oss-sec mailing list archives
CVE-2019-14822 ibus: missing authorization flaw
From: Riccardo Schirone <rschiron () redhat com>
Date: Fri, 13 Sep 2019 09:18:08 +0200
A security flaw in ibus was reported by Simon McVittie (Collabora Ltd.). It was discovered that any unprivileged user could monitor and send method calls to the ibus bus of another user, due to a misconfiguration during the setup of the DBus server. CVE-2019-14822 has been assigned to this flaw.

When ibus is in use, a local attacker, who discovers the UNIX socket used by another user connected on a graphical environment, could use this flaw to intercept all keystrokes of the victim user or modify input-related configurations through DBus method calls.

ibus uses a GDBusServer with G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS, and doesn't set a GDBusAuthObserver, which allows anyone who can connect to its AF_UNIX socket to authenticate and be authorized to send method calls.

ibus can be manually selected by setting GTK_IM_MODULE=ibus or it could be automatically selected by graphical environments like Gnome, when input method sources (e.g. Korean, Chinese input method sources) are in use. In these cases, all the keystrokes of the victim user are sent to the ibus interface and they could be intercepted by an attacker.

Upstream fix: https://github.com/ibus/ibus/commit/3d442dbf936d197aa11ca0a71663c2bc61696151

Thanks,
--
Riccardo Schirone
Red Hat -- Product Security
Email: rschiron () redhat com
PGP-Key ID: CF96E110
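The missing piece the advisory describes is a peer-authorization step on the AF_UNIX socket: with anonymous authentication allowed and no GDBusAuthObserver, the server never asks who connected. In GDBus that check is normally done in an `authorize-authenticated-peer` handler on a GDBusAuthObserver, which receives the peer's GCredentials and compares the UNIX user with the server's own. The block below is an added example, not ibus code and not the upstream fix, that shows the same policy at the plain-socket level using Linux `SO_PEERCRED`: the kernel reports the connecting process's uid, and a connection is only accepted when that uid matches the server's. The function names (`authorize_peer`, `same_user_policy`, `accept_authorized`, `demo`) are this example's own, and the socketpair in `demo` is a constructed stand-in for a real client connection.

```c
#define _GNU_SOURCE          /* needed for struct ucred in glibc headers */
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Ask the kernel for the credentials of the process on the other end of a
 * connected AF_UNIX socket (Linux SO_PEERCRED). Returns 0 on success. */
static int peer_uid(int fd, uid_t *uid_out)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
        return -1;
    *uid_out = cred.uid;
    return 0;
}

/* The decision rule on its own: a peer is allowed only when it runs as the
 * same user as the server. This is what an authorize-authenticated-peer
 * handler would decide from g_credentials_get_unix_user(). */
int same_user_policy(uid_t server_uid, uid_t peer)
{
    return server_uid == peer;
}

/* Apply the rule to a live socket. Returns 1 when the peer is allowed,
 * 0 when it must be rejected. If the identity cannot be established the
 * default is deny, which is the opposite of the ALLOW_ANONYMOUS behaviour. */
int authorize_peer(int fd)
{
    uid_t uid;
    if (peer_uid(fd, &uid) != 0)
        return 0;
    return same_user_policy(getuid(), uid);
}

/* Server side: accept one connection on a listening AF_UNIX socket and hand
 * it back only if the peer passes the policy; otherwise close it and return -1.
 * The caller would create and bind the listening socket as usual. */
int accept_authorized(int listen_fd)
{
    int fd = accept(listen_fd, NULL, NULL);
    if (fd < 0)
        return -1;
    if (!authorize_peer(fd)) {
        fprintf(stderr, "rejecting connection from a different user\n");
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demonstration: a socketpair is a connected AF_UNIX socket, so
 * SO_PEERCRED reports credentials on it exactly as for an accept()ed client.
 * Both ends belong to this process, so the policy must allow it. */
int demo(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int ok = authorize_peer(sv[0]);
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    printf("same-user peer authorized: %d\n", demo());
    printf("cross-user policy result: %d\n", same_user_policy(1000, 1001));
    return 0;
}
```

The important design choice is the deny-by-default branch in `authorize_peer`: a server that cannot determine who is on the other end should refuse, rather than fall through to an anonymous grant. A GDBusServer reaches the same state only when a GDBusAuthObserver is installed and its handler returns FALSE for mismatched credentials.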