Bug#775681: multiple /tmp file vulnerabilities

Helmut Grohne helmut at subdivi.de
Sun Jan 25 20:52:45 UTC 2015


Control: severity -1 serious

Hi Victor,

Thank you very much for investing your time in addressing these issues!

On Sat, Jan 24, 2015 at 02:30:37PM +0100, Victor Seva wrote:
> On 01/18/2015 05:16 PM, Helmut Grohne wrote:
> > Granted, some of the results are examples, documentation or obsolete.
> > But quite a few reach the default settings:
> > 
> >  * kamcmd defaults to connecting to unixs:/tmp/kamailio_ctl.
> 
> - added default_ctl.patch.
>   ctl defaults to /var/run/kamailio/kamailio_ctl.
>   add ctl binrpc module parameter to etc/kamailio/kamailio*cfg
>   to point this change.
> 
> 
> >  * The kamailio build definitely is vulnerable as can be seen in
> >    utils/kamctl/Makefile.
> 
> - kamctl_build.patch.
>   use basedir instead of /tmp

All of these fixes are appropriate for a Debian Security Advisory. Thus
they should also be appropriate for a freeze unblock. Please file a
pre-approval unblock bug.

In particular, I am raising the severity of this bug to serious, because
 1) the build process is definitely exploitable,
 2) there is a patch, and
 3) we have fixed similar issues via DSAs earlier.
    (examples: DSA-2945-1, DSA-2649-1, DSA-2435-1)

> > More research clearly is required here.  Given these findings, the
> > security team may want to veto the inclusion of kamailio in a stable
> > release, which would be very unfortunate as kamailio is quite a unique
> > piece of software with few competitors in its field.
> 
> From my POV this is a matter of configuration. Kamailio has a complex
> configuration, and my changes will try to have proper default configs in
> /etc/kamailio *examples*.

Yes, many of these instances are configuration examples and users should
use them with care. Yet, we should try to make these examples as safe as
possible and in particular, we should make the default configuration
safe.

> Helmut, do you agree with these proposed changes to deal with your findings?

I am not sure that your patches indeed do make the default configuration
safe wrt /tmp usage, but they definitely go a long way in the right
direction and I cannot point to particular issues they miss without
taking a much more detailed look.

Please proceed!

> PD: I will document on README.Debian any final changes on the kamailio
> defaults

I think that having your patches in jessie would be very good, because
then we don't have to change ctl paths in a DSA later when a working
exploit is discovered.

Big thanks!

Helmut
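The two patterns discussed above, side by side, as an added example that is not part of this bug report or of the kamailio project: a fixed, predictable name under world-writable /tmp (what kamcmd's default socket path and the utils/kamctl/Makefile scratch file do) versus a private mktemp directory for build-time files and a non-world-writable directory such as /var/run/kamailio for the control socket. It also includes a small grep-based audit of the kind used to locate such paths in a source tree. The function names, the constructed Makefile fragment and the reliance on GNU `stat -c` are assumptions of this example.

```shell
#!/bin/sh
# Added example; not code from the bug report or from kamailio itself.
# Contrasts fixed-path /tmp usage with the hardened patterns the patches
# move towards, plus a small audit helper. Assumes GNU stat (-c %a).

# Constructed sample of a build fragment: one fixed /tmp path (the
# vulnerable pattern) and one mktemp template (an acceptable pattern).
SAMPLE_MAKEFILE='install:
    cp utils/kamctl/kamctl /tmp/kamctl.install
    TMPF=$(shell mktemp /tmp/kamctl.XXXXXX)
    cp $(TMPF) $(DESTDIR)/usr/sbin/kamctl'

# write_sample_makefile -> prints the path of a temp file holding the sample
write_sample_makefile() {
    f=$(mktemp "${TMPDIR:-/tmp}/sample-makefile.XXXXXX") || return 1
    printf '%s\n' "$SAMPLE_MAKEFILE" > "$f"
    echo "$f"
}

# find_fixed_tmp_paths FILE
# Prints numbered lines that mention a literal /tmp/ path which is not a
# mktemp template (no run of X's): those are the names another local user
# can pre-create or symlink before the build or daemon touches them.
find_fixed_tmp_paths() {
    grep -n '/tmp/' "$1" | grep -v '/tmp/[^[:space:]]*XXXX'
}

# count_fixed_tmp_paths FILE -> number of such lines (0 if none)
count_fixed_tmp_paths() {
    find_fixed_tmp_paths "$1" | wc -l | tr -d ' '
}

# make_private_scratch_dir -> prints a fresh directory for build scratch
# files. mktemp -d picks an unpredictable suffix and creates it mode 0700,
# so no other user can pre-create, symlink into or read it. The caller
# removes it (rm -rf "$dir") when done.
make_private_scratch_dir() {
    mktemp -d "${TMPDIR:-/tmp}/kamailio-build.XXXXXX"
}

# ctl_dir_is_safe DIR -> 0 if DIR is a real directory (not a symlink)
# that other users cannot write to, 1 otherwise. This is the property a
# control-socket directory needs: /tmp is world-writable, so any local
# user can create /tmp/kamailio_ctl before the daemon starts; a dedicated
# /var/run/kamailio owned by the service user is not world-writable.
ctl_dir_is_safe() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    mode=$(stat -c %a "$1") || return 1     # GNU stat: e.g. 1777, 700
    other=${mode#"${mode%?}"}               # last octal digit: "other" bits
    case "$other" in
        2|3|6|7) return 1 ;;                # write bit set for others
        *)       return 0 ;;
    esac
}

# Demo: sh this_file.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(write_sample_makefile)
    echo "fixed /tmp paths in sample Makefile fragment:"
    find_fixed_tmp_paths "$f" || echo "(none)"
    d=$(make_private_scratch_dir)
    ctl_dir_is_safe "$d" && echo "$d: private, usable as scratch dir"
    ctl_dir_is_safe /tmp || echo "/tmp: world-writable, not a safe socket dir"
    rm -rf "$f" "$d"
fi
```

Run with `--demo` to see the audit hit on the fixed path only, and the directory check pass for the mktemp directory while rejecting /tmp. The audit is deliberately crude (a literal `/tmp/` grep minus mktemp templates), which is why, as the thread notes, its results still need triage into defaults, examples and obsolete code.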
