Bug 11702 - ibus new security issue CVE-2013-4509
Summary: ibus new security issue CVE-2013-4509
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Funda Wang
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/574207/
Whiteboard:
Keywords:
Depends on:
Blocks: 11726
Reported: 2013-11-18 22:09 CET by David Walser
Modified: 2014-01-26 23:18 CET
0 users

See Also:
Source RPM: ibus-1.5.4-2.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2013-11-18 22:09:50 CET
OpenSuSE has issued an advisory on November 15:
http://lists.opensuse.org/opensuse-updates/2013-11/msg00036.html

It appears that ibus 1.5.4 needs an additional patch from upstream:
https://bugzilla.novell.com/show_bug.cgi?id=847718#c6

It's not clear whether Mageia 2 or Mageia 3 are affected.

Reproducible: 

Steps to Reproduce:

Comment 1 David Walser 2013-11-19 19:31:48 CET
Fixed in ibus-1.5.4-4.mga4 by Funda.  Thanks!

The RedHat bug suggests it may have affected 1.5.2, but doesn't say anything about 1.5.1 (in Mageia 3), so I'll close this.  Feel free to reopen if it affects 1.5.1.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 2 David Walser 2013-11-19 19:32:14 CET
Forgot the RH bug link:
https://bugzilla.redhat.com/show_bug.cgi?id=1027028

Comment 3 David Walser 2013-11-20 21:54:02 CET
Fedora has also issued an advisory for this for ibus-pinyin:
https://lists.fedoraproject.org/pipermail/package-announce/2013-November/122205.html

They added this patch:
http://pkgs.fedoraproject.org/cgit/ibus-pinyin.git/plain/ibus-pinyin-support-set-content-type-method.patch?id=2407816e9db27e35ba1b3a6c8e18453237a48fad

We also have ibus-pinyin 1.5.0 in Mageia 3, so it may need to be patched as well.

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 4 David Walser 2013-11-21 12:52:37 CET
ibus-pinyin fixed for Cauldron in ibus-pinyin-1.5.0-4.mga4.  Thanks Funda.

Comment 5 David Walser 2014-01-15 18:55:17 CET
OpenSuSE has issued an advisory for this for ibus-chewing:
http://lists.opensuse.org/opensuse-updates/2014-01/msg00045.html

Their bug notes that it's fixed in 1.4.4 and links to the git commit:
https://bugzilla.novell.com/show_bug.cgi?id=847718#c24

David Walser 2014-01-23 20:18:50 CET

Blocks: (none) => 11726

Comment 7 David Walser 2014-01-26 22:36:03 CET
ibus-chewing 1.4.7 has some build fixes for RHEL7 from RedHat.  Updated in SVN and freeze push requested.

RedHat and SuSE's bugs also note that ibus-anthy is affected, and it's fixed in 1.5.4.  We currently have 1.5.3 in Cauldron.  I've updated to 1.5.4 in SVN and also requested a freeze push for it.

Comment 8 David Walser 2014-01-26 22:38:20 CET
RedHat's bug also says that you need at least ibus version 1.5.2 to be affected by the issues in any of these packages.  Mageia 3 has ibus 1.5.1, so Mageia 3 shouldn't be affected.  This bug can be closed once ibus-chewing and ibus-anthy are pushed in Cauldron.

Comment 9 David Walser 2014-01-26 23:18:47 CET
ibus-chewing-1.4.7-1.mga4 and ibus-anthy-1.5.4-1.mga4 uploaded for Cauldron.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

