CVE-2020-6061
NixOS vulnerability analysis and mitigation

Overview

CVE-2020-6061 is a heap out-of-bounds read vulnerability discovered in CoTURN version 4.5.1.1, disclosed on February 19, 2020. The vulnerability exists in the way the CoTURN web server parses POST requests. CoTURN is a TURN (Traversal Using Relays around NAT) server implementation used as a VoIP media traffic NAT traversal server and gateway (Talos Report).

Technical details

The vulnerability occurs during POST request body parsing, where the parsing code contains a bug that leads to out-of-bounds memory access. Before the body is parsed, leading newline and carriage return characters are skipped to reach the start of the POST data. For each skipped character the data pointer is incremented, but data_len is not decremented to match. The subsequent memcpy operation therefore reads bytes beyond the end of the original data buffer. The vulnerability has a CVSS v3 score of 7.0 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H) (Talos Report).
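The pointer/length mismatch described above, modelled as an added example (this is not CoTURN's source code; the function and type names are hypothetical). It computes how far a copy would run past the buffer without performing the out-of-bounds read, and shows the corrected form that keeps the length in step with the pointer.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* A view into a request buffer: start pointer plus remaining byte count. */
struct span { const char *p; size_t len; };

/* Buggy pattern: the pointer advances past CR/LF, the length stays put. */
static struct span skip_eol_buggy(const char *data, size_t data_len) {
    size_t i = 0;
    while (i < data_len && (data[i] == '\r' || data[i] == '\n')) i++;
    return (struct span){ data + i, data_len };      /* len is now stale */
}

/* Corrected pattern: every skipped byte is also removed from the length. */
static struct span skip_eol_fixed(const char *data, size_t data_len) {
    size_t i = 0;
    while (i < data_len && (data[i] == '\r' || data[i] == '\n')) i++;
    return (struct span){ data + i, data_len - i };
}

/* Bytes a memcpy(dst, s.p, s.len) would read beyond buf[0..buf_len). */
static size_t overread(const char *buf, size_t buf_len, struct span s) {
    size_t end = (size_t)(s.p - buf) + s.len;
    return end > buf_len ? end - buf_len : 0;
}

/* Safe copy of the body as a NUL-terminated string; caller frees. */
static char *copy_body(const char *data, size_t data_len) {
    struct span s = skip_eol_fixed(data, data_len);
    char *out = calloc(s.len + 1, 1);
    if (out) memcpy(out, s.p, s.len);
    return out;
}

int main(void) {
    static const char req[] = "\r\n\r\na=1";   /* constructed sample body */
    size_t n = sizeof req - 1;
    char *body = copy_body(req, n);
    int ok = body && strcmp(body, "a=1") == 0
          && overread(req, n, skip_eol_buggy(req, n)) == 4
          && overread(req, n, skip_eol_fixed(req, n)) == 0;
    free(body);
    return ok ? 0 : 1;
}
```

The over-read equals the number of skipped characters, so the amount of adjacent heap memory exposed grows with the run of leading CR/LF bytes in the request.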

Impact

The vulnerability can lead to information leaks and other misbehavior. Depending on the memory layout, this could potentially result in further memory corruption, access to sensitive information from other requests, and other unforeseen consequences (Talos Report, Debian Advisory).

Mitigation and workarounds

The vulnerability has been patched in multiple distributions: Ubuntu 20.04 LTS (4.5.1.1-1.1ubuntu0.20.04.1), Ubuntu 19.10 (4.5.1.1-1.1ubuntu0.19.10.1), Ubuntu 18.04 LTS (4.5.0.7-1ubuntu2.18.04.2), Ubuntu 16.04 LTS (4.5.0.3-1ubuntu0.3), Debian stretch (4.5.0.5-1+deb9u2), and Debian buster (4.5.1.1-1.1+deb10u1). Users should upgrade their coturn packages to these patched versions (Ubuntu Notice, Debian Advisory).


Source: This report was generated using AI
