ibus uses a GDBusServer with G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS, and doesn't set a GDBusAuthObserver, which allows anyone who can connect to its AF_UNIX socket to authenticate and be authorized to send method calls. It also seems to use an abstract AF_UNIX socket, which does not have filesystem permissions, so the practical effect might be that a local attacker can connect to another user's ibus service and make arbitrary method calls.
An attacker who can access the AF_UNIX socket of another user could use it to monitor all the D-Bus methods called on the bus, or call most available methods without any authorization check. This flaw could be used to intercept all the keystrokes of a user logged in to the graphical interface (e.g. GNOME), change the input context, and perform other operations regularly done by the ibus command.
Acknowledgments: Simon McVittie (Collabora Ltd.)
ibus receives the pressed key events only if an ibus Input Method (IM) framework is in use (e.g. Korean from the ibus-hangul package, Chinese input methods from ibus-libpinyin, etc.); otherwise GNOME uses other input frameworks (e.g. gtk-im-context-simple). Thus, the ability of an attacker to intercept the pressed keys depends on the Input Method configuration in use by the victim user.
Statement: GNOME uses the ibus input framework only when the user explicitly configures it or when certain input method sources are in use, such as Korean from the ibus-hangul package or Chinese input methods from ibus-libpinyin. Input methods like en-US are not handled by ibus, so if the victim user uses only those, the attacker will not be able to intercept that user's keystrokes.
Upstream patch: https://github.com/ibus/ibus/commit/3d442dbf936d197aa11ca0a71663c2bc61696151
Created ibus tracking bugs for this issue: Affects: fedora-all [bug 1751940]
oss-security email: https://www.openwall.com/lists/oss-security/2019/09/13/1
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1880 https://access.redhat.com/errata/RHSA-2020:1880
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14822
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:3978 https://access.redhat.com/errata/RHSA-2020:3978