Bug 1150011 – VUL-0: CVE-2019-14822: ibus: misconfiguration of the DBus server allows to unprivileged user could monitor and send method calls to the ibus bus of another user

Bug 1150011 - (CVE-2019-14822) VUL-0: CVE-2019-14822: ibus: misconfiguration of the DBus server allows to unprivileged user could monitor and send method calls to the ibus bus of another user

(CVE-2019-14822)
Summary:	VUL-0: CVE-2019-14822: ibus: misconfiguration of the DBus server allows to u...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/242002/
Whiteboard:	CVSSv3:SUSE:CVE-2019-14822:8.0:(AV:L/...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-09-09 12:35 UTC by Alexandros Toptsoglou
Modified:	2020-04-24 15:57 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 11 Marcus Meissner 2019-09-13 08:31:48 UTC

is public

From: Riccardo Schirone <rschiron@redhat.com>
Subject: [oss-security] CVE-2019-14822 ibus: missing authorization flaw
Date: Fri, 13 Sep 2019 09:18:08 +0200

A security flaw in ibus was reported by Simon McVittie (Collabora Ltd.). It was
discovered that any unprivileged user could monitor and send method calls to the
ibus bus of another user, due to a misconfiguration during the setup of the DBus
server. CVE-2019-14822 has been assigned to this flaw.

When ibus is in use, a local attacker, who discovers the UNIX socket used by
another user connected on a graphical environment, could use this flaw to
intercept all keystrokes of the victim user or modify input related
configurations through DBus method calls.

ibus uses a GDBusServer with G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS,
and doesn't set a GDBusAuthObserver, which allows anyone who can connect to its
AF_UNIX socket to authenticate and be authorized to send method calls.

ibus can be manually selected by setting GTK_IM_MODLUE=ibus or it could be
automatically selected by graphical environments like Gnome, when input method
sources (e.g. Korean, Chinese input method sources) are in use. In these
cases, all the key strokes of the victim user are sent to the ibus interface
and they could be intercepted by an attacker.

Upstream fix:
https://github.com/ibus/ibus/commit/3d442dbf936d197aa11ca0a71663c2bc61696151

Thanks,
-- 
Riccardo Schirone
Red Hat -- Product Security
Email: rschiron@redhat.com
PGP-Key ID: CF96E110

Comment 12 Swamp Workflow Management 2019-09-17 19:11:40 UTC

SUSE-SU-2019:2387-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1150011
CVE References: CVE-2019-14822
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    python3-ibus-1.5.17-5.3.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python3-ibus-1.5.17-5.3.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ibus-1.5.17-5.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 13 Swamp Workflow Management 2019-09-17 19:14:15 UTC

SUSE-SU-2019:2388-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1150011
CVE References: CVE-2019-14822
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    ibus-1.5.8-10.4.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ibus-1.5.8-10.4.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 14 Swamp Workflow Management 2019-09-17 19:15:55 UTC

SUSE-SU-2019:2389-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1150011
CVE References: CVE-2019-14822
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ibus-1.5.13-15.11.2
SUSE OpenStack Cloud 8 (src):    ibus-1.5.13-15.11.2
SUSE OpenStack Cloud 7 (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Server 12-SP5 (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Server 12-SP4 (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Desktop 12-SP5 (src):    ibus-1.5.13-15.11.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    ibus-1.5.13-15.11.2
SUSE Enterprise Storage 5 (src):    ibus-1.5.13-15.11.2
SUSE Enterprise Storage 4 (src):    ibus-1.5.13-15.11.2
HPE Helion Openstack 8 (src):    ibus-1.5.13-15.11.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 15 Swamp Workflow Management 2019-09-20 22:11:50 UTC

SUSE-SU-2019:2427-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1150011
CVE References: CVE-2019-14822
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ibus-1.5.19-8.3.1, python-ibus-1.5.19-8.3.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    ibus-1.5.19-8.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Swamp Workflow Management 2019-09-24 13:12:08 UTC

openSUSE-SU-2019:2174-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1150011
CVE References: CVE-2019-14822
Sources used:
openSUSE Leap 15.0 (src):    ibus-1.5.17-lp150.4.3.1, python3-ibus-1.5.17-lp150.4.3.1

Comment 17 Swamp Workflow Management 2019-09-26 10:12:02 UTC

openSUSE-SU-2019:2199-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1150011
CVE References: CVE-2019-14822
Sources used:
openSUSE Leap 15.1 (src):    ibus-1.5.19-lp151.2.3.1, python-ibus-1.5.19-lp151.2.3.1

Comment 18 Fuminobu Takeyama 2019-10-22 10:58:29 UTC

The current fix released causes regression. See: https://bugzilla.opensuse.org/show_bug.cgi?id=1154725

Comment 20 Cliff Zhao 2019-12-05 03:05:29 UTC

(In reply to Fuminobu Takeyama from comment #18)
> The current fix released causes regression. See:
> https://bugzilla.opensuse.org/show_bug.cgi?id=1154725

Does the latest tumbleweed have this problem?

Comment 21 Fuminobu Takeyama 2019-12-08 07:15:11 UTC

(In reply to Cliff Zhao from comment #20)
> (In reply to Fuminobu Takeyama from comment #18)
> > The current fix released causes regression. See:
> > https://bugzilla.opensuse.org/show_bug.cgi?id=1154725
> 
> Does the latest tumbleweed have this problem?

Tumbleweed now does not have libglib 2.62.3. So the regression should not happens. (although this CVE bug have not been resolved yet)

Comment 22 Cliff Zhao 2019-12-09 02:45:47 UTC

(In reply to Fuminobu Takeyama from comment #21)
> (In reply to Cliff Zhao from comment #20)
> > (In reply to Fuminobu Takeyama from comment #18)
> > > The current fix released causes regression. See:
> > > https://bugzilla.opensuse.org/show_bug.cgi?id=1154725
> > 
> > Does the latest tumbleweed have this problem?
> 
> Tumbleweed now does not have libglib 2.62.3. So the regression should not
> happens. (although this CVE bug have not been resolved yet)

Thanks for the reply. could you show me reproduce steps? Thanks!

Comment 23 Fuminobu Takeyama 2019-12-09 13:15:56 UTC

(In reply to Cliff Zhao from comment #22)
> (In reply to Fuminobu Takeyama from comment #21)
> > (In reply to Cliff Zhao from comment #20)
> > > (In reply to Fuminobu Takeyama from comment #18)
> > > > The current fix released causes regression. See:
> > > > https://bugzilla.opensuse.org/show_bug.cgi?id=1154725
> > > 
> > > Does the latest tumbleweed have this problem?
> > 
> > Tumbleweed now does not have libglib 2.62.3. So the regression should not
> > happens. (although this CVE bug have not been resolved yet)
> 
> Thanks for the reply. could you show me reproduce steps? Thanks!

Just running Qt application (e.g. kate) under environment ibus is running.

Comment 24 Fuminobu Takeyama 2020-02-02 07:35:21 UTC

The regression have been fixed for Leap 15.1.

Comment 25 Alexandros Toptsoglou 2020-04-24 15:57:27 UTC

Done