Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 695702 - app-i18n/librime writes sensitive information to world readable /tmp/${application_name}.INFO (e.g. /tmp/rime.fcitx-rime.INFO or /tmp/ibus.INFO)
Summary: app-i18n/librime writes sensitive information to world readable /tmp/${applic...
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: [glsa?]
Keywords:
Depends on: 704258
Blocks:
  Show dependency tree
 
Reported: 2019-09-27 02:28 UTC by OwenJia
Modified: 2020-01-19 03:38 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description OwenJia 2019-09-27 02:28:13 UTC
every time when I typing some word, its generate log(/tmp/rime.fcitx-rime.INFO) like this:

I0224 01:08:53.890812  8381 user_dictionary.cc:219] forward scanning for 'cun en '.
I0224 01:08:53.890826  8381 user_dictionary.cc:196] prefix: 'cun ', syll_id: 85, num_spellings: 1
I0224 01:08:53.890836  8381 user_dictionary.cc:217] edge: [1, 2)
I0224 01:08:53.890843  8381 user_dictionary.cc:219] forward scanning for 'cun eng '.
I0224 01:08:53.890857  8381 user_dictionary.cc:196] prefix: 'cun ', syll_id: 86, num_spellings: 1
I0224 01:08:53.890867  8381 user_dictionary.cc:217] edge: [1, 2)
I0224 01:08:53.890875  8381 user_dictionary.cc:219] forward scanning for 'cun er '.
I0224 01:08:53.890889  8381 user_dictionary.cc:196] prefix: '', syll_id: 56, num_spellings: 1
I0224 01:08:53.890898  8381 user_dictionary.cc:217] edge: [0, 1)
I0224 01:08:53.890906  8381 user_dictionary.cc:219] forward scanning for 'cuo '.
I0224 01:08:53.890938  8381 menu.cc:22] 1 translations added.
I0224 01:08:53.890954  8381 dictionary.cc:95] creating temporary dict entry '測試'.
I0224 01:08:53.890969  8381 script_translator.cc:483] phrase '測試', code length: 1
I0224 01:08:53.890998  8381 dictionary.cc:95] creating temporary dict entry '廁所'.
I0224 01:08:53.891011  8381 script_translator.cc:483] phrase '廁所', code length: 1
I0224 01:08:53.891062  8381 menu.cc:30] preparing 1 candidates.
I0224 01:08:53.891074  8381 dictionary.cc:95] creating temporary dict entry '測算'.
I0224 01:08:53.891096  8381 script_translator.cc:483] phrase '測算', code length: 1
I0224 01:08:53.891052  8381 engine.cc:159] composition: {abc}ces=>测试
I0224 01:08:53.891111  8381 key_binding_processor_impl.h:49] action key accepted: BackSpace
I0224 01:08:53.891134  8381 menu.cc:30] preparing 5 candidates.
I0224 01:08:53.891140  8381 dictionary.cc:95] creating temporary dict entry '測速'.
I0224 01:08:53.891152  8381 script_translator.cc:483] phrase '測速', code length: 1
I0224 01:08:53.891166  8381 dictionary.cc:95] creating temporary dict entry '側身'.


that actually what I am typing, and every user on the machine can read it, its not just a bug, it a security hole.


Workaround:
add -DENABLE_LOGGING=OFF to mycmakeargs, then rebuild it.

Reproducible: Always

Steps to Reproduce:
1.just install ime which using librime and typing (eg. fcitx-rime, fcitx5-rime)

Actual Results:  
generated log with personal sensitive information

Expected Results:  
no log or not include sensitive information
Comment 1 OwenJia 2019-09-27 02:59:50 UTC
the workaround only test on librime-1.4.0, cause 1.5.3 can not work, it's just crash.
Comment 2 Arfrever Frehtes Taifersar Arahesis 2019-09-29 02:43:49 UTC
Problem is for upstream to solve.

ENABLE_LOGGING=ON is default.
ENABLE_LOGGING=ON enables dependency on Glog.

Other distributions have LibRIME with dependency on Glog and no -DENABLE_LOGGING=OFF passed to cmake:
Arch Linux:
  https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/librime
Debian:
  https://salsa.debian.org/input-method-team/librime/blob/master/debian/control
  https://salsa.debian.org/input-method-team/librime/blob/master/debian/rules
Fedora:
  https://apps.fedoraproject.org/packages/librime/sources/spec

Glog provides possibility to configure various things, including log level, log directory and log file mode bits:
https://github.com/google/glog/blob/master/doc/glog.html
https://github.com/google/glog/blob/master/src/glog/logging.h.in
https://github.com/google/glog/blob/4db06313464dadb5c5ca2619f3a461f0b61a07dc/src/glog/logging.h.in#L356-L365
https://github.com/google/glog/blob/master/src/logging.cc
https://github.com/google/glog/blob/e5588de96d5305d5da00ad32bc31fda0864f3bfc/src/logging.cc#L134-L135
https://github.com/google/glog/blob/e5588de96d5305d5da00ad32bc31fda0864f3bfc/src/logging.cc#L149-L167

So LibRIME source code should set appropriate variable (at least FLAGS_logfile_mode=0600 to avoid security problem).

In case of log directory, LibRIME could expose ability for its users (e.g. Fcitx-RIME, IBus-RIME) to set log directory. 
E.g. Fcitx scarcely uses ~/.config/fcitx/log directory, so this location could be set by Fcitx-RIME.

Ideally logging level would be configurable in relevant GUI configuration editors of Fcitx-RIME and IBus-RIME...
Comment 3 Arfrever Frehtes Taifersar Arahesis 2019-09-29 03:08:24 UTC
(In reply to OwenJia from comment #1)
> 1.5.3 can not work, it's just crash.

It was probably bug #692950.
After updating dev-libs/darts and rebuilding app-i18n/librime-1.5.3, app-i18n/librime-1.5.3 is likely to work.
Comment 4 Arfrever Frehtes Taifersar Arahesis 2019-09-29 07:22:31 UTC
https://github.com/rime/librime/issues/316

(Please test if my patch from this upstream bug works for you.)
Comment 5 Larry the Git Cow gentoo-dev 2019-12-29 19:33:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d149e41c89b85dff47bd5cdc332e6c0817acdd72

commit d149e41c89b85dff47bd5cdc332e6c0817acdd72
Author:     Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
AuthorDate: 2019-12-23 21:18:36 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2019-12-29 19:31:34 +0000

    app-i18n/librime: Set secure mode of log files.
    
    Bug: https://bugs.gentoo.org/695702
    Signed-off-by: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 app-i18n/librime/files/librime-1.5.3-log_files_mode.patch  | 14 ++++++++++++++
 .../{librime-1.5.3.ebuild => librime-1.5.3-r1.ebuild}      |  6 +++++-
 2 files changed, 19 insertions(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=313353afecffe37667c99824285f012d0b342676

commit 313353afecffe37667c99824285f012d0b342676
Author:     Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
AuthorDate: 2019-12-23 21:16:10 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2019-12-29 19:31:34 +0000

    app-i18n/librime: Add "debug" USE flag.
    
    Bug: https://bugs.gentoo.org/695702
    Signed-off-by: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 app-i18n/librime/librime-1.5.3.ebuild | 8 +++++++-
 app-i18n/librime/metadata.xml         | 3 +++
 2 files changed, 10 insertions(+), 1 deletion(-)
Comment 6 Arfrever Frehtes Taifersar Arahesis 2019-12-30 10:39:47 UTC
Upstream recomments to have logging enabled (ENABLE_LOGGING=ON), but to disable debugging-level logging.
Debugging-level logging is now controlled by "debug" USE flag, which is disabled by default.
All logs are now created with 0600 mode for increased security.