Bug 490670 (CVE-2013-4509) - app-i18n/ibus : visible password entry flaw (CVE-2013-4509)
Summary: app-i18n/ibus : visible password entry flaw (CVE-2013-4509)
Status: RESOLVED FIXED
Alias: CVE-2013-4509
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-11-07 08:35 UTC by Agostino Sarubbo
Modified: 2015-08-14 01:12 UTC

See Also:
Package list:
Runtime testing required: ---



Description Agostino Sarubbo gentoo-dev 2013-11-07 08:35:50 UTC
It was reported [1] that IBUS 1.5.4 (and possibly 1.5.2) does not properly obscure password entry if a special "intent" is not provided.

A fix in ibus-anthy [2] illustrates what is necessary to provide the input purpose for the gnome-shell password dialog.  A similar patch exists for ibus-mozc [3].

The SUSE bug report notes the following engines are affected:

* ibus-mozc
* ibus-anthy (upstream 1.5.4 is fixed; in current Fedora)
* ibus-pinyin
* ibus-chewing

The vulnerability is in these engines due to the changes in IBUS, so it only affects these engines when IBUS >= 1.5.4 (or 1.5.2; it hasn't been determined precisely from what I can see) and GNOME 3.6+ are used together.

[1] https://bugzilla.novell.com/show_bug.cgi?id=847718
[2] https://github.com/ibus/ibus-anthy/commit/6aae0a9f145f536515e268dd6b25aa740a5edfe7
[3] https://code.google.com/p/mozc/issues/attachmentText?id=199&aid=1990002000&name=ibus-mozc_support_ibus-1.5.4_rev2.diff&token=P62umpXGXx68XJT6zyvBA727wqE%3A1383693105690
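The failure mode described above, as an added example that is not code from IBus, ibus-anthy or any other engine: a plain-Python model of an input engine that composes typed keys into a visible preedit string, first ignoring the input purpose (so a lock-screen password field shows the keystrokes in the preedit), then honouring it by passing keys straight through to the masked entry when the purpose is PASSWORD or PIN. The method names set_content_type(purpose, hints) and process_key_event(keyval, keycode, state) follow the IBus 1.5.4 engine API as I understand it, and the InputPurpose numbering mirrors GTK's GtkInputPurpose; both are assumptions, and the Client class and type_password helper are constructed stand-ins for the application side.

```python
"""Model of the input-purpose check that CVE-2013-4509 is about.

Constructed stand-in, not ibus-anthy's or IBus's code.  An engine that
composes keystrokes into a preedit string (as a Japanese or Chinese engine
does) must stop composing when the client says the field is a password,
otherwise the preedit shows the password in clear on the lock screen.
"""
from enum import IntEnum


class InputPurpose(IntEnum):
    # Assumption: same numbering as IBusInputPurpose / GtkInputPurpose.
    FREE_FORM = 0
    ALPHA = 1
    DIGITS = 2
    NUMBER = 3
    PHONE = 4
    URL = 5
    EMAIL = 6
    NAME = 7
    PASSWORD = 8
    PIN = 9


class Client:
    """Stand-in for the application side: what is visible on screen."""

    def __init__(self):
        self.preedit = ""    # composition text, drawn unmasked by the engine
        self.committed = ""  # text delivered into the (masked) entry widget


class BaseEngine:
    def __init__(self, client):
        self.client = client
        self.buffer = ""

    def set_content_type(self, purpose, hints):
        """Assumed IBus 1.5.4 vfunc; older IBus never calls it."""

    def process_key_event(self, keyval, keycode, state):
        """Return True if the engine consumed the key (IBus semantics)."""
        raise NotImplementedError

    def _compose(self, ch):
        self.buffer += ch
        self.client.preedit = self.buffer  # readable by anyone near the screen
        return True


class VulnerableEngine(BaseEngine):
    """Pre-fix behaviour: every key goes into the visible preedit."""

    def process_key_event(self, keyval, keycode, state):
        return self._compose(chr(keyval))


class FixedEngine(BaseEngine):
    """Post-fix behaviour: remember the purpose, never compose passwords."""

    def __init__(self, client):
        super().__init__(client)
        self.purpose = InputPurpose.FREE_FORM

    def set_content_type(self, purpose, hints):
        self.purpose = InputPurpose(purpose)

    def process_key_event(self, keyval, keycode, state):
        if self.purpose in (InputPurpose.PASSWORD, InputPurpose.PIN):
            # Not consumed: the toolkit inserts the key into its own masked entry.
            return False
        return self._compose(chr(keyval))


def type_password(engine_cls, text, purpose=InputPurpose.PASSWORD):
    """Drive an engine with `text` and return (visible preedit, masked echo)."""
    client = Client()
    engine = engine_cls(client)
    engine.set_content_type(int(purpose), 0)
    for ch in text:
        consumed = engine.process_key_event(ord(ch), 0, 0)  # keyval == ASCII for letters/digits
        if not consumed:
            client.committed += "*"  # the masked entry renders its own echo
    return client.preedit, client.committed


if __name__ == "__main__":
    print("vulnerable:", type_password(VulnerableEngine, "hunter2"))
    print("fixed:     ", type_password(FixedEngine, "hunter2"))
```

With the vulnerable engine the preedit ends up holding the whole password in clear; with the fixed engine the preedit stays empty and only the entry's own mask is visible. The same check also has to cover the candidate window and any lookup table the engine shows, since those leak the composition just as the preedit does.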
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-12-09 06:18:47 UTC
CVE-2013-4509 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4509):
  The default configuration of IBUS 1.5.4, and possibly 1.5.2 and earlier,
  when IBus.InputPurpose.PASSWORD is not set and used with GNOME 3, does not
  obscure the entered password characters, which allows physically proximate
  attackers to obtain a user password by reading the lockscreen.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2013-12-15 22:17:26 UTC
Patch available:
https://bugzilla.redhat.com/show_bug.cgi?id=1027028
Comment 3 Naohiro Aota gentoo-dev 2013-12-25 03:46:36 UTC
* ibus-anthy: bumped to 1.5.4
* ibus-mozc: applied a patch
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2013-12-26 14:31:34 UTC
Fixed Versions List so we can keep track easily:

* ibus-mozc - Fixed in mozc-1.10.1390.102-r1 (No stable versions / no need to stable)

* ibus-anthy - Fixed in ibus-anthy-1.5.4 (No stable versions for 1.5 tree / no need to stable)

* ibus-pinyin - Pending

* ibus-chewing - Pending
Comment 5 Naohiro Aota gentoo-dev 2013-12-30 08:21:07 UTC
(In reply to Yury German from comment #4)
> * ibus-pinyin - Pending
> 
> * ibus-chewing - Pending

Upstream patch applied for these: ibus-pinyin-1.4.0 and ibus-chewing-1.4.3-r1.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-01-04 07:02:13 UTC
Thank you for the update.

Maintainer(s), please drop the vulnerable version(s) of all 4 packages listed.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-01-04 07:03:39 UTC
No stable versions for the trees specified, noglsa needed.
Comment 8 Chris Reffett (RETIRED) gentoo-dev Security 2014-06-19 12:34:03 UTC
@maintainers: ping, cleanup please.
Comment 9 Naohiro Aota gentoo-dev 2014-06-23 03:35:06 UTC
ibus-1.5.{2,3,4-r1} and all old engines are dropped.