Bug 1027028 (CVE-2013-4509)

Summary: CVE-2013-4509 ibus: visible password entry flaw
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Version: unspecified
CC: dchen, eng-i18n-bugs, i18n-bugs, jkurik, jrusnack, pfrields, pwu, shawn.p.huang, tagoh, tfujiwar, yukawa
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-07-29 13:44:15 UTC
Bug Depends On: 1027029, 1027030, 1027031

Description Vincent Danen 2013-11-05 23:17:46 UTC
It was reported [1] that IBUS 1.5.4 (and possibly 1.5.2) does not properly obscure password entry if a special "intent" is not provided.

A fix in ibus-anthy [2] illustrates what is necessary to provide the input purpose for the gnome-shell password dialog.  A similar patch exists for ibus-mozc [3].

The SUSE bug report notes the following engines are affected:

* ibus-mozc
* ibus-anthy (upstream 1.5.4 is fixed; in current Fedora)
* ibus-pinyin
* ibus-chewing

The vulnerability is in these engines due to the changes in IBUS, so it only affects these engines when IBUS >= 1.5.4 (or 1.5.2; it hasn't been determined precisely, from what I can see) and GNOME 3.6+ are used together.

[1] https://bugzilla.novell.com/show_bug.cgi?id=847718
[2] https://github.com/ibus/ibus-anthy/commit/6aae0a9f145f536515e268dd6b25aa740a5edfe7
[3] https://code.google.com/p/mozc/issues/attachmentText?id=199&aid=1990002000&name=ibus-mozc_support_ibus-1.5.4_rev2.diff&token=P62umpXGXx68XJT6zyvBA727wqE%3A1383693105690
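As an added illustration (not code from ibus-anthy, ibus-mozc or IBus itself), this models the contract the fixes above implement: an engine that ignores the set_content_type purpose hint keeps composing password characters in its visible preedit, while one that honours the PASSWORD/PIN purpose passes keys straight through to the application. The enum values and method names are a simplified stand-in for the IBus 1.5.4 API and are assumptions of this example.

```python
# Added model (not ibus-anthy's, ibus-mozc's or IBus's own code) of the
# set_content_type contract introduced in IBus 1.5.4. Purpose values mirror
# GtkInputPurpose, which IBusInputPurpose copies (PASSWORD = 8, PIN = 9);
# the numbers and method names are an assumption of this illustration.
PURPOSE_FREE_FORM = 0
PURPOSE_PASSWORD = 8
PURPOSE_PIN = 9


class Engine:
    """Stand-in for a pre-fix engine: composes every key into a visible preedit."""

    def __init__(self):
        self.preedit = ""  # text shown on screen while composing

    def set_content_type(self, purpose, hints):
        """No-op: the affected engines ignored this hint and kept echoing."""

    def process_key_event(self, ch):
        # True: key consumed and shown in the preedit; False: handed to the
        # application, which masks it itself.
        self.preedit += ch
        return True

    def reset(self):
        self.preedit = ""


class PurposeAwareEngine(Engine):
    """Hardened engine: passes keys straight through on password/PIN fields."""

    def __init__(self):
        super().__init__()
        self.passthrough = False

    def set_content_type(self, purpose, hints):
        self.passthrough = purpose in (PURPOSE_PASSWORD, PURPOSE_PIN)
        if self.passthrough:
            self.reset()  # drop anything composed before the hint arrived

    def process_key_event(self, ch):
        if self.passthrough:
            return False  # no preedit, no candidate list: nothing is echoed
        return super().process_key_event(ch)


def type_into(engine, text, purpose):
    """Focus a field of the given purpose, type text, and return
    (visible preedit, characters delivered directly to the application)."""
    engine.set_content_type(purpose, 0)
    delivered = "".join(ch for ch in text if not engine.process_key_event(ch))
    return engine.preedit, delivered
```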

Comment 2 Vincent Danen 2013-11-05 23:19:40 UTC
Created ibus-chewing tracking bugs for this issue:

Affects: fedora-all [bug 1027030]

Comment 3 Vincent Danen 2013-11-05 23:19:47 UTC
Created ibus-pinyin tracking bugs for this issue:

Affects: fedora-all [bug 1027029]

Comment 4 Yohei Yukawa 2013-11-06 11:55:07 UTC
[bug 1013398] is for ibus-kkc that I reported 1 month ago.

FYI, in [bug 1013299], I discussed further privacy impact of this issue when an arbitrary person can use an IME that is running under a certain user's profile.

Comment 5 Yohei Yukawa 2013-11-06 12:16:12 UTC
[bug 1013789] is for ibus-mozc, which has already been fixed.

Comment 6 Fedora Update System 2013-11-14 03:38:35 UTC
ibus-pinyin-1.5.0-5.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2013-11-19 05:26:20 UTC
ibus-pinyin-1.5.0-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.