CVE-2019-14822

Priority
Description
[ibus uses a GDBusServer with
G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS, and doesn't set a
GDBusAuthObserver, which allows anyone who can connect to its AF_UNIX
socket to authenticate and be authorized to send method calls.]
Ubuntu-Description
Simon McVittie discovered that ibus did not enforce appropriate access
controls on its private D-Bus socket. A local unprivileged user who
discovers the ibus socket address of another user could exploit this to
capture the key strokes of the other user.
Assigned-to
amurray
Notes
amurray: The ibus D-Bus socket address contains a long random guid making
discovery of this address by another user unlikely.
mdeslaur: this was reverted in 4134-2 because of a regression, see LP bug
Package
Source: ibus (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 19.04 (Disco Dingo): needed
Ubuntu 19.10 (Eoan): needed
Patches:
Upstream: https://github.com/ibus/ibus/commit/3d442dbf936d197aa11ca0a71663c2bc61696151

Updated: 2019-10-18 02:45:23 UTC (commit cccfc4426d8c1fbf582a89d981fe7fc812124543)