[From nobody Wed Jun 10 10:35:06 2026
Received: (at submit) by bugs.debian.org; 21 Apr 2026 23:01:02 +0000
X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02
 (2024-03-25) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-16.1 required=4.0 tests=BAYES_00,
 BODY_INCLUDES_PACKAGE,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,
 DKIM_VALID_EF,FOURLA,HAS_PACKAGE,MD5_SHA1_SUM,SPF_HELO_NONE,SPF_PASS
 autolearn=ham autolearn_force=no
 version=4.0.1-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 28; hammy, 149; neutral, 31; spammy,
 1. spammytokens:0.889-+--rates hammytokens:0.000-+--XDebbugsCc,
 0.000-+--X-Debbugs-Cc, 0.000-+--trixie, 0.000-+--bookworm,
 0.000-+--forky
Return-path: <james_montgomery@disroot.org>
Received: from layka.disroot.org ([178.21.23.139]:59234)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <james_montgomery@disroot.org>)
 id 1wFK5V-008S2f-1c for submit@bugs.debian.org;
 Tue, 21 Apr 2026 23:01:02 +0000
Received: from mail01.disroot.lan (localhost [127.0.0.1])
 by disroot.org (Postfix) with ESMTP id B5DFB264BB
 for <submit@bugs.debian.org>; Wed, 22 Apr 2026 01:00:57 +0200 (CEST)
X-Virus-Scanned: SPAM Filter at disroot.org
Received: from layka.disroot.org ([127.0.0.1])
 by localhost (disroot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id fgCsDI8CZ8ON for <submit@bugs.debian.org>;
 Wed, 22 Apr 2026 01:00:56 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=disroot.org; s=mail;
 t=1776812456; bh=5JVUuFu1SgmYM+5TjHxaITklDxR/ty+T6fATtOWvHu8=;
 h=Date:From:To:Subject;
 b=P18pyvU8MMtHC5PTi/Gp/WjBxVvvuHE21uiaGX8V5hWfIZDfjbM/tu4wleiwKkADz
 PJHzX1fCX9mf/b8d6P03pI5CtkEesLmeK0GECkJo3aJzrrRV4MBvHU30ae3ZKfN/82
 +vqtCzYiDEV9KeGEYUisTv3eiCXb2PU+JVXqx8qCZROy/WNrEbYtqPXarWUK3TeLbA
 ylRMNvXuAY/lB8qFeWReKRWECAa21elXJ3NpRApbmxvkJI3s0ApKGeeZkOncw8KFkH
 xreKhHU4k0fufvUUgoWZm7OJmwFHnFKkL6zPN9GhsLenb/LEgfBBscPArSqM/UDdeI
 ZnglmgHKHqbnw==
Date: Tue, 21 Apr 2026 23:00:55 +0000
Message-ID: <4957adbee6870b6617a2dc9e2f57c032@disroot.org>
From: James <james_montgomery@disroot.org>
To: submit@bugs.debian.org
Subject: coturn: CVE-2026-40613 remote DoS on ARM64 via misaligned STUN
 attribute parsing
Delivered-To: submit@bugs.debian.org

Package: src:coturn
Version: 4.6.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: team@security.debian.org

Hi,

The security tracker currently lists coturn as unfixed for
CVE-2026-40613:

  https://security-tracker.debian.org/tracker/CVE-2026-40613

Upstream advisory:

  https://github.com/coturn/coturn/security/advisories/GHSA-j662-9wcj-mf36

The advisory describes a pre-authentication remote denial of service on
ARM64/AArch64 systems. coturn's STUN/TURN attribute parsing performs
unsafe casts from uint8_t * to uint16_t * without alignment checks. A
crafted STUN packet with misaligned attributes can trigger a SIGBUS and
terminate turnserver on strict-alignment architectures. The advisory
rates this as high severity, CVSS 7.5, and lists patched version 4.10.0.

Debian currently has:

  bullseye: 4.5.2-3
  bookworm: 4.6.1-1
  trixie/forky/sid: 4.6.1-2

I checked the current sid source, 4.6.1-2. The vulnerable unsafe casts
are present in src/client/ns_turn_msg.c, including:

  stun_attr_get_len:
    return (int)(nswap16(((const uint16_t*)attr)[1]));

  stun_attr_get_value:
    int len = (int)(nswap16(((const uint16_t*)attr)[1]));

  stun_get_requested_address_family:
    int len = (int) (nswap16(((const uint16_t*)attr)[1]));

Upstream changed this code to use memcpy instead of direct uint16_t
pointer dereferences:

  https://github.com/coturn/coturn/commit/eaa9e7920e98cd10d24ade07f474ddb4e05dc1ea

Regards,
James
]
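The cast-versus-memcpy distinction the report describes, as an added example in C that is not part of the bug report, the advisory, or coturn's own code. The unsafe reader reproduces the `((const uint16_t*)attr)[1]` shape quoted above; the safe reader copies the two bytes into an aligned local the way the upstream fix does. The STUN frame is constructed here, and placing it one byte into a 4-byte-aligned union is an assumed way of forcing odd attribute addresses so the difference is visible; it does not claim to be the path a real crafted packet takes through turnserver.

```c
#include <arpa/inet.h>   /* ntohs */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STUN_HDR_LEN 20u

typedef uint16_t (*rd16_fn)(const uint8_t *p);

/* The pattern the report quotes: reinterpret a byte pointer as uint16_t*.
 * Undefined behaviour when p is not 2-byte aligned; on strict-alignment
 * targets the load raises SIGBUS. Kept only for contrast and never executed
 * below. */
static uint16_t rd_be16_unsafe(const uint8_t *p) {
    return ntohs(*(const uint16_t *)p);
}

/* Alignment-agnostic read, the shape of the upstream fix: copy the two
 * bytes into a properly aligned local, then byte-swap. */
static uint16_t rd_be16_safe(const uint8_t *p) {
    uint16_t raw;
    memcpy(&raw, p, sizeof raw);
    return ntohs(raw);
}

/* Safe counterpart of stun_attr_get_len: the length field is attr[2..3]. */
static int stun_attr_get_len_safe(const uint8_t *attr) {
    return (int)rd_be16_safe(attr + 2);
}

static int is_misaligned(const void *p) {
    return ((uintptr_t)p & (sizeof(uint16_t) - 1)) != 0;
}

/* Walk the attribute list with the supplied reader. Returns the attribute
 * count, or -1 if any header or (4-byte padded, RFC 5389 s.15) value would
 * run past the buffer. Every read is bounds-checked first. */
static int stun_count_attrs(const uint8_t *msg, size_t msglen, rd16_fn rd) {
    if (msglen < STUN_HDR_LEN) return -1;
    size_t body = rd(msg + 2);                 /* Message Length field */
    if (body > msglen - STUN_HDR_LEN) return -1;
    const uint8_t *attr = msg + STUN_HDR_LEN, *end = attr + body;
    int n = 0;
    while (attr < end) {
        if ((size_t)(end - attr) < 4) return -1;
        size_t padded = ((size_t)rd(attr + 2) + 3) & ~(size_t)3;
        if ((size_t)(end - attr) - 4 < padded) return -1;
        attr += 4 + padded;
        n++;
    }
    return n;
}

/* Constructed frame (assumption): a 36-byte Binding Request stored one byte
 * into a 4-byte-aligned union, so every attribute pointer is odd. */
static union { uint32_t align; uint8_t bytes[1 + 36]; } g_frame;

static size_t build_frame(void) {
    static const uint8_t msg[36] = {
        0x00, 0x01, 0x00, 0x10,                  /* Binding Request, 16-byte body */
        0x21, 0x12, 0xa4, 0x42,                  /* magic cookie */
        1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,   /* transaction id */
        0x80, 0x22, 0x00, 0x02, 'a', 'b', 0, 0,  /* SOFTWARE, len 2 + 2 pad */
        0x00, 0x17, 0x00, 0x04, 0x02, 0, 0, 0,   /* REQUESTED-ADDRESS-FAMILY, IPv6 */
    };
    g_frame.bytes[0] = 0;
    memcpy(g_frame.bytes + 1, msg, sizeof msg);
    return sizeof msg;
}

int main(void) {
    size_t len = build_frame();
    const uint8_t *msg = g_frame.bytes + 1;
    printf("first attribute at odd address: %s\n",
           is_misaligned(msg + STUN_HDR_LEN) ? "yes" : "no");
    printf("attributes parsed with memcpy reader: %d\n",
           stun_count_attrs(msg, len, rd_be16_safe));
    printf("first attribute length: %d\n",
           stun_attr_get_len_safe(msg + STUN_HDR_LEN));
    /* stun_count_attrs(msg, len, rd_be16_unsafe) is the faulting variant on
     * a strict-alignment CPU; it is deliberately not executed. */
    (void)rd_be16_unsafe;
    return 0;
}
```

On x86-64 the unsafe reader would silently succeed on the same odd pointer, which is why the bug only surfaces on AArch64 and other strict-alignment builds; a byte-by-byte copy such as the safe reader is correct on every target, and the bounds checks in the walker are what stops a forged length field from turning the same attribute list into an out-of-bounds read.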