PublicDateAtUSN: 2019-09-13 07:00:00 UTC
Candidate: CVE-2019-14822
CRD: 2019-09-13 07:00:00 UTC
PublicDate: 2019-11-25 12:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14822
 https://www.openwall.com/lists/oss-security/2019/09/13/1
 https://ubuntu.com/security/notices/USN-4134-1
 https://ubuntu.com/security/notices/USN-4134-2
 https://ubuntu.com/security/notices/USN-4134-3
Description:
 A flaw was discovered in ibus in versions before 1.5.22 that allows any
 unprivileged user to monitor and send method calls to the ibus bus of
 another user due to a misconfiguration in the DBus server setup. A local
 attacker may use this flaw to intercept all keystrokes of a victim user
 who is using the graphical interface, change the input method engine, or
 modify other input related configurations of the victim user.
Ubuntu-Description:
 Simon McVittie discovered that ibus did not enforce appropriate access
 controls on its private D-Bus socket. A local unprivileged user who
 discovers the ibus socket address of another user could exploit this to
 capture the key strokes of the other user.
Notes:
 amurray> The ibus D-Bus socket address contains a long random guid making
  discovery of this address by another user unlikely.
 mdeslaur> this was reverted in 4134-2 because of a regression, see LP bug
Mitigation:
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/ibus/+bug/1844853 (regression)
Priority: medium
Discovered-by: Simon McVittie
Assigned-to: amurray
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N [7.1 HIGH]

Patches_ibus:
 upstream: https://github.com/ibus/ibus/commit/3d442dbf936d197aa11ca0a71663c2bc61696151
upstream_ibus: needs-triage
precise/esm_ibus: DNE
trusty_ibus: ignored (out of standard support)
trusty/esm_ibus: DNE
xenial_ibus: released (1.5.11-1ubuntu2.4)
esm-infra/xenial_ibus: released (1.5.11-1ubuntu2.4)
bionic_ibus: released (1.5.17-3ubuntu5.3)
disco_ibus: ignored (reached end-of-life)
eoan_ibus: released (1.5.21-1~exp2ubuntu2.1)
devel_ibus: not-affected (1.5.22-1~exp1ubuntu1)