It was reported [1] that IBUS 1.5.4 (and possibly 1.5.2) do not properly obscure password entry if a special "intent" is not provided. A fix in ibus-anthy [2] illustrates what is necessary to provide the input purpose for the gnome-shell password dialog. A similar patch exists for ibus-mozc [3]. The SUSE bug report notes the following engines are affected: * ibus-mozc * ibus-anthy (upstream 1.5.4 is fixed; in current Fedora) * ibus-pinyin * ibus-chewing The vulnerability is in these engines due to the changes in IBUS, so it only affects these engines when IBUS >= 1.5.4 (or 1.5.2, it hasn't been determine precisely from what I can see) and GNOME 3.6+ are used together. [1] https://bugzilla.novell.com/show_bug.cgi?id=847718 [2] https://github.com/ibus/ibus-anthy/commit/6aae0a9f145f536515e268dd6b25aa740a5edfe7 [3] https://code.google.com/p/mozc/issues/attachmentText?id=199&aid=1990002000&name=ibus-mozc_support_ibus-1.5.4_rev2.diff&token=P62umpXGXx68XJT6zyvBA727wqE%3A1383693105690
Created ibus-chewing tracking bugs for this issue: Affects: fedora-all [bug 1027030]
Created ibus-pinyin tracking bugs for this issue: Affects: fedora-all [bug 1027029]
[bug 1013398] is for ibus-kkc that I reported 1 month ago. FYI, in [bug 1013299], I discussed further privacy impact of this issue when an arbitrary person can use an IME that is running under certain user's profile.
[bug 1013789] is for ibus-mozc, which has already been fixed.
ibus-pinyin-1.5.0-5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
ibus-pinyin-1.5.0-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.