CVE-2019-14822

NameCVE-2019-14822
DescriptionA flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical interface, change the input method engine, or modify other input related configurations of the victim user.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-4525-1
Debian Bugs940267

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ibus (PTS)buster, buster (security)1.5.19-4+deb10u1fixed
bullseye1.5.23-2fixed
bookworm1.5.27-5fixed
sid, trixie1.5.29-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ibussourcestretch1.5.14-3+deb9u2DSA-4525-1
ibussourcebuster1.5.19-4+deb10u1DSA-4525-1
ibussource(unstable)1.5.21-1940267

Notes

[jessie] - ibus <ignored> (Hard to exploit, regression risk)
https://www.openwall.com/lists/oss-security/2019/09/13/1
Fixed by: https://github.com/ibus/ibus/commit/3d442dbf936d197aa11ca0a71663c2bc61696151
The original fix introduces regression with Qt applications (the fix uncovered an
interoperability bug between GLib's implementation of D-Bus and the reference implementation
libdbus):
https://bugs.debian.org/941018
https://launchpad.net/bugs/1844853
https://github.com/ibus/ibus/issues/2137

Search for package or bug name: Reporting problems