Bug 1150011 (CVE-2019-14822)

Summary: VUL-0: CVE-2019-14822: ibus: misconfiguration of the DBus server allows an unprivileged user to monitor and send method calls to the ibus bus of another user
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: abergmann, ftake, meissner, qzhao
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/242002/
Whiteboard: CVSSv3:SUSE:CVE-2019-14822:8.0:(AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H) CVSSv3:RedHat:CVE-2019-14822:5.3:(AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 11 Marcus Meissner 2019-09-13 08:31:48 UTC
is public

From: Riccardo Schirone <rschiron@redhat.com>
Subject: [oss-security] CVE-2019-14822 ibus: missing authorization flaw
Date: Fri, 13 Sep 2019 09:18:08 +0200

A security flaw in ibus was reported by Simon McVittie (Collabora Ltd.). It was
discovered that any unprivileged user could monitor and send method calls to the
ibus bus of another user, due to a misconfiguration during the setup of the DBus
server. CVE-2019-14822 has been assigned to this flaw.

When ibus is in use, a local attacker, who discovers the UNIX socket used by
another user connected on a graphical environment, could use this flaw to
intercept all keystrokes of the victim user or modify input related
configurations through DBus method calls.

ibus uses a GDBusServer with G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS,
and doesn't set a GDBusAuthObserver, which allows anyone who can connect to its
AF_UNIX socket to authenticate and be authorized to send method calls.

ibus can be manually selected by setting GTK_IM_MODULE=ibus or it could be
automatically selected by graphical environments like Gnome, when input method
sources (e.g. Korean, Chinese input method sources) are in use. In these
cases, all the keystrokes of the victim user are sent to the ibus interface
and they could be intercepted by an attacker.

Upstream fix:
https://github.com/ibus/ibus/commit/3d442dbf936d197aa11ca0a71663c2bc61696151

Thanks,
-- 
Riccardo Schirone
Red Hat -- Product Security
Email: rschiron@redhat.com
PGP-Key ID: CF96E110
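
The authorization gap described in the mail above, as an added example that is not ibus's or GLib's own code: GLib's remedy for an ALLOW_ANONYMOUS server is a GDBusAuthObserver whose authorize-authenticated-peer handler compares the peer's uid (from GCredentials, which on Linux is read from SO_PEERCRED) with the uid that owns the bus. This Python snippet makes the same decision over a raw AF_UNIX socket using only the standard library, with the anonymous policy beside the uid check; the function names and the in-process socket pair are constructed for the example.

```python
import os
import socket
import struct

# Linux `struct ucred` as returned by SO_PEERCRED: pid_t, uid_t, gid_t (three 32-bit ints).
_UCRED = struct.Struct("3i")


def peer_credentials(conn: socket.socket) -> tuple[int, int, int]:
    """(pid, uid, gid) of the process at the other end of an AF_UNIX socket.
    GLib wraps this same kernel-supplied data in the GCredentials object handed to a
    GDBusAuthObserver's authorize-authenticated-peer handler."""
    return _UCRED.unpack(conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size))


def authorize_peer(conn: socket.socket, owner_uid: int, allow_anonymous: bool) -> bool:
    """Decide whether a freshly connected peer may talk to the bus.
    allow_anonymous=True reproduces the pre-fix ibus policy (ALLOW_ANONYMOUS, no
    observer): any local process that can reach the socket is accepted.
    allow_anonymous=False is the corrected policy: only a peer running as the bus
    owner's uid is authorized, and the decision is made before any method call."""
    if allow_anonymous:
        return True
    try:
        _pid, uid, _gid = peer_credentials(conn)
    except OSError:
        return False  # credentials unavailable: fail closed
    return uid == owner_uid


def demo() -> dict[str, bool]:
    """Run both policies over an in-process AF_UNIX socket pair (constructed input).
    Both ends belong to this process, so the peer uid is os.getuid(); an owner uid
    that differs from it stands in for a bus socket owned by another user's session."""
    server_side, client_side = socket.socketpair(socket.AF_UNIX)
    me = os.getuid()
    other_user = me + 1  # constructed: any uid that is not ours
    try:
        return {
            "anonymous_policy_accepts_other_user": authorize_peer(server_side, other_user, True),
            "uid_check_accepts_owner": authorize_peer(server_side, me, False),
            "uid_check_rejects_other_user": authorize_peer(server_side, other_user, False),
        }
    finally:
        server_side.close()
        client_side.close()
```

The check relies on SO_PEERCRED and so runs on Linux only; the same decision in GLib is made by returning FALSE from the observer's handler when the uids differ.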
Comment 12 Swamp Workflow Management 2019-09-17 19:11:40 UTC
SUSE-SU-2019:2387-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1150011
CVE References: CVE-2019-14822
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    python3-ibus-1.5.17-5.3.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python3-ibus-1.5.17-5.3.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ibus-1.5.17-5.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2019-09-17 19:14:15 UTC
SUSE-SU-2019:2388-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1150011
CVE References: CVE-2019-14822
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    ibus-1.5.8-10.4.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ibus-1.5.8-10.4.1
Comment 14 Swamp Workflow Management 2019-09-17 19:15:55 UTC
SUSE-SU-2019:2389-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1150011
CVE References: CVE-2019-14822
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ibus-1.5.13-15.11.2
SUSE OpenStack Cloud 8 (src):    ibus-1.5.13-15.11.2
SUSE OpenStack Cloud 7 (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Server 12-SP5 (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Server 12-SP4 (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Desktop 12-SP5 (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    ibus-1.5.13-15.11.2
SUSE Enterprise Storage 5 (src):    ibus-1.5.13-15.11.2
SUSE Enterprise Storage 4 (src):    ibus-1.5.13-15.11.2
HPE Helion Openstack 8 (src):    ibus-1.5.13-15.11.2
Comment 15 Swamp Workflow Management 2019-09-20 22:11:50 UTC
SUSE-SU-2019:2427-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1150011
CVE References: CVE-2019-14822
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ibus-1.5.19-8.3.1, python-ibus-1.5.19-8.3.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    ibus-1.5.19-8.3.1
Comment 16 Swamp Workflow Management 2019-09-24 13:12:08 UTC
openSUSE-SU-2019:2174-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1150011
CVE References: CVE-2019-14822
Sources used:
openSUSE Leap 15.0 (src):    ibus-1.5.17-lp150.4.3.1, python3-ibus-1.5.17-lp150.4.3.1
Comment 17 Swamp Workflow Management 2019-09-26 10:12:02 UTC
openSUSE-SU-2019:2199-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1150011
CVE References: CVE-2019-14822
Sources used:
openSUSE Leap 15.1 (src):    ibus-1.5.19-lp151.2.3.1, python-ibus-1.5.19-lp151.2.3.1
Comment 18 Fuminobu Takeyama 2019-10-22 10:58:29 UTC
The current fix released causes a regression. See: https://bugzilla.opensuse.org/show_bug.cgi?id=1154725
Comment 20 Cliff Zhao 2019-12-05 03:05:29 UTC
(In reply to Fuminobu Takeyama from comment #18)
> The current fix released causes a regression. See:
> https://bugzilla.opensuse.org/show_bug.cgi?id=1154725

Does the latest tumbleweed have this problem?
Comment 21 Fuminobu Takeyama 2019-12-08 07:15:11 UTC
(In reply to Cliff Zhao from comment #20)
> (In reply to Fuminobu Takeyama from comment #18)
> > The current fix released causes a regression. See:
> > https://bugzilla.opensuse.org/show_bug.cgi?id=1154725
> 
> Does the latest tumbleweed have this problem?

Tumbleweed now does not have libglib 2.62.3. So the regression should not happen. (although this CVE bug has not been resolved yet)
Comment 22 Cliff Zhao 2019-12-09 02:45:47 UTC
(In reply to Fuminobu Takeyama from comment #21)
> (In reply to Cliff Zhao from comment #20)
> > (In reply to Fuminobu Takeyama from comment #18)
> > > The current fix released causes a regression. See:
> > > https://bugzilla.opensuse.org/show_bug.cgi?id=1154725
> > 
> > Does the latest tumbleweed have this problem?
> 
> Tumbleweed now does not have libglib 2.62.3. So the regression should not
> happen. (although this CVE bug has not been resolved yet)

Thanks for the reply. Could you show me the reproduction steps? Thanks!
Comment 23 Fuminobu Takeyama 2019-12-09 13:15:56 UTC
(In reply to Cliff Zhao from comment #22)
> (In reply to Fuminobu Takeyama from comment #21)
> > (In reply to Cliff Zhao from comment #20)
> > > (In reply to Fuminobu Takeyama from comment #18)
> > > > The current fix released causes a regression. See:
> > > > https://bugzilla.opensuse.org/show_bug.cgi?id=1154725
> > > 
> > > Does the latest tumbleweed have this problem?
> > 
> > Tumbleweed now does not have libglib 2.62.3. So the regression should not
> > happen. (although this CVE bug has not been resolved yet)
> 
> Thanks for the reply. Could you show me the reproduction steps? Thanks!

Just run a Qt application (e.g. kate) in an environment where ibus is running.
Comment 24 Fuminobu Takeyama 2020-02-02 07:35:21 UTC
The regression has been fixed for Leap 15.1.
Comment 25 Alexandros Toptsoglou 2020-04-24 15:57:27 UTC
Done