Description: A flaw was discovered in ibus that allows any unprivileged user to monitor and send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical interface, change the input method engine, or modify other input-related configurations of the victim user.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: low
Debian Bugs: 940267

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| ibus (PTS) | stretch (security), stretch | 1.5.14-3+deb9u2 | fixed |
| | buster, buster (security) | 1.5.19-4+deb10u1 | fixed |
| | bullseye, sid | 1.5.22-5 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|


[jessie] - ibus <ignored> (Hard to exploit, regression risk)
Fixed by:
The original fix introduces a regression with Qt applications (the fix uncovered an
interoperability bug between GLib's implementation of D-Bus and the reference implementation
