[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2019-14822 ibus: missing authorization flaw
From:       Riccardo Schirone <rschiron () redhat ! com>
Date:       2019-09-13 7:18:08
Message-ID: 20190913071802.GE4936 () fedorawork
[Download RAW message or body]


A security flaw in ibus was reported by Simon McVittie (Collabora Ltd.). It was
discovered that any unprivileged user could monitor and send method calls to the
ibus bus of another user, due to a misconfiguration during the setup of the DBus
server. CVE-2019-14822 has been assigned to this flaw.

When ibus is in use, a local attacker, who discovers the UNIX socket used by
another user connected on a graphical environment, could use this flaw to
intercept all keystrokes of the victim user or modify input related
configurations through DBus method calls.

ibus uses a GDBusServer with G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS,
and doesn't set a GDBusAuthObserver, which allows anyone who can connect to its
AF_UNIX socket to authenticate and be authorized to send method calls.

ibus can be manually selected by setting GTK_IM_MODLUE=ibus or it could be
automatically selected by graphical environments like Gnome, when input method
sources (e.g. Korean, Chinese input method sources) are in use. In these
cases, all the key strokes of the victim user are sent to the ibus interface
and they could be intercepted by an attacker.

Upstream fix:
https://github.com/ibus/ibus/commit/3d442dbf936d197aa11ca0a71663c2bc61696151

Thanks,
-- 
Riccardo Schirone
Red Hat -- Product Security
Email: rschiron@redhat.com
PGP-Key ID: CF96E110

["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]