CVE-2013-4509

Name	CVE-2013-4509
Description	The default configuration of IBUS 1.5.4, and possibly 1.5.2 and earlier, when IBus.InputPurpose.PASSWORD is not set and used with GNOME 3, does not obscure the entered password characters, which allows physically proximate attackers to obtain a user password by reading the lockscreen.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	729065, 730781

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ibus-anthy (PTS)	bullseye	1.5.12-2	fixed
	bookworm	1.5.14-1	fixed
	sid, trixie	1.5.16-1	fixed
ibus-chewing (PTS)	bullseye	1.6.1-1	fixed
	bookworm	1.6.1-2	fixed
	sid, trixie	2.1.2-1	fixed
ibus-pinyin (PTS)	bullseye	1.5.0-6.1	fixed
	bookworm	1.5.0-10	fixed
	sid, trixie	1.5.1-1	fixed
mozc (PTS)	bullseye	2.26.4220.100+dfsg-4	fixed
	bookworm	2.28.4715.102+dfsg-2.2	fixed
	sid, trixie	2.28.4715.102+dfsg-2.3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Debian Bugs
ibus-anthy	source	squeeze	(not affected)
ibus-anthy	source	wheezy	(not affected)
ibus-anthy	source	(unstable)	1.5.4-1	low	729065
ibus-chewing	source	squeeze	(not affected)
ibus-chewing	source	wheezy	(not affected)
ibus-chewing	source	(unstable)	1.4.3-4	low	730781
ibus-pinyin	source	squeeze	(not affected)
ibus-pinyin	source	wheezy	(not affected)
ibus-pinyin	source	(unstable)	1.5.0-1	low	729065
mozc	source	wheezy	(not affected)
mozc	source	(unstable)	1.12.1599.102-1	low	729065

Notes

[wheezy] - mozc <not-affected> (Only in combination with Ibus 1.5.4, which is not in stable)
[wheezy] - ibus-anthy <not-affected> (Only in combination with Ibus 1.5.4, which is not in stable)
[squeeze] - ibus-anthy <not-affected> (Only in combination with Ibus 1.5.4, which is not in oldstable)
[wheezy] - ibus-pinyin <not-affected> (Only in combination with Ibus 1.5.4, which is not in stable)
[squeeze] - ibus-pinyin <not-affected> (Only in combination with Ibus 1.5.4, which is not in oldstable)
[wheezy] - ibus-chewing <not-affected> (Only in combination with Ibus 1.5.4, which is not in stable)
[squeeze] - ibus-chewing <not-affected> (Only in combination with Ibus 1.5.4, which is not in oldstable)
https://www.openwall.com/lists/oss-security/2013/11/04/2
This is rather a bug in the various IBus engines not in ibus itself, asked maintainers to investigate affected engines,
can be assigned to affected engines once more info is available
Introduced in 1.5, so stable/oldstable not affected