Package: src:coturn
Version: 4.6.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected]
Hi,

The security tracker currently lists coturn as unfixed for CVE-2026-40613:
https://security-tracker.debian.org/tracker/CVE-2026-40613

Upstream advisory:
https://github.com/coturn/coturn/security/advisories/GHSA-j662-9wcj-mf36

The advisory describes a pre-authentication remote denial of service on ARM64/AArch64 systems. coturn's STUN/TURN attribute parsing performs unsafe casts from uint8_t * to uint16_t * without alignment checks. A crafted STUN packet with misaligned attributes can trigger a SIGBUS and terminate turnserver on strict-alignment architectures. The advisory rates this as high severity, CVSS 7.5, and lists patched version 4.10.0.

Debian currently has:
  bullseye: 4.5.2-3
  bookworm: 4.6.1-1
  trixie/forky/sid: 4.6.1-2

I checked the current sid source, 4.6.1-2. The vulnerable unsafe casts are present in src/client/ns_turn_msg.c, including:

  stun_attr_get_len:
    return (int)(nswap16(((const uint16_t*)attr)[1]));
  stun_attr_get_value:
    int len = (int)(nswap16(((const uint16_t*)attr)[1]));
  stun_get_requested_address_family:
    int len = (int) (nswap16(((const uint16_t*)attr)[1]));

Upstream changed this code to use memcpy instead of direct uint16_t pointer dereferences:
https://github.com/coturn/coturn/commit/eaa9e7920e98cd10d24ade07f474ddb4e05dc1ea

Regards,
James
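Added illustration, not coturn's code and not part of the report above: the cast pattern quoted from ns_turn_msg.c next to an alignment-safe memcpy accessor in the spirit of the upstream fix, parsing a constructed attribute header placed at an odd address. The nswap16 stand-in, the bounds check and the sample bytes are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Network-to-host byte swap for 16-bit values (stand-in for coturn's nswap16). */
static uint16_t nswap16(uint16_t v) {
    const uint16_t probe = 1;
    if (*(const uint8_t *)&probe == 1)            /* little-endian host */
        return (uint16_t)((v << 8) | (v >> 8));
    return v;
}

/* Pattern quoted in the report: the attribute pointer is reinterpreted as
 * uint16_t* and indexed. If attr is not 2-byte aligned this is undefined
 * behaviour, and on strict-alignment AArch64 builds it faults with SIGBUS.
 * Only ever called on aligned memory below. */
static int stun_attr_get_len_cast(const uint8_t *attr) {
    return (int)nswap16(((const uint16_t *)attr)[1]);
}

/* Alignment-safe form: copy the two length bytes out with memcpy, which has
 * no alignment requirement, then byte-swap. Also rejects an attribute whose
 * 4-byte header (type + length) does not fit in the remaining buffer. */
static int stun_attr_get_len_safe(const uint8_t *attr, size_t remaining) {
    uint16_t len;
    if (remaining < 4)
        return -1;
    memcpy(&len, attr + 2, sizeof len);
    return (int)nswap16(len);
}

/* Constructed fragment: one leading byte, then a USERNAME (0x0006) attribute
 * with length 5, so the attribute header starts at an odd address. */
static const uint8_t sample_fragment[] = { 0xAA, 0x00, 0x06, 0x00, 0x05, 'a', 'l', 'i', 'c', 'e' };

/* Parse the misaligned attribute through the safe accessor: returns 5. */
int sample_len_misaligned(void) {
    return stun_attr_get_len_safe(sample_fragment + 1, sizeof sample_fragment - 1);
}

/* Too few bytes left for a header: returns -1 instead of reading past the end. */
int sample_len_truncated(void) {
    return stun_attr_get_len_safe(sample_fragment + 1, 3);
}

/* On 2-byte-aligned memory both accessors agree; returns 1 if they do. */
int sample_cast_matches_safe_when_aligned(void) {
    union { uint16_t words[2]; uint8_t bytes[4]; } hdr;   /* union forces alignment */
    memcpy(hdr.bytes, sample_fragment + 1, 4);
    return stun_attr_get_len_cast(hdr.bytes) == stun_attr_get_len_safe(hdr.bytes, 4);
}
```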
