Package: ibus / 1.5.14-3+deb9u2

Metadata

Package: ibus
Version: 1.5.14-3+deb9u2
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
ibus-xx-f19-password.patch

client/gtk3/ibusimcontext.c | 12 (12 +, 0 -, 0 !)
1 file changed, 12 insertions(+)

 sed s/gtk2/gtk3/g ibus-xx-f19-password.patch

ibus-xx-setup-frequent-lang.patch

data/ibus.schemas.in | 168 (168 +, 0 -, 0 !)
setup/enginecombobox.py | 150 (125 +, 25 -, 0 !)
2 files changed, 293 insertions(+), 25 deletions(-)

 [patch] enable ibus-setup to show the frequently used languages
 only in IME list.


CVE-2019-14822.patch

bus/server.c | 75 (66 +, 9 -, 0 !)
1 file changed, 66 insertions(+), 9 deletions(-)

 [patch] bus: implement gdbusauthobserver callback

ibus uses a GDBusServer with G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS,
and doesn't set a GDBusAuthObserver, which allows anyone who can connect
to its AF_UNIX socket to authenticate and be authorized to send method calls.
It also seems to use an abstract AF_UNIX socket, which does not have
filesystem permissions, so the practical effect might be that a local
attacker can connect to another user's ibus service and make arbitrary
method calls.

BUGS=rhbz#1717958
[Salvatore Bonaccorso: Backport to 1.5.19
 - Adjust for context changes
 - Drop update to copyright statements
]
[Salvatore Bonaccorso: Backport to 1.5.14
 - Adjust for context changes
 - Drop hunks marking user_data with G_GNUC_UNUSED for
   _server_connect_start_portal_cb and bus_acquired_handler as not
   present in 1.5.14.
]