Bug 1027028 (CVE-2013-4509)

Summary: CVE-2013-4509 ibus: visible password entry flaw
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Version: unspecified
CC: dchen, eng-i18n-bugs, i18n-bugs, jkurik, jrusnack, pfrields, pwu, shawn.p.huang, tagoh, tfujiwar, yukawa
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20131025,reported=20131104,source=oss-security,cvss2=1.9/AV:L/AC:M/Au:N/C:P/I:N/A:N,fedora-all/ibus-anthy=notaffected,fedora-all/ibus-pinyin=affected,fedora-all/ibus-chewing=affected,rhel-7/ibus-chewing=notaffected,rhel-6/ibus-anthy=notaffected,rhel-6/ibus-pinyin=notaffected,rhel-6/ibus-chewing=notaffected
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-07-29 09:44:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1027029, 1027030, 1027031

Description Vincent Danen 2013-11-05 18:17:46 EST
It was reported [1] that IBUS 1.5.4 (and possibly 1.5.2) does not properly obscure password entry if a special "intent" is not provided.

A fix in ibus-anthy [2] illustrates what is necessary to provide the input purpose for the gnome-shell password dialog.  A similar patch exists for ibus-mozc [3].

The SUSE bug report notes the following engines are affected:

* ibus-mozc
* ibus-anthy (upstream 1.5.4 is fixed; in current Fedora)
* ibus-pinyin
* ibus-chewing

The vulnerability is in these engines due to the changes in IBUS, so it only affects these engines when IBUS >= 1.5.4 (or 1.5.2; it hasn't been determined precisely from what I can see) and GNOME 3.6+ are used together.

[1] https://bugzilla.novell.com/show_bug.cgi?id=847718
[2] https://github.com/ibus/ibus-anthy/commit/6aae0a9f145f536515e268dd6b25aa740a5edfe7
[3] https://code.google.com/p/mozc/issues/attachmentText?id=199&aid=1990002000&name=ibus-mozc_support_ibus-1.5.4_rev2.diff&token=P62umpXGXx68XJT6zyvBA727wqE%3A1383693105690
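The description above says the engine-side fix consists of honouring the input purpose that GNOME's password dialog now sends through IBus. The following plain-Python model, added here as an illustration and not code from ibus, ibus-anthy or this bug report, shows the decision logic side by side: an engine written against the older API ignores the content type and buffers every keystroke in its visible preedit, while the corrected engine tracks the purpose and passes keys straight through to the application's masked entry when it is PASSWORD. A real engine would subclass IBus.Engine via GObject introspection and implement the same logic in do_set_content_type / do_process_key_event with IBus.InputPurpose.PASSWORD; those binding names are my reading of the IBus 1.5.4 API, and the enum values, class names and the sample password below are constructed for this model.

```python
"""Model of the preedit/password-purpose behaviour behind CVE-2013-4509.

Added illustration, not code from ibus, ibus-anthy or this report.  The real
engine subclasses IBus.Engine (GObject introspection) and overrides
do_set_content_type / do_process_key_event; this file keeps only the decision
logic so it runs without an IBus daemon.
"""
from enum import IntEnum


class InputPurpose(IntEnum):
    """Subset of IBus input purposes.  Numeric values are constructed for this
    model; only the names matter here."""
    FREE_FORM = 0
    PASSWORD = 8


class VulnerableEngine:
    """Engine written against IBus < 1.5.4: it has no notion of content type,
    so every keystroke, password or not, lands in the visible preedit."""

    def __init__(self):
        self.purpose = InputPurpose.FREE_FORM
        self.preedit = ""
        self.shown = []      # strings a preedit/candidate window would display
        self.committed = []  # text handed to the application on commit

    def set_content_type(self, purpose, hints=0):
        # IBus 1.5.4 delivers this for every focused field, but the old
        # engine never reacts to it.
        pass

    def process_key_event(self, ch):
        """Return True when the engine consumed the key, False to let the
        application receive it unchanged."""
        if ch == "\n":                     # Enter commits the buffered text
            self.committed.append(self.preedit)
            self.preedit = ""
            return True
        self.preedit += ch
        self.shown.append(self.preedit)    # visible on screen, even for a password
        return True


class FixedEngine(VulnerableEngine):
    """The same engine after the fix: remember the purpose and, for PASSWORD,
    consume nothing so the toolkit's masked entry handles the keys."""

    def set_content_type(self, purpose, hints=0):
        self.purpose = InputPurpose(purpose)
        if self.purpose == InputPurpose.PASSWORD:
            self.preedit = ""              # drop anything already buffered

    def process_key_event(self, ch):
        if self.purpose == InputPurpose.PASSWORD:
            return False                   # not consumed: raw key goes to the app
        return super().process_key_event(ch)


def type_into_field(engine, purpose, keys):
    """Simulate focusing a field with `purpose` and typing `keys`.

    Returns (strings the engine displayed, keys delivered directly to the app).
    """
    engine.set_content_type(purpose)
    passed_through = []
    for ch in keys:
        if not engine.process_key_event(ch):
            passed_through.append(ch)
    return engine.shown, passed_through


if __name__ == "__main__":
    secret = "hunter2\n"   # constructed sample password
    for cls in (VulnerableEngine, FixedEngine):
        shown, direct = type_into_field(cls(), InputPurpose.PASSWORD, secret)
        print(cls.__name__, "visible:", shown, "direct to app:", repr("".join(direct)))
```

Running the module prints the vulnerable engine echoing every prefix of the password in its preedit, while the fixed engine displays nothing and hands all keys to the application; for a FREE_FORM field both engines behave identically, which is the property a distribution tester would check after applying an engine update such as the ibus-pinyin builds in the comments below.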
Comment 2 Vincent Danen 2013-11-05 18:19:40 EST
Created ibus-chewing tracking bugs for this issue:

Affects: fedora-all [bug 1027030]
Comment 3 Vincent Danen 2013-11-05 18:19:47 EST
Created ibus-pinyin tracking bugs for this issue:

Affects: fedora-all [bug 1027029]
Comment 4 Yohei Yukawa 2013-11-06 06:55:07 EST
[bug 1013398] is for ibus-kkc that I reported 1 month ago.

FYI, in [bug 1013299], I discussed further privacy impact of this issue when an arbitrary person can use an IME that is running under certain user's profile.
Comment 5 Yohei Yukawa 2013-11-06 07:16:12 EST
[bug 1013789] is for ibus-mozc, which has already been fixed.
Comment 6 Fedora Update System 2013-11-13 22:38:35 EST
ibus-pinyin-1.5.0-5.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-11-19 00:26:20 EST
ibus-pinyin-1.5.0-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.