Incoming details.
From $URL:

A security flaw in ibus was reported by Simon McVittie (Collabora Ltd.). It was discovered that any unprivileged user could monitor and send method calls to the ibus bus of another user, due to a misconfiguration during the setup of the DBus server. CVE-2019-14822 has been assigned to this flaw.

When ibus is in use, a local attacker, who discovers the UNIX socket used by another user connected on a graphical environment, could use this flaw to intercept all keystrokes of the victim user or modify input related configurations through DBus method calls.

ibus uses a GDBusServer with G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS, and doesn't set a GDBusAuthObserver, which allows anyone who can connect to its AF_UNIX socket to authenticate and be authorized to send method calls.

ibus can be manually selected by setting GTK_IM_MODULE=ibus or it could be automatically selected by graphical environments like Gnome, when input method sources (e.g. Korean, Chinese input method sources) are in use. In these cases, all the key strokes of the victim user are sent to the ibus interface and they could be intercepted by an attacker.

Upstream fix: https://github.com/ibus/ibus/commit/3d442dbf936d197aa11ca0a71663c2bc61696151

See: https://github.com/ibus/ibus/issues/2137
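The misconfiguration described above, as an added example that is not ibus's or GLib's code: the upstream fix installs a GDBusAuthObserver whose authorize-authenticated-peer handler accepts a peer only when g_credentials_get_unix_user() matches the server's own uid, and this C program makes the same same-user decision on a raw AF_UNIX socket via Linux SO_PEERCRED, failing closed on any error. It assumes Linux; the "other uid" case is constructed by passing a deliberately mismatched uid.

```c
#define _GNU_SOURCE
#include <stdbool.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Mirrors the layout of Linux `struct ucred` (pid, uid, gid) so the example
 * does not depend on feature macros being set before the system headers. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Same-user check: allow the peer on `fd` only if its uid equals expected_uid.
 * Any failure (not a socket, not AF_UNIX, short reply) is treated as deny,
 * which is the behaviour a rejecting GDBusAuthObserver gives. The vulnerable
 * ibus setup skipped this step entirely (ALLOW_ANONYMOUS with no observer),
 * so every local user who could reach the socket was authorized. */
bool authorize_same_user_peer(int fd, uid_t expected_uid)
{
    struct peer_cred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0)
        return false;                 /* fail closed on any error */
    if (len != sizeof cred)
        return false;                 /* unexpected reply size: deny */
    return cred.uid == expected_uid;
}

/* Demo helper: a socketpair's peer is, by construction, this very process,
 * so the decision depends only on the expected_uid passed in. */
bool check_on_socketpair(uid_t expected_uid)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return false;
    bool ok = authorize_same_user_peer(sv[0], expected_uid);
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    uid_t me = getuid();
    /* me + 1 is a constructed mismatch standing in for another local user */
    printf("same-user peer:     %s\n", check_on_socketpair(me) ? "allow" : "deny");
    printf("other-uid peer:     %s\n", check_on_socketpair(me + 1) ? "allow" : "deny");
    printf("invalid descriptor: %s\n", authorize_same_user_peer(-1, me) ? "allow" : "deny");
    return 0;
}
```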
(In reply to Thomas Deutschmann from comment #1)
> See: https://github.com/ibus/ibus/issues/2137

Fixes for dev-libs/glib need to be backported (bug #700538) before fixing app-i18n/ibus.
You have my ACK for stabilizing dev-libs/glib-2.60.7-r1 together with upcoming ibus fixed version. For all arches that have it stable, not just those arches that ibus is stable on. I've added glib to package list with full arches list for you - make sure to CC all those arches please once ibus is ready and also listed with its slightly smaller list of arches in package list.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aad7f73916c6a74d891b5b949138beed3accd9b8

commit aad7f73916c6a74d891b5b949138beed3accd9b8
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-15 20:51:35 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-15 20:51:45 +0000

    app-i18n/ibus: bump to v1.5.22

    Non-maintainer bump. Migrated to EAPI 7.

    Bug: https://bugs.gentoo.org/695526
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-i18n/ibus/Manifest           |   1 +
 app-i18n/ibus/ibus-1.5.22.ebuild | 179 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 180 insertions(+)
Let's wait a few days due to non-maintainer upload.
@whissi thanks for bumping the package! Here is the plan: given that 1.5.22 is a major version bump which brings a lot of commits/changes, let's make a security bump in 1.5.21 and do a fast stabilization, so we can give 1.5.22 more time for testing.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a274fc8a5fd7791e5292e72f48586de6e503ef48

commit a274fc8a5fd7791e5292e72f48586de6e503ef48
Author:     Yixun Lan <dlan@gentoo.org>
AuthorDate: 2019-11-19 06:15:46 +0000
Commit:     Yixun Lan <dlan@gentoo.org>
CommitDate: 2020-03-16 15:14:13 +0000

    app-i18n/ibus: fix missing authorization error

    Bug: https://bugs.gentoo.org/695526
    Package-Manager: Portage-2.3.79, Repoman-2.3.18
    Signed-off-by: Yixun Lan <dlan@gentoo.org>

 .../ibus/files/ibus-1.5.21-fix-authorization.patch | 175 +++++++++++++++++++++
 .../{ibus-1.5.21.ebuild => ibus-1.5.21-r1.ebuild}  |   1 +
 2 files changed, 176 insertions(+)
Needed glib is long stable through other bugs by now (just not hppa, but not needed for ibus and they are slacking on some non-security bug for that).
This bug is blocking a stabilization bug of old (technically correct - that bug was requesting a still security vulnerable newer version to go stable), and there's no stabilization ongoing at all still. Please fix the package list to list the desired revision instead and actually CC necessary arches if this is good to go now with the more conservative approach.
amd64 stable
x86 stable
sparc stable
ia64 stable
ppc64 stable
arm64 stable
ppc stable
arm stable. Maintainer(s), please cleanup. Security, please vote.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ee2d0246aa5a6adb8a8c954fd38209e28a01008

commit 6ee2d0246aa5a6adb8a8c954fd38209e28a01008
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-25 19:10:45 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-25 19:10:45 +0000

    app-i18n/ibus: security cleanup (bug #695526)

    Bug: https://bugs.gentoo.org/695526
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-i18n/ibus/Manifest                             |   3 -
 .../ibus-1.5.18-enable-gsettings-in-runtest.patch  |  62 -------
 app-i18n/ibus/files/ibus-1.5.19-gdk-wayland.patch  |  88 ----------
 app-i18n/ibus/files/ibus-1.5.19-vala-0.43.4.patch  | 191 --------------------
 app-i18n/ibus/ibus-1.5.18.ebuild                   | 189 --------------------
 app-i18n/ibus/ibus-1.5.19.ebuild                   | 193 ---------------------
 app-i18n/ibus/ibus-1.5.20.ebuild                   | 181 -------------------
 7 files changed, 907 deletions(-)
GLSA Vote: No

Repository is clean, all done!