CVE-2019-14822

Priority
Description
A flaw was discovered in ibus that allows any unprivileged user to monitor
and send method calls to the ibus bus of another user due to a
misconfiguration in the DBus server setup. A local attacker may use this
flaw to intercept all keystrokes of a victim user who is using the
graphical interface, change the input method engine, or modify other
input-related configurations of the victim user.
Ubuntu-Description
Simon McVittie discovered that ibus did not enforce appropriate access
controls on its private D-Bus socket. A local unprivileged user who
discovers the ibus socket address of another user could exploit this to
capture the keystrokes of the other user.
Assigned-to
amurray
Notes
amurray: The ibus D-Bus socket address contains a long random guid making
discovery of this address by another user unlikely.
mdeslaur: this was reverted in 4134-2 because of a regression, see LP bug
Package
Source: ibus (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 19.04 (Disco Dingo): needed
Ubuntu 19.10 (Eoan Ermine): needed
Ubuntu 20.04 (Focal Fossa): needed
Patches:
Upstream: https://github.com/ibus/ibus/commit/3d442dbf936d197aa11ca0a71663c2bc61696151

Updated: 2019-12-05 20:01:00 UTC (commit 0aa5e7c87c8b55d2ec5c7f4ca1179cf75de91961)