CVE-2013-4509

Name: CVE-2013-4509
Description: The default configuration of IBUS 1.5.4, and possibly 1.5.2 and earlier, when IBus.InputPurpose.PASSWORD is not set and used with GNOME 3, does not obscure the entered password characters, which allows physically proximate attackers to obtain a user password by reading the lockscreen.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: low (attack range: local)
Debian Bugs: 729065, 730781

Vulnerable and fixed packages

The table below lists information on source packages.

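| Source Package | Release | Version | Status |
|---|---|---|---|
| ibus-anthy (PTS) | jessie | 1.5.6-1 | fixed |
| ibus-anthy | stretch | 1.5.9-2 | fixed |
| ibus-anthy | buster | 1.5.10-2 | fixed |
| ibus-anthy | bullseye, sid | 1.5.11-1 | fixed |
| ibus-chewing (PTS) | jessie | 1.4.10.1-2 | fixed |
| ibus-chewing | stretch | 1.5.1-1 | fixed |
| ibus-chewing | buster, bullseye, sid | 1.6.1-1 | fixed |
| ibus-pinyin (PTS) | jessie | 1.5.0-3 | fixed |
| ibus-pinyin | stretch | 1.5.0-4 | fixed |
| ibus-pinyin | buster, bullseye, sid | 1.5.0-5 | fixed |
| mozc (PTS) | jessie | 1.15.1857.102-1 | fixed |
| mozc | stretch | 2.19.2623.102+dfsg-1 | fixed |
| mozc | buster | 2.23.2815.102+dfsg-4 | fixed |
| mozc | bullseye, sid | 2.23.2815.102+dfsg-7 | fixed |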

The information below is based on the following data on fixed versions.

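| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| ibus-anthy | source | (unstable) | 1.5.4-1 | low | | 729065 |
| ibus-anthy | source | squeeze | (not affected) | | | |
| ibus-anthy | source | wheezy | (not affected) | | | |
| ibus-chewing | source | (unstable) | 1.4.3-4 | low | | 730781 |
| ibus-chewing | source | squeeze | (not affected) | | | |
| ibus-chewing | source | wheezy | (not affected) | | | |
| ibus-pinyin | source | (unstable) | 1.5.0-1 | low | | 729065 |
| ibus-pinyin | source | squeeze | (not affected) | | | |
| ibus-pinyin | source | wheezy | (not affected) | | | |
| mozc | source | (unstable) | 1.12.1599.102-1 | low | | 729065 |
| mozc | source | wheezy | (not affected) | | | |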

Notes

[wheezy] - mozc <not-affected> (Only in combination with Ibus 1.5.4, which is not in stable)
[wheezy] - ibus-anthy <not-affected> (Only in combination with Ibus 1.5.4, which is not in stable)
[squeeze] - ibus-anthy <not-affected> (Only in combination with Ibus 1.5.4, which is not in oldstable)
[wheezy] - ibus-pinyin <not-affected> (Only in combination with Ibus 1.5.4, which is not in stable)
[squeeze] - ibus-pinyin <not-affected> (Only in combination with Ibus 1.5.4, which is not in oldstable)
[wheezy] - ibus-chewing <not-affected> (Only in combination with Ibus 1.5.4, which is not in stable)
[squeeze] - ibus-chewing <not-affected> (Only in combination with Ibus 1.5.4, which is not in oldstable)
http://www.openwall.com/lists/oss-security/2013/11/04/2
This is rather a bug in the various IBus engines not in ibus itself, asked maintainers to investigate affected engines,
can be assigned to affected engines once more info is available
Introduced in 1.5, so stable/oldstable not affected
