It was reported [1] that IBUS 1.5.4 (and possibly 1.5.2) does not properly obscure password entry if a special "intent" is not provided. A fix in ibus-anthy [2] illustrates what is necessary to provide the input purpose for the gnome-shell password dialog. A similar patch exists for ibus-mozc [3].

The SUSE bug report notes the following engines are affected:
* ibus-mozc
* ibus-anthy (upstream 1.5.4 is fixed; in current Fedora)
* ibus-pinyin
* ibus-chewing

The vulnerability is in these engines due to the changes in IBUS, so it only affects these engines when IBUS >= 1.5.4 (or 1.5.2, it hasn't been determined precisely from what I can see) and GNOME 3.6+ are used together.

[1] https://bugzilla.novell.com/show_bug.cgi?id=847718
[2] https://github.com/ibus/ibus-anthy/commit/6aae0a9f145f536515e268dd6b25aa740a5edfe7
[3] https://code.google.com/p/mozc/issues/attachmentText?id=199&aid=1990002000&name=ibus-mozc_support_ibus-1.5.4_rev2.diff&token=P62umpXGXx68XJT6zyvBA727wqE%3A1383693105690
CVE-2013-4509 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4509): The default configuration of IBUS 1.5.4, and possibly 1.5.2 and earlier, when IBus.InputPurpose.PASSWORD is not set and used with GNOME 3, does not obscure the entered password characters, which allows physically proximate attackers to obtain a user password by reading the lockscreen.
Patch available: https://bugzilla.redhat.com/show_bug.cgi?id=1027028
* ibus-anthy: bumped to 1.5.4
* ibus-mozc: applied a patch
Fixed Versions List so we can keep track easily:
* ibus-mozc - Fixed in mozc-1.10.1390.102-r1 (No stable versions / no need to stable)
* ibus-anthy - Fixed in ibus-anthy-1.5.4 (No stable versions for 1.5 tree / no need to stable)
* ibus-pinyin - Pending
* ibus-chewing - Pending
(In reply to Yury German from comment #4)
> * ibus-pinyin - Pending
>
> * ibus-chewing - Pending

Upstream patch applied for these: ibus-pinyin-1.4.0 and ibus-chewing-1.4.3-r1.
Thank you for the update. Maintainer(s), please drop the vulnerable version(s) of all 4 packages listed.
No stable versions for the trees specified; no GLSA needed.
@maintainers: ping, cleanup please.
ibus-1.5.{2,3,4-r1} and all old engines are dropped.