CVE-2013-4509

NameCVE-2013-4509
DescriptionThe default configuration of IBUS 1.5.4, and possibly 1.5.2 and earlier, when IBus.InputPurpose.PASSWORD is not set and used with GNOME 3, does not obscure the entered password characters, which allows physically proximate attackers to obtain a user password by reading the lockscreen.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs729065, 730781

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ibus-anthy (PTS)buster1.5.10-2fixed
bullseye1.5.12-2fixed
bookworm1.5.14-1fixed
sid1.5.15-1fixed
ibus-chewing (PTS)buster, bullseye1.6.1-1fixed
bookworm1.6.1-2fixed
sid, trixie2.0.0-1fixed
ibus-pinyin (PTS)buster1.5.0-5fixed
bullseye1.5.0-6.1fixed
bookworm1.5.0-10fixed
sid, trixie1.5.0-11fixed
mozc (PTS)buster2.23.2815.102+dfsg-4fixed
bullseye2.26.4220.100+dfsg-4fixed
bookworm, sid, trixie2.28.4715.102+dfsg-2.2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ibus-anthysourcesqueeze(not affected)
ibus-anthysourcewheezy(not affected)
ibus-anthysource(unstable)1.5.4-1low729065
ibus-chewingsourcesqueeze(not affected)
ibus-chewingsourcewheezy(not affected)
ibus-chewingsource(unstable)1.4.3-4low730781
ibus-pinyinsourcesqueeze(not affected)
ibus-pinyinsourcewheezy(not affected)
ibus-pinyinsource(unstable)1.5.0-1low729065
mozcsourcewheezy(not affected)
mozcsource(unstable)1.12.1599.102-1low729065

Notes

[wheezy] - mozc <not-affected> (Only in combination with Ibus 1.5.4, which is not in stable)
[wheezy] - ibus-anthy <not-affected> (Only in combination with Ibus 1.5.4, which is not in stable)
[squeeze] - ibus-anthy <not-affected> (Only in combination with Ibus 1.5.4, which is not in oldstable)
[wheezy] - ibus-pinyin <not-affected> (Only in combination with Ibus 1.5.4, which is not in stable)
[squeeze] - ibus-pinyin <not-affected> (Only in combination with Ibus 1.5.4, which is not in oldstable)
[wheezy] - ibus-chewing <not-affected> (Only in combination with Ibus 1.5.4, which is not in stable)
[squeeze] - ibus-chewing <not-affected> (Only in combination with Ibus 1.5.4, which is not in oldstable)
https://www.openwall.com/lists/oss-security/2013/11/04/2
This is rather a bug in the various IBus engines not in ibus itself, asked maintainers to investigate affected engines,
can be assigned to affected engines once more info is available
Introduced in 1.5, so stable/oldstable not affected

Search for package or bug name: Reporting problems