
Bug#940267: marked as done (ibus: CVE-2019-14822)



Your message dated Wed, 18 Sep 2019 15:19:37 +0000
with message-id <E1iAbk1-0003QE-G2@fasolo.debian.org>
and subject line Bug#940267: fixed in ibus 1.5.21-1
has caused the Debian Bug report #940267,
regarding ibus: CVE-2019-14822
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
940267: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940267
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: ibus
Version: 1.5.19-4
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1.5.14-3+deb9u1
Control: found -1 1.5.14-3
Control: fixed -1 1.5.14-3+deb9u2
Control: fixed -1 1.5.19-4+deb10u1

Hi,

The following vulnerability was published for ibus.

CVE-2019-14822[0]:
missing authorization flaw

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14822
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14822
[1] https://www.openwall.com/lists/oss-security/2019/09/13/1
[2] https://github.com/ibus/ibus/commit/3d442dbf936d197aa11ca0a71663c2bc61696151

We plan to release an update for ibus with the attached debdiffs, but
some further verification is still needed.

Regards,
Salvatore
diff -Nru ibus-1.5.14/debian/changelog ibus-1.5.14/debian/changelog
--- ibus-1.5.14/debian/changelog	2018-09-18 20:14:51.000000000 +0200
+++ ibus-1.5.14/debian/changelog	2019-09-11 23:13:56.000000000 +0200
@@ -1,3 +1,10 @@
+ibus (1.5.14-3+deb9u2) stretch-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * bus: Implement GDBusAuthObserver callback (CVE-2019-14822)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 11 Sep 2019 23:13:56 +0200
+
 ibus (1.5.14-3+deb9u1) stretch; urgency=medium
 
   * Non-maintainer upload.
diff -Nru ibus-1.5.14/debian/patches/CVE-2019-14822.patch ibus-1.5.14/debian/patches/CVE-2019-14822.patch
--- ibus-1.5.14/debian/patches/CVE-2019-14822.patch	1970-01-01 01:00:00.000000000 +0100
+++ ibus-1.5.14/debian/patches/CVE-2019-14822.patch	2019-09-11 23:13:07.000000000 +0200
@@ -0,0 +1,134 @@
+From 7aa556c043fbda5c3b499cf7ec1bb0e3b30e1b65 Mon Sep 17 00:00:00 2001
+From: fujiwarat <takao.fujiwara1@gmail.com>
+Date: Tue, 03 Sep 2019 19:06:52 +0900
+Subject: [PATCH] bus: Implement GDBusAuthObserver callback
+
+ibus uses a GDBusServer with G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS,
+and doesn't set a GDBusAuthObserver, which allows anyone who can connect
+to its AF_UNIX socket to authenticate and be authorized to send method calls.
+It also seems to use an abstract AF_UNIX socket, which does not have
+filesystem permissions, so the practical effect might be that a local
+attacker can connect to another user's ibus service and make arbitrary
+method calls.
+
+BUGS=rhbz#1717958
+[Salvatore Bonaccorso: Backport to 1.5.19
+ - Adjust for context changes
+ - Drop update to copyright statements
+]
+[Salvatore Bonaccorso: Backport to 1.5.14
+ - Adjust for context changes
+ - Drop huncks marking user_data with G_GNUC_UNUSED for
+   _server_connect_start_portal_cb and bus_acquired_handler as not
+   present in 1.5.14.
+]
+---
+
+--- a/bus/server.c
++++ b/bus/server.c
+@@ -70,16 +70,63 @@ _restart_server (void)
+ }
+ 
+ /**
++ * bus_allow_mechanism_cb:
++ * @observer: A #GDBusAuthObserver.
++ * @mechanism: The name of the mechanism.
++ * @user_data: always %NULL.
++ *
++ * Check if @mechanism can be used to authenticate the other peer.
++ * Returns: %TRUE if the peer's mechanism is allowed.
++ */
++static gboolean
++bus_allow_mechanism_cb (GDBusAuthObserver     *observer,
++                        const gchar           *mechanism,
++                        G_GNUC_UNUSED gpointer user_data)
++{
++    if (g_strcmp0 (mechanism, "EXTERNAL") == 0)
++        return TRUE;
++    return FALSE;
++}
++
++/**
++ * bus_authorize_authenticated_peer_cb:
++ * @observer: A #GDBusAuthObserver.
++ * @stream: A #GIOStream.
++ * @credentials: A #GCredentials.
++ * @user_data: always %NULL.
++ *
++ * Check if a peer who has already authenticated should be authorized.
++ * Returns: %TRUE if the peer's credential is authorized.
++ */
++static gboolean
++bus_authorize_authenticated_peer_cb (GDBusAuthObserver     *observer,
++                                     GIOStream             *stream,
++                                     GCredentials          *credentials,
++                                     G_GNUC_UNUSED gpointer user_data)
++{
++    gboolean authorized = FALSE;
++    if (credentials) {
++        GCredentials *own_credentials = g_credentials_new ();
++        if (g_credentials_is_same_user (credentials, own_credentials, NULL))
++            authorized = TRUE;
++        g_object_unref (own_credentials);
++    }
++    return authorized;
++}
++
++/**
+  * bus_new_connection_cb:
+- * @user_data: always NULL.
+- * @returns: TRUE when the function can handle the connection.
++ * @observer: A #GDBusAuthObserver.
++ * @dbus_connection: A #GDBusconnection.
++ * @user_data: always %NULL.
+  *
+  * Handle incoming connections.
++ * Returns: %TRUE when the function can handle the connection.
+  */
+ static gboolean
+-bus_new_connection_cb (GDBusServer     *server,
+-                       GDBusConnection *dbus_connection,
+-                       gpointer         user_data)
++bus_new_connection_cb (GDBusServer           *server,
++                       GDBusConnection       *dbus_connection,
++                       G_GNUC_UNUSED gpointer user_data)
+ {
+     BusConnection *connection = bus_connection_new (dbus_connection);
+     bus_dbus_impl_new_connection (dbus, connection);
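Review bot: the doc comment for bus_new_connection_cb now names its first parameter `@observer: A #GDBusAuthObserver.`, but the signature directly below still takes `GDBusServer *server`; that line should read `@server: A #GDBusServer.` (and `#GDBusconnection` should be `#GDBusConnection`). The two new callbacks themselves look right: bus_allow_mechanism_cb accepts only EXTERNAL, so a peer has to present kernel-supplied credentials, and bus_authorize_authenticated_peer_cb starts from `authorized = FALSE` and stays there when @credentials is NULL or g_credentials_is_same_user() does not report a match (its GError argument is NULL, so a comparison error is simply treated as "not the same user"), which is the correct fail-closed default.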
+@@ -96,22 +143,32 @@ bus_new_connection_cb (GDBusServer     *
+ void
+ bus_server_init (void)
+ {
++    GDBusServerFlags flags = G_DBUS_SERVER_FLAGS_NONE;
++    gchar *guid;
++    GDBusAuthObserver *observer;
++
+     dbus = bus_dbus_impl_get_default ();
+     ibus = bus_ibus_impl_get_default ();
+     bus_dbus_impl_register_object (dbus, (IBusService *)ibus);
+ 
+     /* init server */
+-    GDBusServerFlags flags = G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS;
+-    gchar *guid = g_dbus_generate_guid ();
++    guid = g_dbus_generate_guid ();
++    observer = g_dbus_auth_observer_new ();
+     server =  g_dbus_server_new_sync (
+                     g_address, /* the place where the socket file lives, e.g. /tmp, abstract namespace, etc. */
+                     flags, guid,
+-                    NULL /* observer */,
++                    observer,
+                     NULL /* cancellable */,
+                     NULL /* error */);
+     g_free (guid);
+ 
+-    g_signal_connect (server, "new-connection", G_CALLBACK (bus_new_connection_cb), NULL);
++    g_signal_connect (observer, "allow-mechanism",
++                      G_CALLBACK (bus_allow_mechanism_cb), NULL);
++    g_signal_connect (observer, "authorize-authenticated-peer",
++                      G_CALLBACK (bus_authorize_authenticated_peer_cb), NULL);
++    g_object_unref (observer);
++    g_signal_connect (server, "new-connection",
++                      G_CALLBACK (bus_new_connection_cb), NULL);
+ 
+     g_dbus_server_start (server);
+ 
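Review bot: in this 1.5.14 variant the return value of g_dbus_server_new_sync() is still not checked before g_signal_connect() and g_dbus_server_start(), and `error` is passed as NULL, so a failure to bind the socket would surface as a crash rather than a diagnostic. That is pre-existing rather than introduced here, but the 1.5.19 debdiff later in this mail already carries an `if (server == NULL)` branch, and bringing it into the stretch backport would keep the two security updates consistent. The ordering of the new lines is right: both observer signals are connected before g_dbus_server_start(), so no peer can be authenticated without passing the EXTERNAL-only and same-user checks, and dropping our reference with g_object_unref (observer) straight away is safe only because the server keeps its own reference to the observer it was constructed with; a one-line comment saying so would spare the next reader a trip to the GIO documentation.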
diff -Nru ibus-1.5.14/debian/patches/series ibus-1.5.14/debian/patches/series
--- ibus-1.5.14/debian/patches/series	2016-12-10 01:32:32.000000000 +0100
+++ ibus-1.5.14/debian/patches/series	2019-09-11 07:25:37.000000000 +0200
@@ -13,3 +13,4 @@
 #ibus-530711-preload-sys.patch
 ## FC patch4: Hide minor input method engines on ibus-setup by locale
 ibus-xx-setup-frequent-lang.patch
+CVE-2019-14822.patch
diff -Nru ibus-1.5.19/debian/changelog ibus-1.5.19/debian/changelog
--- ibus-1.5.19/debian/changelog	2019-02-17 07:19:20.000000000 +0100
+++ ibus-1.5.19/debian/changelog	2019-09-10 23:27:18.000000000 +0200
@@ -1,3 +1,10 @@
+ibus (1.5.19-4+deb10u1) buster-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * bus: Implement GDBusAuthObserver callback (CVE-2019-14822)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 10 Sep 2019 23:27:18 +0200
+
 ibus (1.5.19-4) unstable; urgency=medium
 
   [ Simon McVittie ]
diff -Nru ibus-1.5.19/debian/patches/CVE-2019-14822.patch ibus-1.5.19/debian/patches/CVE-2019-14822.patch
--- ibus-1.5.19/debian/patches/CVE-2019-14822.patch	1970-01-01 01:00:00.000000000 +0100
+++ ibus-1.5.19/debian/patches/CVE-2019-14822.patch	2019-09-10 23:26:35.000000000 +0200
@@ -0,0 +1,161 @@
+From 7aa556c043fbda5c3b499cf7ec1bb0e3b30e1b65 Mon Sep 17 00:00:00 2001
+From: fujiwarat <takao.fujiwara1@gmail.com>
+Date: Tue, 03 Sep 2019 19:06:52 +0900
+Subject: [PATCH] bus: Implement GDBusAuthObserver callback
+
+ibus uses a GDBusServer with G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS,
+and doesn't set a GDBusAuthObserver, which allows anyone who can connect
+to its AF_UNIX socket to authenticate and be authorized to send method calls.
+It also seems to use an abstract AF_UNIX socket, which does not have
+filesystem permissions, so the practical effect might be that a local
+attacker can connect to another user's ibus service and make arbitrary
+method calls.
+
+BUGS=rhbz#1717958
+[Salvatore Bonaccorso: Backport to 1.5.19
+ - Adjust for context changes
+ - Drop update to copyright statements
+]
+---
+
+--- a/bus/server.c
++++ b/bus/server.c
+@@ -70,16 +71,63 @@ _restart_server (void)
+ }
+ 
+ /**
++ * bus_allow_mechanism_cb:
++ * @observer: A #GDBusAuthObserver.
++ * @mechanism: The name of the mechanism.
++ * @user_data: always %NULL.
++ *
++ * Check if @mechanism can be used to authenticate the other peer.
++ * Returns: %TRUE if the peer's mechanism is allowed.
++ */
++static gboolean
++bus_allow_mechanism_cb (GDBusAuthObserver     *observer,
++                        const gchar           *mechanism,
++                        G_GNUC_UNUSED gpointer user_data)
++{
++    if (g_strcmp0 (mechanism, "EXTERNAL") == 0)
++        return TRUE;
++    return FALSE;
++}
++
++/**
++ * bus_authorize_authenticated_peer_cb:
++ * @observer: A #GDBusAuthObserver.
++ * @stream: A #GIOStream.
++ * @credentials: A #GCredentials.
++ * @user_data: always %NULL.
++ *
++ * Check if a peer who has already authenticated should be authorized.
++ * Returns: %TRUE if the peer's credential is authorized.
++ */
++static gboolean
++bus_authorize_authenticated_peer_cb (GDBusAuthObserver     *observer,
++                                     GIOStream             *stream,
++                                     GCredentials          *credentials,
++                                     G_GNUC_UNUSED gpointer user_data)
++{
++    gboolean authorized = FALSE;
++    if (credentials) {
++        GCredentials *own_credentials = g_credentials_new ();
++        if (g_credentials_is_same_user (credentials, own_credentials, NULL))
++            authorized = TRUE;
++        g_object_unref (own_credentials);
++    }
++    return authorized;
++}
++
++/**
+  * bus_new_connection_cb:
+- * @user_data: always NULL.
+- * @returns: TRUE when the function can handle the connection.
++ * @observer: A #GDBusAuthObserver.
++ * @dbus_connection: A #GDBusconnection.
++ * @user_data: always %NULL.
+  *
+  * Handle incoming connections.
++ * Returns: %TRUE when the function can handle the connection.
+  */
+ static gboolean
+-bus_new_connection_cb (GDBusServer     *server,
+-                       GDBusConnection *dbus_connection,
+-                       gpointer         user_data)
++bus_new_connection_cb (GDBusServer           *server,
++                       GDBusConnection       *dbus_connection,
++                       G_GNUC_UNUSED gpointer user_data)
+ {
+     BusConnection *connection = bus_connection_new (dbus_connection);
+     bus_dbus_impl_new_connection (dbus, connection);
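Review bot: the hunk header `@@ -70,16 +71,63 @@` has a new-side start of 71 while the old side starts at 70, a leftover from the copyright-statement hunk the backport note says was dropped. patch places hunks by the old-side line number and context, so this still applies, but the 1.5.14 copy of the same patch has the header regenerated as `@@ -70,16 +70,63 @@`, and doing the same here keeps the two debdiffs consistent. The `@observer: A #GDBusAuthObserver.` line in the bus_new_connection_cb doc comment is the same parameter mismatch as in the 1.5.14 copy: the first argument is `GDBusServer *server`.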
+@@ -94,9 +142,9 @@ bus_new_connection_cb (GDBusServer     *
+ }
+ 
+ static void
+-_server_connect_start_portal_cb (GObject      *source_object,
+-                                 GAsyncResult *res,
+-                                 gpointer      user_data)
++_server_connect_start_portal_cb (GObject               *source_object,
++                                 GAsyncResult          *res,
++                                 G_GNUC_UNUSED gpointer user_data)
+ {
+     GVariant *result;
+     GError *error = NULL;
+@@ -113,9 +161,9 @@ _server_connect_start_portal_cb (GObject
+ }
+ 
+ static void
+-bus_acquired_handler (GDBusConnection *connection,
+-                      const gchar     *name,
+-                      gpointer         user_data)
++bus_acquired_handler (GDBusConnection       *connection,
++                      const gchar           *name,
++                      G_GNUC_UNUSED gpointer user_data)
+ {
+     g_dbus_connection_call (connection,
+                             IBUS_SERVICE_PORTAL,
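Review bot: this hunk and the one before it only mark `user_data` as G_GNUC_UNUSED in _server_connect_start_portal_cb and bus_acquired_handler; they change no behaviour and are not needed for the CVE fix. For a buster-security upload, dropping them would limit the debdiff to the functional change, which is what the 1.5.14 backport already does (its note says these hunks were left out because the functions do not exist there). Keeping them is harmless, but it makes the security-relevant part of the patch harder to pick out when auditing the update.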
+@@ -136,14 +184,17 @@ void
+ bus_server_init (void)
+ {
+     GError *error = NULL;
++    GDBusServerFlags flags = G_DBUS_SERVER_FLAGS_NONE;
++    gchar *guid;
++    GDBusAuthObserver *observer;
+ 
+     dbus = bus_dbus_impl_get_default ();
+     ibus = bus_ibus_impl_get_default ();
+     bus_dbus_impl_register_object (dbus, (IBusService *)ibus);
+ 
+     /* init server */
+-    GDBusServerFlags flags = G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS;
+-    gchar *guid = g_dbus_generate_guid ();
++    guid = g_dbus_generate_guid ();
++    observer = g_dbus_auth_observer_new ();
+     if (!g_str_has_prefix (g_address, "unix:tmpdir=")) {
+         g_error ("Your socket address does not have the format unix:tmpdir=$DIR; %s",
+                  g_address);
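Review bot: `flags = G_DBUS_SERVER_FLAGS_NONE` is the line in this hunk that matters and deserves a short comment: it removes G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS, so the server no longer offers the ANONYMOUS mechanism at all, and the observer's allow-mechanism handler would refuse it anyway, so the two changes back each other up. Without a comment, a future reader chasing a connection failure could reintroduce the flag and silently undo half of the fix. Creating `observer` before the `unix:tmpdir=` prefix check is fine on the failure path because g_error() is fatal, so nothing leaks there.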
+@@ -151,7 +202,7 @@ bus_server_init (void)
+     server =  g_dbus_server_new_sync (
+                     g_address, /* the place where the socket file lives, e.g. /tmp, abstract namespace, etc. */
+                     flags, guid,
+-                    NULL /* observer */,
++                    observer,
+                     NULL /* cancellable */,
+                     &error);
+     if (server == NULL) {
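Review bot: the inline comment on g_address still lists `abstract namespace, etc.` as possible socket locations, but the check just above this hunk rejects any address that is not `unix:tmpdir=`, so in 1.5.19 the listening socket always lives under a temporary directory on the filesystem. The abstract-socket scenario in the commit message therefore describes the older code, and updating the comment to say `unix:tmpdir=` would avoid suggesting the abstract case is still supported. The fix does not rely on that location either way: authorization comes from the peer credentials checked by the observer, not from where the socket lives.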
+@@ -161,7 +212,13 @@ bus_server_init (void)
+     }
+     g_free (guid);
+ 
+-    g_signal_connect (server, "new-connection", G_CALLBACK (bus_new_connection_cb), NULL);
++    g_signal_connect (observer, "allow-mechanism",
++                      G_CALLBACK (bus_allow_mechanism_cb), NULL);
++    g_signal_connect (observer, "authorize-authenticated-peer",
++                      G_CALLBACK (bus_authorize_authenticated_peer_cb), NULL);
++    g_object_unref (observer);
++    g_signal_connect (server, "new-connection",
++                      G_CALLBACK (bus_new_connection_cb), NULL);
+ 
+     g_dbus_server_start (server);
+ 
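Review bot: same ordering point as in the stretch copy: both observer handlers are connected before g_dbus_server_start(), so no connection can be authenticated without the EXTERNAL-only and same-user checks, and the early g_object_unref (observer) relies on the server holding the reference it took in g_dbus_server_new_sync(). One wrinkle specific to this version: `observer` is only released on the success path, after the `if (server == NULL)` branch whose body is outside this hunk; if that branch returns rather than aborting, the observer is leaked. Moving the unref up next to `g_free (guid)` would make the cleanup symmetric and is safe, since the server's own reference keeps the observer alive for the g_signal_connect() calls.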
diff -Nru ibus-1.5.19/debian/patches/series ibus-1.5.19/debian/patches/series
--- ibus-1.5.19/debian/patches/series	2019-02-17 07:13:18.000000000 +0100
+++ ibus-1.5.19/debian/patches/series	2019-09-10 23:22:14.000000000 +0200
@@ -2,3 +2,4 @@
 dconf-Use-dbus-run-session-to-set-up-dconf-overrides.patch
 dconf-Create-a-temporary-XDG_RUNTIME_DIR.patch
 wayland.patch
+CVE-2019-14822.patch

--- End Message ---
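The commit message in the patch above describes the flaw in terms of GLib's GDBusServer. The following is an added example, not ibus code and not part of the bug report, that reproduces the two policies with plain sockets so the difference can be run without GLib. It assumes Linux: an abstract-namespace AF_UNIX socket (a name starting with a NUL byte, so no directory entry and no file permissions, as the commit message describes) and SO_PEERCRED for the kernel-supplied peer uid. The function names peer_credentials, decide and serve_once are the example's own. decide() models the two server policies, ALLOW_ANONYMOUS with no observer versus the same-user rule that bus_authorize_authenticated_peer_cb applies through g_credentials_is_same_user().

```python
import os
import socket
import struct

# Linux layout of 'struct ucred { pid_t pid; uid_t uid; gid_t gid; }',
# which the kernel fills in for the SO_PEERCRED socket option.
_UCRED = struct.Struct("3i")


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the other end of an AF_UNIX stream.

    The values are supplied by the kernel and cannot be chosen by the peer;
    they are what the D-Bus EXTERNAL mechanism (and GCredentials on Linux)
    are built on.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    pid, uid, gid = _UCRED.unpack(raw)
    return pid, uid, gid


def decide(peer_uid, own_uid, allow_anonymous):
    """The authorization rule as a pure function, so both policies can be compared.

    allow_anonymous=True  models ALLOW_ANONYMOUS with no auth observer: anyone
                          who can reach the socket is authorized.
    allow_anonymous=False models the patched server: the peer is authorized
                          only if it is the same user as the server process.
    A missing peer_uid (None) is refused under the strict policy (fail closed),
    mirroring the C callback's treatment of NULL credentials.
    """
    if allow_anonymous:
        return True
    if peer_uid is None:
        return False
    return peer_uid == own_uid


def serve_once(allow_anonymous):
    """Bind an abstract-namespace AF_UNIX socket, connect to it from this same
    process, and apply the chosen policy to the accepted connection.

    The socket name starts with a NUL byte, so it lives in the abstract
    namespace: it has no directory entry and therefore no file permissions,
    which is why the authorization decision has to come from peer credentials.
    Returns a dict describing the decision.
    """
    # Constructed, randomised name so repeated runs do not collide.
    name = b"\0ibus-demo-" + os.urandom(6).hex().encode()
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        listener.bind(name)
        listener.listen(1)
        client.connect(name)
        conn, _ = listener.accept()
        try:
            try:
                _pid, peer_uid, _gid = peer_credentials(conn)
            except (OSError, AttributeError):  # platform without SO_PEERCRED
                peer_uid = None
            own_uid = os.geteuid()
            return {
                "abstract": name[:1] == b"\0",
                "peer_uid": peer_uid,
                "own_uid": own_uid,
                "authorized": decide(peer_uid, own_uid, allow_anonymous),
            }
        finally:
            conn.close()
    finally:
        client.close()
        listener.close()


if __name__ == "__main__":
    print("anonymous policy:", serve_once(allow_anonymous=True))
    print("same-user policy:", serve_once(allow_anonymous=False))
```

Running the module prints one decision per policy. The anonymous policy authorizes any peer that can reach the socket, which is exactly the condition the commit message describes for the unpatched server; the same-user policy compares the kernel-reported uid with the server's own effective uid and refuses whenever no credentials are available at all.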
--- Begin Message ---
Source: ibus
Source-Version: 1.5.21-1

We believe that the bug you reported is fixed in the latest version of
ibus, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 940267@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Changwoo Ryu <cwryu@debian.org> (supplier of updated ibus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 18 Sep 2019 23:52:06 +0900
Source: ibus
Architecture: source
Version: 1.5.21-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Input Method Team <debian-input-method@lists.debian.org>
Changed-By: Changwoo Ryu <cwryu@debian.org>
Closes: 940267
Changes:
 ibus (1.5.21-1) unstable; urgency=medium
 .
   [ Changwoo Ryu ]
   * Upload to unstable
   * Apply upstream commit to fix CVE-2019-14822 (Closes: #940267)
   * d/rules: Add XDG_RUNTIME_DIR settings on build
     - Based on d/rules of the glib2.0 package
     - possibly to fix the test failures in non-linux arch builds
   * d/control: Remove unnecessary Build-Depends: gnome-common,
     libnotify-dev
Checksums-Sha1:
 f1678cad3bd33b7ef13c497a16c251dbc14d6647 2895 ibus_1.5.21-1.dsc
 78606bcac7c6ca59e4dbe480dcfc3619aa108636 24584 ibus_1.5.21-1.debian.tar.xz
 f30bd3d1f8d7122ad4a804bdadb2b54e7f16c14e 16729 ibus_1.5.21-1_source.buildinfo
Checksums-Sha256:
 e7c2c08566d0d06e60b87a0d233890d1168be3196c63dbc0fcf36ec9f49d02c0 2895 ibus_1.5.21-1.dsc
 2edb084e003cabf8b3f0f595b0b3525ffdada99b86adce4851cba784e927f7e4 24584 ibus_1.5.21-1.debian.tar.xz
 540f5265194b4cb7cf88a03c38144981be93046af3a162dc65409285a3735b80 16729 ibus_1.5.21-1_source.buildinfo
Files:
 2fb0eff0de80f0b03393d32ad7c60ea5 2895 utils optional ibus_1.5.21-1.dsc
 b242822806b6f2b6d188652292fbfda2 24584 utils optional ibus_1.5.21-1.debian.tar.xz
 d43e9fe28dd343a6ecf21483a58471c3 16729 utils optional ibus_1.5.21-1_source.buildinfo


--- End Message ---
