Date: Fri, 13 Sep 2019 09:18:08 +0200 From: Riccardo Schirone <rschiron@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE-2019-14822 ibus: missing authorization flaw A security flaw in ibus was reported by Simon McVittie (Collabora Ltd.). It was discovered that any unprivileged user could monitor and send method calls to the ibus bus of another user, due to a misconfiguration during the setup of the DBus server. CVE-2019-14822 has been assigned to this flaw. When ibus is in use, a local attacker, who discovers the UNIX socket used by another user connected on a graphical environment, could use this flaw to intercept all keystrokes of the victim user or modify input related configurations through DBus method calls. ibus uses a GDBusServer with G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS, and doesn't set a GDBusAuthObserver, which allows anyone who can connect to its AF_UNIX socket to authenticate and be authorized to send method calls. ibus can be manually selected by setting GTK_IM_MODLUE=ibus or it could be automatically selected by graphical environments like Gnome, when input method sources (e.g. Korean, Chinese input method sources) are in use. In these cases, all the key strokes of the victim user are sent to the ibus interface and they could be intercepted by an attacker. Upstream fix: https://github.com/ibus/ibus/commit/3d442dbf936d197aa11ca0a71663c2bc61696151 Thanks, -- Riccardo Schirone Red Hat -- Product Security Email: rschiron@...hat.com PGP-Key ID: CF96E110 Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.