
Bug 695526 (CVE-2019-14822)

Summary: <app-i18n/ibus-1.5.21-r1: Missing authorization allows local attacker to access the input bus of another user (CVE-2019-14822)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: cjk, leio
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.openwall.com/lists/oss-security/2019/09/13/1
Whiteboard: B4 [noglsa]
Package list:
app-i18n/ibus-1.5.21-r1
Runtime testing required: ---
Bug Depends on: 700538    
Bug Blocks:    
Deadline: 2020-03-19   

Description GLSAMaker/CVETool Bot gentoo-dev 2019-09-24 11:45:46 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-09-24 11:47:35 UTC
From $URL:

A security flaw in ibus was reported by Simon McVittie (Collabora Ltd.). It was
discovered that any unprivileged user could monitor and send method calls to the
ibus bus of another user, due to a misconfiguration during the setup of the DBus
server. CVE-2019-14822 has been assigned to this flaw.

When ibus is in use, a local attacker, who discovers the UNIX socket used by
another user connected on a graphical environment, could use this flaw to
intercept all keystrokes of the victim user or modify input-related
configurations through DBus method calls.

ibus uses a GDBusServer with G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS,
and doesn't set a GDBusAuthObserver, which allows anyone who can connect to its
AF_UNIX socket to authenticate and be authorized to send method calls.

ibus can be manually selected by setting GTK_IM_MODULE=ibus or it could be
automatically selected by graphical environments like Gnome, when input method
sources (e.g. Korean, Chinese input method sources) are in use. In these
cases, all the keystrokes of the victim user are sent to the ibus interface
and they could be intercepted by an attacker.

Upstream fix:
https://github.com/ibus/ibus/commit/3d442dbf936d197aa11ca0a71663c2bc61696151

See: https://github.com/ibus/ibus/issues/2137
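A defender's illustration of the missing check described in the advisory above, added here and not part of the advisory, the bug report or ibus itself: a UNIX-socket service that reads the connecting peer's credentials with SO_PEERCRED (Linux) and authorizes only the owning user, which is the decision the upstream GDBusAuthObserver fix adds. The `allow_anonymous` flag, function names and the socketpair client are this example's own constructions.

```python
"""Added example (not ibus code): peer-credential authorization on an AF_UNIX socket.

CVE-2019-14822: ibus' GDBusServer allowed anonymous authentication and set no
GDBusAuthObserver, so any local user who could reach the socket was authorized.
The upstream fix installs an observer that only authorizes peers whose credentials
match the server's own user; the same decision is made here with SO_PEERCRED.
"""
import os
import socket
import struct

# struct ucred { pid_t pid; uid_t uid; gid_t gid; }: int, unsigned, unsigned on Linux.
_UCRED = struct.Struct("iII")


def peer_credentials(conn: socket.socket) -> tuple:
    """Return (pid, uid, gid) of the process at the other end of a UNIX socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


def authorize_peer(peer_uid: int, server_uid: int, allow_anonymous: bool) -> bool:
    """The policy a GDBusAuthObserver 'authorize-authenticated-peer' handler applies.

    allow_anonymous=True reproduces the vulnerable configuration: every peer is
    authorized. With it off, only the user owning the server may talk to it.
    """
    return True if allow_anonymous else peer_uid == server_uid


def serve_request(server_side: socket.socket, allow_anonymous: bool) -> str:
    """Handle one request on an already-connected UNIX socket; return the verdict."""
    _pid, uid, _gid = peer_credentials(server_side)
    if not authorize_peer(uid, os.getuid(), allow_anonymous):
        server_side.sendall(b"REJECTED\n")   # the observer would close the connection
        return "rejected"
    request = server_side.recv(64)
    server_side.sendall(b"OK " + request)
    return "accepted"


def demo(allow_anonymous: bool) -> tuple:
    """Constructed client/server pair in one process, so the peer uid is our own."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with client, server:
        client.sendall(b"GetEngine")         # stands in for an ibus D-Bus method call
        verdict = serve_request(server, allow_anonymous)
        return verdict, client.recv(64)
```

Because the peer here is the same process, the same-uid policy accepts it; a connection from any other uid would be rejected before its request is read, while the anonymous policy accepts every peer regardless of uid.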
Comment 2 Arfrever Frehtes Taifersar Arahesis 2019-11-19 02:50:54 UTC
(In reply to Thomas Deutschmann from comment #1)

> See: https://github.com/ibus/ibus/issues/2137

Fixes for dev-libs/glib need to be backported (bug #700538) before fixing app-i18n/ibus.
Comment 3 Mart Raudsepp gentoo-dev 2020-01-01 15:44:04 UTC
You have my ACK for stabilizing dev-libs/glib-2.60.7-r1 together with upcoming ibus fixed version. For all arches that have it stable, not just those arches that ibus is stable on. I've added glib to package list with full arches list for you - make sure to CC all those arches please once ibus is ready and also listed with its slightly smaller list of arches in package list.
Comment 4 Larry the Git Cow gentoo-dev 2020-03-15 20:51:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aad7f73916c6a74d891b5b949138beed3accd9b8

commit aad7f73916c6a74d891b5b949138beed3accd9b8
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-15 20:51:35 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-15 20:51:45 +0000

    app-i18n/ibus: bump to v1.5.22
    
    Non-maintainer bump. Migrated to EAPI 7.
    
    Bug: https://bugs.gentoo.org/695526
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-i18n/ibus/Manifest           |   1 +
 app-i18n/ibus/ibus-1.5.22.ebuild | 179 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 180 insertions(+)
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 20:54:47 UTC
Let's wait a few days due to non-maintainer upload.
Comment 6 Yixun Lan archtester gentoo-dev 2020-03-16 15:09:26 UTC
@whissi thanks for bumping the package!

here is the plan:
given 1.5.22 is a major version bump which brings a lot of commits/changes,
let's make a security bump in 1.5.21 and do a fast stabilization,
so we can give 1.5.22 more time for testing
Comment 7 Larry the Git Cow gentoo-dev 2020-03-16 15:14:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a274fc8a5fd7791e5292e72f48586de6e503ef48

commit a274fc8a5fd7791e5292e72f48586de6e503ef48
Author:     Yixun Lan <dlan@gentoo.org>
AuthorDate: 2019-11-19 06:15:46 +0000
Commit:     Yixun Lan <dlan@gentoo.org>
CommitDate: 2020-03-16 15:14:13 +0000

    app-i18n/ibus: fix missing authorization error
    
    Bug: https://bugs.gentoo.org/695526
    Package-Manager: Portage-2.3.79, Repoman-2.3.18
    Signed-off-by: Yixun Lan <dlan@gentoo.org>

 .../ibus/files/ibus-1.5.21-fix-authorization.patch | 175 +++++++++++++++++++++
 .../{ibus-1.5.21.ebuild => ibus-1.5.21-r1.ebuild}  |   1 +
 2 files changed, 176 insertions(+)
Comment 8 Mart Raudsepp gentoo-dev 2020-03-16 22:13:01 UTC
Needed glib is long stable through other bugs by now (just not hppa, but not needed for ibus and they are slacking on some non-security bug for that).
Comment 9 Mart Raudsepp gentoo-dev 2020-03-16 22:16:47 UTC
This bug is blocking a stabilization bug of old (technically correct - that bug was requesting a still security vulnerable newer version to go stable), and there's no stabilization ongoing at all still.
Please fix the package list to list the desired revision instead and actually CC necessary arches if this is good to go now with the more conservative approach.
Comment 10 Agostino Sarubbo gentoo-dev 2020-03-20 08:59:28 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-03-20 09:05:08 UTC
x86 stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-03-20 11:14:50 UTC
sparc stable
Comment 13 Agostino Sarubbo gentoo-dev 2020-03-20 14:15:17 UTC
ia64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2020-03-20 14:15:45 UTC
ppc64 stable
Comment 15 Mart Raudsepp gentoo-dev 2020-03-22 07:47:54 UTC
arm64 stable
Comment 16 Agostino Sarubbo gentoo-dev 2020-03-22 10:33:33 UTC
ppc stable
Comment 17 Agostino Sarubbo gentoo-dev 2020-03-25 08:13:01 UTC
arm stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 18 Larry the Git Cow gentoo-dev 2020-03-25 19:11:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ee2d0246aa5a6adb8a8c954fd38209e28a01008

commit 6ee2d0246aa5a6adb8a8c954fd38209e28a01008
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-25 19:10:45 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-25 19:10:45 +0000

    app-i18n/ibus: security cleanup (bug #695526)
    
    Bug: https://bugs.gentoo.org/695526
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-i18n/ibus/Manifest                             |   3 -
 .../ibus-1.5.18-enable-gsettings-in-runtest.patch  |  62 -------
 app-i18n/ibus/files/ibus-1.5.19-gdk-wayland.patch  |  88 ----------
 app-i18n/ibus/files/ibus-1.5.19-vala-0.43.4.patch  | 191 --------------------
 app-i18n/ibus/ibus-1.5.18.ebuild                   | 189 --------------------
 app-i18n/ibus/ibus-1.5.19.ebuild                   | 193 ---------------------
 app-i18n/ibus/ibus-1.5.20.ebuild                   | 181 -------------------
 7 files changed, 907 deletions(-)
Comment 19 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-25 19:11:41 UTC
GLSA Vote: No

Repository is clean, all done!