CVE-2019-14822

Name: CVE-2019-14822
Description: A flaw was discovered in ibus that allows any unprivileged user to monitor and send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical interface, change the input method engine, or modify other input related configurations of the victim user.
Source: CVE (at NVD)
References: DSA-4525-1
NVD severity: low
Debian Bugs: 940267

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                      Version            Status
ibus (PTS)       stretch (security), stretch  1.5.14-3+deb9u2    fixed
                 buster, buster (security)    1.5.19-4+deb10u1   fixed
                 bullseye, sid                1.5.22-5           fixed

The information below is based on the following data on fixed versions.

Package  Type    Release     Fixed Version      Urgency  Origin      Debian Bugs
ibus     source  (unstable)  1.5.21-1                                940267
ibus     source  buster      1.5.19-4+deb10u1            DSA-4525-1
ibus     source  stretch     1.5.14-3+deb9u2             DSA-4525-1

Notes

[jessie] - ibus <ignored> (Hard to exploit, regression risk)
https://www.openwall.com/lists/oss-security/2019/09/13/1
Fixed by: https://github.com/ibus/ibus/commit/3d442dbf936d197aa11ca0a71663c2bc61696151
The original fix introduces a regression with Qt applications (the fix uncovered an
interoperability bug between GLib's implementation of D-Bus and the reference
implementation, libdbus):
https://bugs.debian.org/941018
https://launchpad.net/bugs/1844853
https://github.com/ibus/ibus/issues/2137
