Bug 11702

Summary: ibus new security issue CVE-2013-4509
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Funda Wang <fundawang>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal    
Priority: Normal    
Version: Cauldron   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/574207/
Whiteboard:
Source RPM: ibus-1.5.4-2.mga4.src.rpm
CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 11726    

Description David Walser 2013-11-18 22:09:50 CET
OpenSuSE has issued an advisory on November 15:
http://lists.opensuse.org/opensuse-updates/2013-11/msg00036.html

It appears that ibus 1.5.4 needs an additional patch from upstream:
https://bugzilla.novell.com/show_bug.cgi?id=847718#c6

It's not clear whether Mageia 2 or Mageia 3 are affected.

Comment 1 David Walser 2013-11-19 19:31:48 CET
Fixed in ibus-1.5.4-4.mga4 by Funda.  Thanks!

The RedHat bug suggests it may have affected 1.5.2, but doesn't say anything about 1.5.1 (in Mageia 3), so I'll close this.  Feel free to reopen if it affects 1.5.1.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 2 David Walser 2013-11-19 19:32:14 CET
Forgot the RH bug link:
https://bugzilla.redhat.com/show_bug.cgi?id=1027028

Comment 3 David Walser 2013-11-20 21:54:02 CET
Fedora has also issued an advisory for this for ibus-pinyin:
https://lists.fedoraproject.org/pipermail/package-announce/2013-November/122205.html

They added this patch:
http://pkgs.fedoraproject.org/cgit/ibus-pinyin.git/plain/ibus-pinyin-support-set-content-type-method.patch?id=2407816e9db27e35ba1b3a6c8e18453237a48fad

We also have ibus-pinyin 1.5.0 in Mageia 3, so it may need to be patched as well.

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 4 David Walser 2013-11-21 12:52:37 CET
ibus-pinyin fixed for Cauldron in ibus-pinyin-1.5.0-4.mga4.  Thanks Funda.

Comment 5 David Walser 2014-01-15 18:55:17 CET
OpenSuSE has issued an advisory for this for ibus-chewing:
http://lists.opensuse.org/opensuse-updates/2014-01/msg00045.html

Their bug notes that it's fixed in 1.4.4 and links to the git commit:
https://bugzilla.novell.com/show_bug.cgi?id=847718#c24

David Walser 2014-01-23 20:18:50 CET

Blocks: (none) => 11726

Comment 7 David Walser 2014-01-26 22:36:03 CET
ibus-chewing 1.4.7 has some build fixes for RHEL7 from RedHat.  Updated in SVN and freeze push requested.

RedHat and SuSE's bugs also note that ibus-anthy is affected, and it's fixed in 1.5.4.  We currently have 1.5.3 in Cauldron.  I've updated to 1.5.4 in SVN and also requested a freeze push for it.

Comment 8 David Walser 2014-01-26 22:38:20 CET
RedHat's bug also says that you need at least ibus version 1.5.2 to be affected by the issues in any of these packages.  Mageia 3 has ibus 1.5.1, so Mageia 3 shouldn't be affected.  This bug can be closed once ibus-chewing and ibus-anthy are pushed in Cauldron.

Comment 9 David Walser 2014-01-26 23:18:47 CET
ibus-chewing-1.4.7-1.mga4 and ibus-anthy-1.5.4-1.mga4 uploaded for Cauldron.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED