssl libevent ];
 
-  patches = [ ./pure-configure.patch ];
+  patches = [
+    ./pure-configure.patch
+    (fetchpatch {
+      name = "CVE-2020-6061+6062.patch";
+      url = "https://sources.debian.org/data/main/c/coturn/4.5.1.1-1.2/debian/patches/CVE-2020-6061+6062.patch";
+      sha256 = "0fcy1wp91bb4hlhnp96sf9bs0d9hf3pwx5f7b1r9cfvr3l5c1bk2";
+    })
+  ];
 
   meta = with stdenv.lib; {
     homepage = https://coturn.net/;