Re: kamailio: multiple /tmp file vulnerabilities

[cve-assign () mitre org]

> There are multiple /tmp file vulnerabilities to be found in the kamailio
> SIP proxy. While many of these issues only affect configuration examples
> or outdated components, some do affect the default configuration.
>
> Initial disclosures:
> http://bugs.debian.org/712083 (2013)
> http://bugs.debian.org/775681 (2015)
> Upstream issue:
> https://github.com/kamailio/kamailio/issues/48
>
> At this point, three issues are well understood:
> * The kamctl administrative utility and default configuration would use
>   /tmp/kamailio_fifo (#712083, 2013, fixed in Debian's kamailio
>   4.0.2-1).

Use CVE-2013-7426.

> * The kamcmd administrative utility and default configuration would use
>   /tmp/kamailio_ctl (#775681, 2015, patch available).

Use CVE-2015-1590.

> * The kamailio build process would use constant filenames in /tmp
>   allowing to elevate privileges to the build user (#775681, 2015,
>   patch available).

Use CVE-2015-1591.

> The combined patch can be found at:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=17;filename=0001-fix-fifo-and-ctl-defaults-pointing-to-unsecure-tmp-d.patch;att=1;bug=775681
>
> While the last issue definitely affects the upstream kamailio build,
> arguably the first two issues are packaging specific. If they are
> treated as such, it is worth noting that kamailio was never part of a
> Debian stable release and thus this may not be worth issuing a CVE.
>
> I would like to thank Victor Seva for his timely responses, kind
> interaction and providing patches for all of these issues.
>
> Helmut

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]