[Bug 847718] New: Typed password on the GNOME lock screen is not hidden if IBus is active
https://bugzilla.novell.com/show_bug.cgi?id=847718#c0

Summary: Typed password on the GNOME lock screen is not hidden if IBus is active
Classification: openSUSE
Product: openSUSE 13.1
Version: RC 1
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: GNOME
AssignedTo: bnc-team-gnome@forge.provo.novell.com
ReportedBy: ftake@geeko.jp
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.8.5) Presto/2.12.388 Version/12.16

IBus 1.5.4 now supports input purpose to control how typed characters are shown on the password box. However, IBus engines that do not support this change may show typed characters on the password box of the GNOME lock screen if they are active:
https://groups.google.com/forum/#!topic/ibus-user/mvCHDO1BJUw

This problem affects, at least, the following IBus engines:
- ibus-mozc (The upstream provides a patch to fix this)
- ibus-anthy (fixed in 1.5.4)
- ibus-pinyin
- ibus-chewing

Reproducible: Always

Steps to Reproduce:
1. Activate IBus engines above
2. Lock screen
3. Type keys on password box

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=847718

Fuminobu Takeyama <ftake@geeko.jp> changed:

What        |Removed                                |Added
----------------------------------------------------------------------------
AssignedTo  |bnc-team-gnome@forge.provo.novell.com  |ftake@geeko.jp

https://bugzilla.novell.com/show_bug.cgi?id=847718#c1

Takashi Iwai <tiwai@suse.com> changed:

What  |Removed  |Added
----------------------------------------------------------------------------
CC    |         |security-team@suse.de, tiwai@suse.com

--- Comment #1 from Takashi Iwai <tiwai@suse.com> 2013-10-25 17:44:30 UTC ---
Sounds like a serious security issue to me. Added security team to Cc.

https://bugzilla.novell.com/show_bug.cgi?id=847718#c2

--- Comment #2 from Kurt Seifried <kseifried@redhat.com> 2013-10-25 23:57:04 UTC ---
Can someone from the SuSE security team confirm this? If so I'll assign a CVE for this.

https://bugzilla.novell.com/show_bug.cgi?id=847718#c3

--- Comment #3 from Fuminobu Takeyama <ftake@geeko.jp> 2013-10-26 06:11:59 UTC ---
I have tested other engines.

All typed characters are shown (but converted to Chinese characters etc):
- ibus-mozc (The upstream provides a patch to fix this)
  http://code.google.com/p/mozc/issues/detail?id=199
- ibus-anthy (fixed in 1.5.4)
- ibus-pinyin
- ibus-chewing

Only the last character is shown, like IM on tablets or smart phones:
- ibus-m17n
- ibus-hangul

No effect:
- ibus-input-pad

This commit log in ibus-anthy will be helpful to fix other engines.
https://github.com/ibus/ibus-anthy/commit/6aae0a9f145f536515e268dd6b25aa740a...

+ if self.__has_input_purpose and \ + self.__input_purpose == IBus.InputPurpose.PASSWORD: + return False

Workarounds:
Users should confirm the current engine is an xkb:* engine or anthy/mozc is in direct input mode before typing a password on the GNOME lock screen.

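Review bot: the `self.__has_input_purpose and` guard on the first added line means the `return False` is never reached when that flag is false, so on that path keys typed into a password field are still handled by the engine as before. A comment beside the condition should say when `__has_input_purpose` is false and that password entries get no protection in that case; the excerpt also does not show which method these lines sit in, so it would help to note what returning `False` tells the caller.
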
https://bugzilla.novell.com/show_bug.cgi?id=847718#c4

--- Comment #4 from Fuminobu Takeyama <ftake@geeko.jp> 2013-10-26 06:15:23 UTC ---
(In reply to comment #2)
> Can someone from the SuSE security team confirm this? If so I'll assign a CVE for this.

As far as I know, nobody has not yet.

https://bugzilla.novell.com/show_bug.cgi?id=847718#c5

--- Comment #5 from Fuminobu Takeyama <ftake@geeko.jp> 2013-10-26 15:21:17 UTC ---
<del>As far as I know, nobody has not yet.</del>
As far as I know, nobody from the security team has confirmed yet.

I prepared a repository and updated ibus-mozc and ibus-anthy for submitting to 13.1:Update
https://build.opensuse.org/project/show/home:ftake:branches:openSUSE:13.1

https://bugzilla.novell.com/show_bug.cgi?id=847718#c6

--- Comment #6 from Fuminobu Takeyama <ftake@geeko.jp> 2013-10-28 15:39:53 UTC ---
It seems that we need another patch for ibus:
https://bugzilla.redhat.com/show_bug.cgi?id=1013948

ibus 1.5.4 does not include this commit:
https://github.com/ibus/ibus/commit/9596aea2e2df4cd3ac9b795ad9f354723cf83317

https://bugzilla.novell.com/show_bug.cgi?id=847718#c7

--- Comment #7 from Takashi Iwai <tiwai@suse.com> 2013-10-31 14:33:22 UTC ---
I confirmed the issue on freshly installed 13.1-RC2 on KVM. The repo in comment 5 fixes the issue with mozc, at least. Didn't test other IMs yet, though.

The fix mentioned in comment 6 is just to make the ibus-side content type delegation more consistent. I quickly applied a fix and tested, it seems working, at least nothing worse. Now ibus is submitted to M17N via SRID 205368.

Of course, this ibus fix does anything useful unless the IM engines support the IBus.InputPurpose.PASSWORD check.

Takeyama-san, could you submit your fixes? I don't think these fixes would conflict if anything fundamental will be fixed later in the ibus core side.

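A simplified model of the point made in comments 6 and 7, added here as an example (it is not code from IBus or from any engine): the password stays hidden only when the IBus core forwards the entry's input purpose and the engine checks it. `MaskedEntry`, `Engine`, `type_password` and `leaks` are hypothetical names, `InputPurpose` is a stand-in for `IBus.InputPurpose`, and the model assumes the leak is the engine's composing text being drawn unmasked.

```python
from enum import Enum


class InputPurpose(Enum):
    """Stand-in for IBus.InputPurpose; constructed for this model."""
    FREE_FORM = 0
    PASSWORD = 1


class MaskedEntry:
    """Password box: committed text is masked, composing text is drawn as typed."""

    def __init__(self):
        self.committed = ""
        self.preedit = ""

    def visible(self):
        return "*" * len(self.committed) + self.preedit


class Engine:
    """Toy input-method engine that buffers keys as composing text."""

    def __init__(self, checks_purpose):
        self.checks_purpose = checks_purpose
        self.purpose = InputPurpose.FREE_FORM
        self.buffer = ""

    def set_content_type(self, purpose):
        self.purpose = purpose

    def process_key_event(self, char):
        # Engine-side half of the fix: decline the key on password fields.
        if self.checks_purpose and self.purpose is InputPurpose.PASSWORD:
            return False
        self.buffer += char
        return True


def type_password(core_delegates, engine_checks, password):
    """Return what the entry shows after each key press."""
    entry, engine = MaskedEntry(), Engine(engine_checks)
    # Core-side half: the entry's purpose reaches the engine only if forwarded.
    if core_delegates:
        engine.set_content_type(InputPurpose.PASSWORD)
    frames = []
    for char in password:
        if engine.process_key_event(char):
            entry.preedit = engine.buffer   # engine draws it in clear text
        else:
            entry.committed += char         # widget receives the key and masks it
        frames.append(entry.visible())
    return frames


def leaks(frames, password):
    """True if any typed character was ever readable on screen."""
    return any(c in frame for frame in frames for c in password)


if __name__ == "__main__":
    secret = "hunter2"  # constructed sample input
    for core in (False, True):
        for eng in (False, True):
            shown = type_password(core, eng, secret)
            print(f"core forwards={core!s:5} engine checks={eng!s:5} "
                  f"last frame={shown[-1]!r} leaks={leaks(shown, secret)}")
```
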
https://bugzilla.novell.com/show_bug.cgi?id=847718#c8

--- Comment #8 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-10-31 17:00:24 CET ---
This is an autogenerated message for OBS integration:
This bug (847718) was mentioned in
https://build.opensuse.org/request/show/205379 Factory / ibus

https://bugzilla.novell.com/show_bug.cgi?id=847718#c9

--- Comment #9 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-11-01 10:00:29 CET ---
This is an autogenerated message for OBS integration:
This bug (847718) was mentioned in
https://build.opensuse.org/request/show/205491 13.1 / mozc
https://build.opensuse.org/request/show/205492 13.1 / ibus.openSUSE_13.1
https://build.opensuse.org/request/show/205493 13.1 / ibus-anthy

https://bugzilla.novell.com/show_bug.cgi?id=847718

Marcus Meissner <meissner@suse.com> changed:

What     |Removed / Added
----------------------------------------------------------------------------
Summary  |Removed: Typed password on the GNOME lock screen is not hidden if IBus is active
         |Added:   VUL-0: ibus: Typed password on the GNOME lock screen is not hidden if IBus is active

https://bugzilla.novell.com/show_bug.cgi?id=847718#c10

--- Comment #10 from Fuminobu Takeyama <ftake@geeko.jp> 2013-11-01 13:53:41 UTC ---
(In reply to comment #7)
> Of course, this ibus fix does anything useful unless the IM engines support the IBus.InputPurpose.PASSWORD check.
> Takeyama-san, could you submit your fixes?

Sorry, I didn't notice your comment because Bugzilla didn't send any notification. As the message from OBS says, I have submitted updated packages to 13.1. I am waiting for the requests to be accepted.

https://bugzilla.novell.com/show_bug.cgi?id=847718#c11

Victor Pereira <vpereira@novell.com> changed:

What  |Removed  |Added
----------------------------------------------------------------------------
CC    |         |vpereira@novell.com

--- Comment #11 from Victor Pereira <vpereira@novell.com> 2013-11-01 14:31:18 UTC ---
do we have already a CVE assigned to it?

https://bugzilla.novell.com/show_bug.cgi?id=847718#c12

Swamp Workflow Management <swamp@suse.de> changed:

What      |Removed    |Added
----------------------------------------------------------------------------
Priority  |P5 - None  |P3 - Medium

--- Comment #12 from Swamp Workflow Management <swamp@suse.de> 2013-11-01 23:00:19 UTC ---
bugbot adjusting priority

https://bugzilla.novell.com/show_bug.cgi?id=847718#c13

Marcus Meissner <meissner@suse.com> changed:

What  |Removed  |Added
----------------------------------------------------------------------------
CC    |         |meissner@suse.com

--- Comment #13 from Marcus Meissner <meissner@suse.com> 2013-11-04 12:38:32 UTC ---
posted cve request on oss-sec

https://bugzilla.novell.com/show_bug.cgi?id=847718#c14

Fuminobu Takeyama <ftake@geeko.jp> changed:

What              |Removed  |Added
----------------------------------------------------------------------------
Target Milestone  |---      |Final

--- Comment #14 from Fuminobu Takeyama <ftake@geeko.jp> 2013-11-04 15:23:06 UTC ---
Can we put these fixes into 13.1 GM? IBus and Mozc have been checked in Factory, but I cannot see response from maintenance team.

https://bugzilla.novell.com/show_bug.cgi?id=847718

Victor Pereira <vpereira@novell.com> changed:

What     |Removed / Added
----------------------------------------------------------------------------
Summary  |Removed: VUL-0: ibus: Typed password on the GNOME lock screen is not hidden if IBus is active
         |Added:   VUL-0: CVE-2013-4509: ibus: Typed password on the GNOME lock screen is not hidden if IBus is active
Alias    |Added:   CVE-2013-4509

https://bugzilla.novell.com/show_bug.cgi?id=847718

Swamp Workflow Management <swamp@suse.de> changed:

What               |Removed  |Added
----------------------------------------------------------------------------
Status Whiteboard  |         |obs:running:2187:low

https://bugzilla.novell.com/show_bug.cgi?id=847718#c15

Benjamin Brunner <bbrunner@suse.com> changed:

What        |Removed  |Added
----------------------------------------------------------------------------
Status      |NEW      |RESOLVED
Resolution  |         |FIXED

--- Comment #15 from Benjamin Brunner <bbrunner@suse.com> 2013-11-14 16:09:13 CET ---
Mozc was already merged to openSUSE 13.1 GM, ibus and ibus-anthy are now released as maintenance update.

Resolved fixed.

https://bugzilla.novell.com/show_bug.cgi?id=847718#c16

Takashi Iwai <tiwai@suse.com> changed:

What        |Removed   |Added
----------------------------------------------------------------------------
Status      |RESOLVED  |REOPENED
Resolution  |FIXED     |

--- Comment #16 from Takashi Iwai <tiwai@suse.com> 2013-11-14 15:20:10 UTC ---
There are still other affected engines as Takeyama-san listed in the bug description. Namely, ibus-pinyin and ibus-chewing are unfixed. Also, ibus-m17n and ibus-hangul slightly suffer from the same problem (showing only the last character, though).

https://bugzilla.novell.com/show_bug.cgi?id=847718

Swamp Workflow Management <swamp@suse.de> changed:

What               |Removed               |Added
----------------------------------------------------------------------------
Status Whiteboard  |obs:running:2187:low  |

https://bugzilla.novell.com/show_bug.cgi?id=847718#c17

--- Comment #17 from Swamp Workflow Management <swamp@suse.de> 2013-11-15 18:06:09 UTC ---
openSUSE-SU-2013:1686-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 847718
CVE References: CVE-2013-4509
Sources used:
openSUSE 13.1 (src): ibus-1.5.4-4.1

https://bugzilla.novell.com/show_bug.cgi?id=847718#c18

--- Comment #18 from Swamp Workflow Management <swamp@suse.de> 2013-11-15 18:06:59 UTC ---
openSUSE-RU-2013:1689-1: An update that fixes one vulnerability is now available.

Category: recommended (low)
Bug References: 847718
CVE References: CVE-2013-4509
Sources used:
openSUSE 13.1 (src): ibus-anthy-1.5.4-2.4.1

https://bugzilla.novell.com/show_bug.cgi?id=847718#c19

--- Comment #19 from Takashi Iwai <tiwai@suse.com> 2013-11-21 07:37:01 UTC ---
Fedora fixed ibus-pinyin, so I took the fix patch. The package is being built on OBS home:tiwai:branches:M17N/ibus-pinyin. Can anyone test it quickly?

https://bugzilla.novell.com/show_bug.cgi?id=847718#c20

--- Comment #20 from Fuminobu Takeyama <ftake@geeko.jp> 2013-11-22 06:27:24 UTC ---
I have confirmed your patch fixed this issue under openSUSE 13.1.

Note: A report in Fedora
https://bugzilla.redhat.com/show_bug.cgi?id=1027028

https://bugzilla.novell.com/show_bug.cgi?id=847718#c21

--- Comment #21 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-11-22 08:00:11 CET ---
This is an autogenerated message for OBS integration:
This bug (847718) was mentioned in
https://build.opensuse.org/request/show/207901 Factory / ibus-pinyin

https://bugzilla.novell.com/show_bug.cgi?id=847718#c22

--- Comment #22 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-11-22 09:00:14 CET ---
This is an autogenerated message for OBS integration:
This bug (847718) was mentioned in
https://build.opensuse.org/request/show/207905 13.1 / ibus-pinyin+anthy

https://bugzilla.novell.com/show_bug.cgi?id=847718

Swamp Workflow Management <swamp@suse.de> changed:

What               |Removed  |Added
----------------------------------------------------------------------------
Status Whiteboard  |         |obs:running:2277:low

https://bugzilla.novell.com/show_bug.cgi?id=847718

Swamp Workflow Management <swamp@suse.de> changed:

What               |Removed               |Added
----------------------------------------------------------------------------
Status Whiteboard  |obs:running:2277:low  |

https://bugzilla.novell.com/show_bug.cgi?id=847718#c23

--- Comment #23 from Swamp Workflow Management <swamp@suse.de> 2013-12-04 20:04:28 UTC ---
openSUSE-SU-2013:1825-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 847718
CVE References: CVE-2013-4509
Sources used:
openSUSE 13.1 (src): ibus-pinyin-1.5.0-3.6.1

https://bugzilla.novell.com/show_bug.cgi?id=847718#c24

--- Comment #24 from Fuminobu Takeyama <ftake@geeko.jp> 2013-12-19 17:45:01 UTC ---
ibus-chewing: fixed in upstream 1.4.4
https://github.com/definite/ibus-chewing/commit/675f99f1aab33cb92a3010d7a3fa...

https://bugzilla.novell.com/show_bug.cgi?id=847718#c25

--- Comment #25 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-12-22 05:00:12 CET ---
This is an autogenerated message for OBS integration:
This bug (847718) was mentioned in
https://build.opensuse.org/request/show/211984 Factory / ibus-chewing

https://bugzilla.novell.com/show_bug.cgi?id=847718#c26

--- Comment #26 from Fuminobu Takeyama <ftake@geeko.jp> 2013-12-28 07:43:57 UTC ---
Can anyone (traditional Chinese users if possible) test this update?
https://build.opensuse.org/package/show/home:ftake:branches:openSUSE:13.1:Up...

https://bugzilla.novell.com/show_bug.cgi?id=847718

Swamp Workflow Management <swamp@suse.de> changed:

What               |Removed  |Added
----------------------------------------------------------------------------
Status Whiteboard  |         |obs:running:2464:moderate

https://bugzilla.novell.com/show_bug.cgi?id=847718#c27

Sebastian Krahmer <krahmer@suse.com> changed:

What        |Removed   |Added
----------------------------------------------------------------------------
Status      |REOPENED  |RESOLVED
Resolution  |          |FIXED

--- Comment #27 from Sebastian Krahmer <krahmer@suse.com> 2014-01-15 15:17:26 UTC ---
released

https://bugzilla.novell.com/show_bug.cgi?id=847718#c28

--- Comment #28 from Swamp Workflow Management <swamp@suse.de> 2014-01-15 16:04:24 UTC ---
openSUSE-SU-2014:0068-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 847718
CVE References: CVE-2013-4509
Sources used:
openSUSE 13.1 (src): ibus-chewing-1.4.3-4.4.1

http://bugzilla.novell.com/show_bug.cgi?id=847718

Swamp Workflow Management <swamp@suse.de> changed:

What        |Removed                    |Added
----------------------------------------------------------------------------
Whiteboard  |obs:running:2464:moderate  |