Red Hat Bugzilla – Bug 1027028
CVE-2013-4509 ibus: visible password entry flaw
Last modified: 2015-10-15 14:04:26 EDT
It was reported that IBUS 1.5.4 (and possibly 1.5.2) do not properly obscure password entry if a special "intent" is not provided.
A fix in ibus-anthy illustrates what is necessary to provide the input purpose for the gnome-shell password dialog. A similar patch exists for ibus-mozc.
The SUSE bug report notes the following engines are affected:
* ibus-anthy (upstream 1.5.4 is fixed; in current Fedora)
The vulnerability is in these engines due to the changes in IBUS, so it only affects these engines when IBUS >= 1.5.4 (or 1.5.2, it hasn't been determined precisely from what I can see) and GNOME 3.6+ are used together.
Created ibus-chewing tracking bugs for this issue:
Affects: fedora-all [bug 1027030]
Created ibus-pinyin tracking bugs for this issue:
Affects: fedora-all [bug 1027029]
[bug 1013398] is for ibus-kkc that I reported 1 month ago.
FYI, in [bug 1013299], I discussed the further privacy impact of this issue when an arbitrary person can use an IME that is running under a certain user's profile.
[bug 1013789] is for ibus-mozc, which has already been fixed.
ibus-pinyin-1.5.0-5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
ibus-pinyin-1.5.0-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.