IBus no longer works in Qt applications after upgrade

Bug #1844853 reported by Adam Kastner on 2019-09-21
26
This bug affects 3 people
Affects Status Importance Assigned to Milestone
GLib
Fix Released
Unknown
ibus
Fix Released
Unknown
glib2.0 (Debian)
Fix Released
Unknown
glib2.0 (Ubuntu)
Status tracked in Focal
Xenial
High
Gunnar Hjalmarsson
Bionic
High
Gunnar Hjalmarsson
Disco
High
Gunnar Hjalmarsson
Eoan
High
Gunnar Hjalmarsson
Focal
High
Unassigned
ibus (Ubuntu)
Status tracked in Focal
Focal
High
Unassigned

Bug Description

[Impact]

IBus was broken for Qt applications as a regression due to the fix of CVE-2019-14822. As a result the IBus patch was disabled temporarily, which fixed IBus from a usability POV.

The real fix has been made in glib2.0, and the updates in -proposed will allow the IBus patch to be re-enabled.

[Test Case]

 * On a standard Ubuntu {eoan,disco,bionic,xenial} installation
   - Upgrade the glib2.0 packages from
     {eoan,disco,bionic,xenial}-proposed
   - Upgrade the ibus packages from
     https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa
   - Install some IBus input method, e.g. ibus-libpinyin
   - Install some Qt application, e.g. Kate

* Relogin (maybe reboot)

* Add the input method to the input sources

* Open the Qt app and try to input something using the IBus IM

=> Find that the transliteration works as expected

[Regression Potential]

The applicable patches origin from glib upstream:
https://gitlab.gnome.org/GNOME/glib/merge_requests/1176
Consequently the changes have been reviewed by the glib maintainer, but also tested by the IBus maintainer, by me (gunnarhj), and - of course - the author Simon McVittie. The changes have been in Debian unstable since 2019-10-30.

[Original description]

Kubuntu Release 18.04.3 LTS

Expected behavior:
ibus continues working as before after applying security update 1.5.17-ubuntu5.1 from version 1.5.17-ubuntu5.

Observed behavior:
ibus is not usable anymore in Qt applications.

After updating ibus and the related packages ibus-gtk, ibus-gtk3, libibus-1.0-5 and gir1.2-ibus-1.0 all from version 1.5.17-ubuntu5 to 1.5.17-ubuntu5.1, I can no longer use ibus in Qt applications. Using shift-space no longer changes the selected input method and even when i switch to the mozc input method in a gtk application, i can not use it in any Qt applications.
When starting qtconfig in a terminal, I also get the following message:

Bus::open: Connect ibus failed!
IBusInputContext::createInputContext: no connection to ibus-daemon

This bug was not present in version 1.5.17-3ubuntu5 and I also confirmed that downgrading the packages to version 1.5.17-3ubuntu4 restores ibus functionality in Qt applications.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: ibus 1.5.17-3ubuntu5.1
ProcVersionSignature: Ubuntu 5.0.0-30.32~18.04.1-generic 5.0.21
Uname: Linux 5.0.0-30-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.9-0ubuntu7.7
Architecture: amd64
CurrentDesktop: KDE
Date: Sat Sep 21 07:58:56 2019
InstallationDate: Installed on 2019-06-28 (84 days ago)
InstallationMedia: Kubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210)
SourcePackage: ibus
UpgradeStatus: No upgrade log present (probably fresh install)

CVE References

Adam Kastner (adamkast) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ibus (Ubuntu):
status: New → Confirmed
tags: added: regression-update
Changed in ibus (Ubuntu):
importance: Undecided → High
Changed in ibus:
status: Unknown → New
Gunnar Hjalmarsson (gunnarhj) wrote :

The problem is not bionic specific (ibus 1.5.17). Myself has confirmed it both on 19.04 (with ibus 1.5.19) and 19.10 (with ibus 1.5.21).

So the upstream commit which was backported breaks Qt, and AFAIK the problem hasn't been resolved upstream yet.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ibus - 1.5.11-1ubuntu2.3

---------------
ibus (1.5.11-1ubuntu2.3) xenial-security; urgency=medium

  * SECURITY UPDATE: ibus regression in Qt applications (LP: #1844853)
    - debian/patches/CVE-2019-14822.patch: disabled pending further
      investigation.

 -- Marc Deslauriers <email address hidden> Mon, 23 Sep 2019 13:31:22 +0200

Changed in ibus (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ibus - 1.5.17-3ubuntu5.2

---------------
ibus (1.5.17-3ubuntu5.2) bionic-security; urgency=medium

  * SECURITY UPDATE: ibus regression in Qt applications (LP: #1844853)
    - debian/patches/CVE-2019-14822.patch: disabled pending further
      investigation.

 -- Marc Deslauriers <email address hidden> Mon, 23 Sep 2019 13:30:51 +0200

Changed in ibus (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ibus - 1.5.19-1ubuntu2.2

---------------
ibus (1.5.19-1ubuntu2.2) disco-security; urgency=medium

  * SECURITY UPDATE: ibus regression in Qt applications (LP: #1844853)
    - debian/patches/CVE-2019-14822.patch: disabled pending further
      investigation.

 -- Marc Deslauriers <email address hidden> Mon, 23 Sep 2019 13:29:28 +0200

Changed in ibus (Ubuntu):
status: Confirmed → Fix Released
Changed in ibus:
status: New → Fix Released
Gunnar Hjalmarsson (gunnarhj) wrote :

On 2019-09-25 03:13, Bug Watch Updater wrote:
> ** Changed in: ibus
> Status: New => Fix Released

There is no upstream fix yet. The upstream issue was closed by mistake.

Changed in ibus (Debian):
status: Unknown → Confirmed
Changed in ibus:
status: Fix Released → New
Archisman Panigrahi (apandada1) wrote :

The issue is present in ibus version 1.5.17-3ubuntu5.2 running in KDE Neon (based on Ubuntu 18.04)

Changed in ibus:
status: New → Fix Released
Changed in glib2.0 (Ubuntu):
importance: Undecided → High
status: New → Confirmed
Changed in glib:
status: Unknown → New
Changed in glib:
status: New → Fix Released
affects: ibus (Debian) → glib2.0 (Debian)
Changed in glib2.0 (Debian):
status: Confirmed → Fix Released
Changed in glib2.0 (Ubuntu):
status: Confirmed → Fix Committed
description: updated
no longer affects: ibus (Ubuntu Xenial)
no longer affects: ibus (Ubuntu Bionic)
no longer affects: ibus (Ubuntu Disco)
no longer affects: ibus (Ubuntu Eoan)
Changed in glib2.0 (Ubuntu Xenial):
assignee: nobody → Gunnar Hjalmarsson (gunnarhj)
importance: Undecided → High
status: New → In Progress
Changed in glib2.0 (Ubuntu Bionic):
assignee: nobody → Gunnar Hjalmarsson (gunnarhj)
importance: Undecided → High
status: New → In Progress
Changed in glib2.0 (Ubuntu Disco):
assignee: nobody → Gunnar Hjalmarsson (gunnarhj)
importance: Undecided → High
status: New → In Progress
Changed in glib2.0 (Ubuntu Eoan):
assignee: nobody → Gunnar Hjalmarsson (gunnarhj)
importance: Undecided → High
status: New → In Progress
Gunnar Hjalmarsson (gunnarhj) wrote :

Hmm.. Since the security team plans to let the ibus packages break on previous libglib2.0-0, I dropped the step in the test case to reproduce the previous bug.

description: updated
Iain Lane (laney) wrote :

I've sponsored all the SRUs now. I also backported the testcase for bionic. On xenial the same testcase *hangs*. That is likely to be due to some assumptions about gdbus that aren't true back then, but be sure to verify this release extra carefully.

description: updated
Alex Murray (alexmurray) wrote :

@gunnarhj - updated packages for ibus are now available in the ubuntu-security-proposed PPA at https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa

Also I note the bug descriptions lists ibus in Focal as Fix Released - but the latest version in focal (1.5.21-1~exp2ubuntu2) is the one with the patch reverted - would you like me to upload an updated focal version as well to the above PPA?

Gunnar Hjalmarsson (gunnarhj) wrote :

Thanks Alex!

On 2019-11-04 02:55, Alex Murray wrote:
> Also I note the bug descriptions lists ibus in Focal as Fix Released
> - but the latest version in focal (1.5.21-1~exp2ubuntu2) is the one
> with the patch reverted

Yeah.. ibus without specified series was marked "Fix Released" when the CVE patch was disabled, and when I targeted to series for glib2.0, it happened for ibus too (I removed all series bug focal). So there is really no message in it.

> would you like me to upload an updated focal version as well to the
> above PPA?

It's not needed for the SRU verification. Alternatively you could just upload to focal as soon as glib2.0 2.62.2-2 makes it to focal-release (it's stuck in -proposed right now).

(On IRC I was also talking about another ibus change in focal, which will require an apparmor change, but let's deal with that separately to not complicate things too much.)

Hello Adam, or anyone else affected,

Accepted glib2.0 into eoan-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/glib2.0/2.62.2-2~ubuntu19.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-eoan to verification-done-eoan. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-eoan. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in glib2.0 (Ubuntu Eoan):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-eoan
Łukasz Zemczak (sil2100) wrote :

Hello Adam, or anyone else affected,

Accepted glib2.0 into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/glib2.0/2.56.4-0ubuntu0.18.04.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in glib2.0 (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Gunnar Hjalmarsson (gunnarhj) wrote :

I verified the test case using
- version 2.62.2-2~ubuntu19.10.1 of libglib2.0-{0,bin,data} from
  eoan-proposed
- version 1.5.21-1~exp2ubuntu2.1 of the ibus packages from
  ppa:ubuntu-security-proposed/ppa

Could successfully input Bangla characters in Kate using ibus-avro.

tags: added: verification-done-eoan
removed: verification-needed-eoan

All autopkgtests for the newly accepted glib2.0 (2.56.4-0ubuntu0.18.04.5) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

gvfs/1.36.1-0ubuntu1.3.3 (ppc64el, amd64)
cairo/unknown (armhf)
firefox/70.0.1+build1-0ubuntu0.18.04.1 (armhf)
pinentry/1.1.0-1 (amd64)
policykit-1/unknown (armhf)
systemd/237-3ubuntu10.31 (s390x)
cmake-extras/1.3+17.04.20170310-1ubuntu4 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#glib2.0

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted glib2.0 (2.62.2-2~ubuntu19.10.1) for eoan have finished running.
The following regressions have been reported in tests triggered by the package:

indicator-session/17.3.20+19.10.20190921-0ubuntu1 (arm64)
sbd/1.4.0-18-g5e3283c-1ubuntu1 (i386)
cairo/unknown (armhf)
netplan.io/0.98-0ubuntu1 (ppc64el)
apport/2.20.11-0ubuntu8.2 (amd64)
snapd-glib/unknown (armhf)
firefox/70.0.1+build1-0ubuntu0.19.10.1 (armhf)
bumblebee/unknown (armhf)
glib2.0/2.62.2-2~ubuntu19.10.1 (i386)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/eoan/update_excuses.html#glib2.0

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Hello Adam, or anyone else affected,

Accepted glib2.0 into disco-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/glib2.0/2.60.4-0ubuntu0.19.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-disco to verification-done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-disco. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in glib2.0 (Ubuntu Disco):
status: In Progress → Fix Committed
tags: added: verification-needed-disco
Timo Aaltonen (tjaalton) wrote :

Hello Adam, or anyone else affected,

Accepted glib2.0 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/glib2.0/2.48.2-0ubuntu4.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in glib2.0 (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial

All autopkgtests for the newly accepted glib2.0 (2.48.2-0ubuntu4.5) for xenial have finished running.
The following regressions have been reported in tests triggered by the package:

gvfs/1.28.2-1ubuntu1~16.04.3 (s390x)
dbus-test-runner/15.04.0+15.10.20151002-0ubuntu1 (arm64)
libreoffice/1:5.1.6~rc2-0ubuntu1~xenial10 (i386)
libglib-object-introspection-perl/0.040-2 (armhf)
network-manager/1.2.6-0ubuntu0.16.04.3 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/xenial/update_excuses.html#glib2.0

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted glib2.0 (2.60.4-0ubuntu0.19.04.2) for disco have finished running.
The following regressions have been reported in tests triggered by the package:

apport/2.20.10-0ubuntu27.3 (i386, amd64)
awesome/4.3-4 (armhf)
graphviz/unknown (armhf)
vlc/unknown (armhf)
systemd/240-6ubuntu5.7 (i386, amd64)
umockdev/0.12.1-2 (amd64)
udisks2/2.8.2-1 (arm64)
gtk+3.0/3.24.8-1ubuntu1 (armhf)
glib2.0/2.60.4-0ubuntu0.19.04.2 (i386)
sbd/1.3.1-4 (i386)
firefox/70.0.1+build1-0ubuntu0.19.04.1 (armhf)
lazarus/unknown (armhf)
dbus-test-runner/15.04.0+19.04.20190115-0ubuntu1 (ppc64el)
gvfs/1.40.1-1ubuntu0.1 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/disco/update_excuses.html#glib2.0

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Changed in glib2.0 (Ubuntu Focal):
status: Fix Committed → Fix Released

Hello Adam, or anyone else affected,

Accepted glib2.0 into eoan-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/glib2.0/2.62.3-2~ubuntu19.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-eoan to verification-done-eoan. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-eoan. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed-eoan
removed: verification-done-eoan

All autopkgtests for the newly accepted glib2.0 (2.62.3-2~ubuntu19.10.1) for eoan have finished running.
The following regressions have been reported in tests triggered by the package:

automake-1.16/1:1.16.1-4ubuntu3 (s390x)
libreoffice/1:6.3.4-0ubuntu0.19.10.1 (ppc64el)
umockdev/0.13.2-1 (armhf, i386)
asterisk/1:16.2.1~dfsg-2build2 (arm64)
tracker/2.3.0-1 (armhf)
glib2.0/2.62.3-2~ubuntu19.10.1 (i386)
cmake-extras/1.3+17.04.20170310-5 (armhf)
netplan.io/0.98-0ubuntu1 (ppc64el, i386)
dbus-test-runner/15.04.0+19.04.20190115-0ubuntu1 (armhf, i386)
sbd/1.4.0-18-g5e3283c-1ubuntu1 (amd64, i386)
ocaml-cairo2/unknown (armhf)
netplan.io/unknown (armhf)
gvfs/1.42.1-1ubuntu1 (arm64)
openssh/1:8.0p1-6build1 (amd64, armhf, arm64, s390x, i386, ppc64el)
snapd-glib/1.49-0ubuntu1.19.10.0 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/eoan/update_excuses.html#glib2.0

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.