Package: kamailio
Version: 4.2.0-1.1
Severity: important
Tags: security
The kamailio package now installs /etc/kamailio/kamailio-basic.cfg which
can be selected via the CFGFILE= setting in /etc/default/kamailio. The
configuration contains:
modparam("mi_fifo", "fifo_name", "/tmp/kamailio_fifo")
This setting is insecure and may allow local users to elevate privileges
to the kamailio user.
The issue extends to kamailio-advanced.cfg. It seems that this is due to
an incomplete fix of #712083. Looking further, the state of /tmp file
vulnerabilities in kamailio looks worrisome. Most of the results of the
following command (to be executed in the kamailio source) are likely
vulnerable if executed:
grep '/tmp/[a-z0-9_.-]\+\(\$\$\)\?\([" ]\|$\)' -r .
Granted, some of the results are examples, documentation or obsolete.
But quite a few reach the default settings:
* kamcmd defaults to connecting to unixs:/tmp/kamailio_ctl.
* The kamailio build definitely is vulnerable as can be seen in
utils/kamctl/Makefile.
More research clearly is required here. Given these findings, the
security team may want to veto the inclusion of kamailio in a stable
release, which would be very unfortunate as kamailio is quite a unique
piece of software with little competitors in its field.
Helmut
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
