Bug#940267: ibus: CVE-2019-14822
Source: ibus
Version: 1.5.19-4
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1.5.14-3+deb9u1
Control: found -1 1.5.14-3
Control: fixed -1 1.5.14-3+deb9u2
Control: fixed -1 1.5.19-4+deb10u1
Hi,
The following vulnerability was published for ibus.
CVE-2019-14822[0]:
missing authorization flaw
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-14822
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14822
[1] https://www.openwall.com/lists/oss-security/2019/09/13/1
[2] https://github.com/ibus/ibus/commit/3d442dbf936d197aa11ca0a71663c2bc61696151
We plan to release an update for ibus with the attached debdiffs, but
some further verification is pending needed.
Regards,
Salvatore
diff -Nru ibus-1.5.14/debian/changelog ibus-1.5.14/debian/changelog
--- ibus-1.5.14/debian/changelog 2018-09-18 20:14:51.000000000 +0200
+++ ibus-1.5.14/debian/changelog 2019-09-11 23:13:56.000000000 +0200
@@ -1,3 +1,10 @@
+ibus (1.5.14-3+deb9u2) stretch-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * bus: Implement GDBusAuthObserver callback (CVE-2019-14822)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Wed, 11 Sep 2019 23:13:56 +0200
+
ibus (1.5.14-3+deb9u1) stretch; urgency=medium
* Non-maintainer upload.
diff -Nru ibus-1.5.14/debian/patches/CVE-2019-14822.patch ibus-1.5.14/debian/patches/CVE-2019-14822.patch
--- ibus-1.5.14/debian/patches/CVE-2019-14822.patch 1970-01-01 01:00:00.000000000 +0100
+++ ibus-1.5.14/debian/patches/CVE-2019-14822.patch 2019-09-11 23:13:07.000000000 +0200
@@ -0,0 +1,134 @@
+From 7aa556c043fbda5c3b499cf7ec1bb0e3b30e1b65 Mon Sep 17 00:00:00 2001
+From: fujiwarat <takao.fujiwara1@gmail.com>
+Date: Tue, 03 Sep 2019 19:06:52 +0900
+Subject: [PATCH] bus: Implement GDBusAuthObserver callback
+
+ibus uses a GDBusServer with G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS,
+and doesn't set a GDBusAuthObserver, which allows anyone who can connect
+to its AF_UNIX socket to authenticate and be authorized to send method calls.
+It also seems to use an abstract AF_UNIX socket, which does not have
+filesystem permissions, so the practical effect might be that a local
+attacker can connect to another user's ibus service and make arbitrary
+method calls.
+
+BUGS=rhbz#1717958
+[Salvatore Bonaccorso: Backport to 1.5.19
+ - Adjust for context changes
+ - Drop update to copyright statements
+]
+[Salvatore Bonaccorso: Backport to 1.5.14
+ - Adjust for context changes
+ - Drop huncks marking user_data with G_GNUC_UNUSED for
+ _server_connect_start_portal_cb and bus_acquired_handler as not
+ present in 1.5.14.
+]
+---
+
+--- a/bus/server.c
++++ b/bus/server.c
+@@ -70,16 +70,63 @@ _restart_server (void)
+ }
+
+ /**
++ * bus_allow_mechanism_cb:
++ * @observer: A #GDBusAuthObserver.
++ * @mechanism: The name of the mechanism.
++ * @user_data: always %NULL.
++ *
++ * Check if @mechanism can be used to authenticate the other peer.
++ * Returns: %TRUE if the peer's mechanism is allowed.
++ */
++static gboolean
++bus_allow_mechanism_cb (GDBusAuthObserver *observer,
++ const gchar *mechanism,
++ G_GNUC_UNUSED gpointer user_data)
++{
++ if (g_strcmp0 (mechanism, "EXTERNAL") == 0)
++ return TRUE;
++ return FALSE;
++}
++
++/**
++ * bus_authorize_authenticated_peer_cb:
++ * @observer: A #GDBusAuthObserver.
++ * @stream: A #GIOStream.
++ * @credentials: A #GCredentials.
++ * @user_data: always %NULL.
++ *
++ * Check if a peer who has already authenticated should be authorized.
++ * Returns: %TRUE if the peer's credential is authorized.
++ */
++static gboolean
++bus_authorize_authenticated_peer_cb (GDBusAuthObserver *observer,
++ GIOStream *stream,
++ GCredentials *credentials,
++ G_GNUC_UNUSED gpointer user_data)
++{
++ gboolean authorized = FALSE;
++ if (credentials) {
++ GCredentials *own_credentials = g_credentials_new ();
++ if (g_credentials_is_same_user (credentials, own_credentials, NULL))
++ authorized = TRUE;
++ g_object_unref (own_credentials);
++ }
++ return authorized;
++}
++
++/**
+ * bus_new_connection_cb:
+- * @user_data: always NULL.
+- * @returns: TRUE when the function can handle the connection.
++ * @observer: A #GDBusAuthObserver.
++ * @dbus_connection: A #GDBusconnection.
++ * @user_data: always %NULL.
+ *
+ * Handle incoming connections.
++ * Returns: %TRUE when the function can handle the connection.
+ */
+ static gboolean
+-bus_new_connection_cb (GDBusServer *server,
+- GDBusConnection *dbus_connection,
+- gpointer user_data)
++bus_new_connection_cb (GDBusServer *server,
++ GDBusConnection *dbus_connection,
++ G_GNUC_UNUSED gpointer user_data)
+ {
+ BusConnection *connection = bus_connection_new (dbus_connection);
+ bus_dbus_impl_new_connection (dbus, connection);
+@@ -96,22 +143,32 @@ bus_new_connection_cb (GDBusServer *
+ void
+ bus_server_init (void)
+ {
++ GDBusServerFlags flags = G_DBUS_SERVER_FLAGS_NONE;
++ gchar *guid;
++ GDBusAuthObserver *observer;
++
+ dbus = bus_dbus_impl_get_default ();
+ ibus = bus_ibus_impl_get_default ();
+ bus_dbus_impl_register_object (dbus, (IBusService *)ibus);
+
+ /* init server */
+- GDBusServerFlags flags = G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS;
+- gchar *guid = g_dbus_generate_guid ();
++ guid = g_dbus_generate_guid ();
++ observer = g_dbus_auth_observer_new ();
+ server = g_dbus_server_new_sync (
+ g_address, /* the place where the socket file lives, e.g. /tmp, abstract namespace, etc. */
+ flags, guid,
+- NULL /* observer */,
++ observer,
+ NULL /* cancellable */,
+ NULL /* error */);
+ g_free (guid);
+
+- g_signal_connect (server, "new-connection", G_CALLBACK (bus_new_connection_cb), NULL);
++ g_signal_connect (observer, "allow-mechanism",
++ G_CALLBACK (bus_allow_mechanism_cb), NULL);
++ g_signal_connect (observer, "authorize-authenticated-peer",
++ G_CALLBACK (bus_authorize_authenticated_peer_cb), NULL);
++ g_object_unref (observer);
++ g_signal_connect (server, "new-connection",
++ G_CALLBACK (bus_new_connection_cb), NULL);
+
+ g_dbus_server_start (server);
+
diff -Nru ibus-1.5.14/debian/patches/series ibus-1.5.14/debian/patches/series
--- ibus-1.5.14/debian/patches/series 2016-12-10 01:32:32.000000000 +0100
+++ ibus-1.5.14/debian/patches/series 2019-09-11 07:25:37.000000000 +0200
@@ -13,3 +13,4 @@
#ibus-530711-preload-sys.patch
## FC patch4: Hide minor input method engines on ibus-setup by locale
ibus-xx-setup-frequent-lang.patch
+CVE-2019-14822.patch
diff -Nru ibus-1.5.19/debian/changelog ibus-1.5.19/debian/changelog
--- ibus-1.5.19/debian/changelog 2019-02-17 07:19:20.000000000 +0100
+++ ibus-1.5.19/debian/changelog 2019-09-10 23:27:18.000000000 +0200
@@ -1,3 +1,10 @@
+ibus (1.5.19-4+deb10u1) buster-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * bus: Implement GDBusAuthObserver callback (CVE-2019-14822)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Tue, 10 Sep 2019 23:27:18 +0200
+
ibus (1.5.19-4) unstable; urgency=medium
[ Simon McVittie ]
diff -Nru ibus-1.5.19/debian/patches/CVE-2019-14822.patch ibus-1.5.19/debian/patches/CVE-2019-14822.patch
--- ibus-1.5.19/debian/patches/CVE-2019-14822.patch 1970-01-01 01:00:00.000000000 +0100
+++ ibus-1.5.19/debian/patches/CVE-2019-14822.patch 2019-09-10 23:26:35.000000000 +0200
@@ -0,0 +1,161 @@
+From 7aa556c043fbda5c3b499cf7ec1bb0e3b30e1b65 Mon Sep 17 00:00:00 2001
+From: fujiwarat <takao.fujiwara1@gmail.com>
+Date: Tue, 03 Sep 2019 19:06:52 +0900
+Subject: [PATCH] bus: Implement GDBusAuthObserver callback
+
+ibus uses a GDBusServer with G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS,
+and doesn't set a GDBusAuthObserver, which allows anyone who can connect
+to its AF_UNIX socket to authenticate and be authorized to send method calls.
+It also seems to use an abstract AF_UNIX socket, which does not have
+filesystem permissions, so the practical effect might be that a local
+attacker can connect to another user's ibus service and make arbitrary
+method calls.
+
+BUGS=rhbz#1717958
+[Salvatore Bonaccorso: Backport to 1.5.19
+ - Adjust for context changes
+ - Drop update to copyright statements
+]
+---
+
+--- a/bus/server.c
++++ b/bus/server.c
+@@ -70,16 +71,63 @@ _restart_server (void)
+ }
+
+ /**
++ * bus_allow_mechanism_cb:
++ * @observer: A #GDBusAuthObserver.
++ * @mechanism: The name of the mechanism.
++ * @user_data: always %NULL.
++ *
++ * Check if @mechanism can be used to authenticate the other peer.
++ * Returns: %TRUE if the peer's mechanism is allowed.
++ */
++static gboolean
++bus_allow_mechanism_cb (GDBusAuthObserver *observer,
++ const gchar *mechanism,
++ G_GNUC_UNUSED gpointer user_data)
++{
++ if (g_strcmp0 (mechanism, "EXTERNAL") == 0)
++ return TRUE;
++ return FALSE;
++}
++
++/**
++ * bus_authorize_authenticated_peer_cb:
++ * @observer: A #GDBusAuthObserver.
++ * @stream: A #GIOStream.
++ * @credentials: A #GCredentials.
++ * @user_data: always %NULL.
++ *
++ * Check if a peer who has already authenticated should be authorized.
++ * Returns: %TRUE if the peer's credential is authorized.
++ */
++static gboolean
++bus_authorize_authenticated_peer_cb (GDBusAuthObserver *observer,
++ GIOStream *stream,
++ GCredentials *credentials,
++ G_GNUC_UNUSED gpointer user_data)
++{
++ gboolean authorized = FALSE;
++ if (credentials) {
++ GCredentials *own_credentials = g_credentials_new ();
++ if (g_credentials_is_same_user (credentials, own_credentials, NULL))
++ authorized = TRUE;
++ g_object_unref (own_credentials);
++ }
++ return authorized;
++}
++
++/**
+ * bus_new_connection_cb:
+- * @user_data: always NULL.
+- * @returns: TRUE when the function can handle the connection.
++ * @observer: A #GDBusAuthObserver.
++ * @dbus_connection: A #GDBusconnection.
++ * @user_data: always %NULL.
+ *
+ * Handle incoming connections.
++ * Returns: %TRUE when the function can handle the connection.
+ */
+ static gboolean
+-bus_new_connection_cb (GDBusServer *server,
+- GDBusConnection *dbus_connection,
+- gpointer user_data)
++bus_new_connection_cb (GDBusServer *server,
++ GDBusConnection *dbus_connection,
++ G_GNUC_UNUSED gpointer user_data)
+ {
+ BusConnection *connection = bus_connection_new (dbus_connection);
+ bus_dbus_impl_new_connection (dbus, connection);
+@@ -94,9 +142,9 @@ bus_new_connection_cb (GDBusServer *
+ }
+
+ static void
+-_server_connect_start_portal_cb (GObject *source_object,
+- GAsyncResult *res,
+- gpointer user_data)
++_server_connect_start_portal_cb (GObject *source_object,
++ GAsyncResult *res,
++ G_GNUC_UNUSED gpointer user_data)
+ {
+ GVariant *result;
+ GError *error = NULL;
+@@ -113,9 +161,9 @@ _server_connect_start_portal_cb (GObject
+ }
+
+ static void
+-bus_acquired_handler (GDBusConnection *connection,
+- const gchar *name,
+- gpointer user_data)
++bus_acquired_handler (GDBusConnection *connection,
++ const gchar *name,
++ G_GNUC_UNUSED gpointer user_data)
+ {
+ g_dbus_connection_call (connection,
+ IBUS_SERVICE_PORTAL,
+@@ -136,14 +184,17 @@ void
+ bus_server_init (void)
+ {
+ GError *error = NULL;
++ GDBusServerFlags flags = G_DBUS_SERVER_FLAGS_NONE;
++ gchar *guid;
++ GDBusAuthObserver *observer;
+
+ dbus = bus_dbus_impl_get_default ();
+ ibus = bus_ibus_impl_get_default ();
+ bus_dbus_impl_register_object (dbus, (IBusService *)ibus);
+
+ /* init server */
+- GDBusServerFlags flags = G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS;
+- gchar *guid = g_dbus_generate_guid ();
++ guid = g_dbus_generate_guid ();
++ observer = g_dbus_auth_observer_new ();
+ if (!g_str_has_prefix (g_address, "unix:tmpdir=")) {
+ g_error ("Your socket address does not have the format unix:tmpdir=$DIR; %s",
+ g_address);
+@@ -151,7 +202,7 @@ bus_server_init (void)
+ server = g_dbus_server_new_sync (
+ g_address, /* the place where the socket file lives, e.g. /tmp, abstract namespace, etc. */
+ flags, guid,
+- NULL /* observer */,
++ observer,
+ NULL /* cancellable */,
+ &error);
+ if (server == NULL) {
+@@ -161,7 +212,13 @@ bus_server_init (void)
+ }
+ g_free (guid);
+
+- g_signal_connect (server, "new-connection", G_CALLBACK (bus_new_connection_cb), NULL);
++ g_signal_connect (observer, "allow-mechanism",
++ G_CALLBACK (bus_allow_mechanism_cb), NULL);
++ g_signal_connect (observer, "authorize-authenticated-peer",
++ G_CALLBACK (bus_authorize_authenticated_peer_cb), NULL);
++ g_object_unref (observer);
++ g_signal_connect (server, "new-connection",
++ G_CALLBACK (bus_new_connection_cb), NULL);
+
+ g_dbus_server_start (server);
+
diff -Nru ibus-1.5.19/debian/patches/series ibus-1.5.19/debian/patches/series
--- ibus-1.5.19/debian/patches/series 2019-02-17 07:13:18.000000000 +0100
+++ ibus-1.5.19/debian/patches/series 2019-09-10 23:22:14.000000000 +0200
@@ -2,3 +2,4 @@
dconf-Use-dbus-run-session-to-set-up-dconf-overrides.patch
dconf-Create-a-temporary-XDG_RUNTIME_DIR.patch
wayland.patch
+CVE-2019-14822.patch
Reply to: