IBus no longer works in Qt applications after upgrade

Bug #1844853 reported by Adam Kastner on 2019-09-21
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
GLib | Fix Released | Unknown | |
ibus | Fix Released | Unknown | |
glib2.0 (Debian) | Fix Released | Unknown | |
glib2.0 (Ubuntu) | Status tracked in Focal | | |
  Xenial | | High | Gunnar Hjalmarsson |
  Bionic | | High | Gunnar Hjalmarsson |
  Disco | | High | Gunnar Hjalmarsson |
  Eoan | | High | Gunnar Hjalmarsson |
  Focal | | High | Unassigned |
ibus (Ubuntu) | Status tracked in Focal | | |
  Focal | | High | Unassigned |

Bug Description

[Impact]

IBus was broken for Qt applications as a regression due to the fix of CVE-2019-14822. As a result the IBus patch was disabled temporarily, which fixed IBus from a usability POV.

The real fix has been made in glib2.0, and the updates in -proposed will allow the IBus patch to be re-enabled.

[Test Case]

 * On a standard Ubuntu {eoan,disco,bionic,xenial} installation
   - Upgrade the glib2.0 packages from
     {eoan,disco,bionic,xenial}-proposed
   - Upgrade the ibus packages from
     https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa
   - Install some IBus input method, e.g. ibus-libpinyin
   - Install some Qt application, e.g. Kate

 * Relogin (maybe reboot)

 * Add the input method to the input sources

 * Open the Qt app and try to input something using the IBus IM

 => Find that the transliteration works as expected

[Regression Potential]

The applicable patches originate from glib upstream:
https://gitlab.gnome.org/GNOME/glib/merge_requests/1176
Consequently the changes have been reviewed by the glib maintainer, but also tested by the IBus maintainer, by me (gunnarhj), and - of course - the author Simon McVittie. The changes have been in Debian unstable since 2019-10-30.

[Original description]

Kubuntu Release 18.04.3 LTS

Expected behavior:
ibus continues working as before after applying security update 1.5.17-ubuntu5.1 from version 1.5.17-ubuntu5.

Observed behavior:
ibus is not usable anymore in Qt applications.

After updating ibus and the related packages ibus-gtk, ibus-gtk3, libibus-1.0-5 and gir1.2-ibus-1.0 all from version 1.5.17-ubuntu5 to 1.5.17-ubuntu5.1, I can no longer use ibus in Qt applications. Using shift-space no longer changes the selected input method and even when I switch to the mozc input method in a gtk application, I cannot use it in any Qt applications.
When starting qtconfig in a terminal, I also get the following message:

Bus::open: Connect ibus failed!
IBusInputContext::createInputContext: no connection to ibus-daemon

This bug was not present in version 1.5.17-3ubuntu5 and I also confirmed that downgrading the packages to version 1.5.17-3ubuntu4 restores ibus functionality in Qt applications.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: ibus 1.5.17-3ubuntu5.1
ProcVersionSignature: Ubuntu 5.0.0-30.32~18.04.1-generic 5.0.21
Uname: Linux 5.0.0-30-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.9-0ubuntu7.7
Architecture: amd64
CurrentDesktop: KDE
Date: Sat Sep 21 07:58:56 2019
InstallationDate: Installed on 2019-06-28 (84 days ago)
InstallationMedia: Kubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210)
SourcePackage: ibus
UpgradeStatus: No upgrade log present (probably fresh install)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ibus (Ubuntu):
status: New → Confirmed
tags: added: regression-update
Changed in ibus (Ubuntu):
importance: Undecided → High
Changed in ibus:
status: Unknown → New
Gunnar Hjalmarsson (gunnarhj) wrote :

The problem is not bionic specific (ibus 1.5.17). I have confirmed it myself both on 19.04 (with ibus 1.5.19) and 19.10 (with ibus 1.5.21).

So the upstream commit which was backported breaks Qt, and AFAIK the problem hasn't been resolved upstream yet.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ibus - 1.5.11-1ubuntu2.3

---------------
ibus (1.5.11-1ubuntu2.3) xenial-security; urgency=medium

  * SECURITY UPDATE: ibus regression in Qt applications (LP: #1844853)
    - debian/patches/CVE-2019-14822.patch: disabled pending further
      investigation.

 -- Marc Deslauriers <email address hidden> Mon, 23 Sep 2019 13:31:22 +0200

Changed in ibus (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ibus - 1.5.17-3ubuntu5.2

---------------
ibus (1.5.17-3ubuntu5.2) bionic-security; urgency=medium

  * SECURITY UPDATE: ibus regression in Qt applications (LP: #1844853)
    - debian/patches/CVE-2019-14822.patch: disabled pending further
      investigation.

 -- Marc Deslauriers <email address hidden> Mon, 23 Sep 2019 13:30:51 +0200

Changed in ibus (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ibus - 1.5.19-1ubuntu2.2

---------------
ibus (1.5.19-1ubuntu2.2) disco-security; urgency=medium

  * SECURITY UPDATE: ibus regression in Qt applications (LP: #1844853)
    - debian/patches/CVE-2019-14822.patch: disabled pending further
      investigation.

 -- Marc Deslauriers <email address hidden> Mon, 23 Sep 2019 13:29:28 +0200

Changed in ibus (Ubuntu):
status: Confirmed → Fix Released
Changed in ibus:
status: New → Fix Released
Gunnar Hjalmarsson (gunnarhj) wrote :

On 2019-09-25 03:13, Bug Watch Updater wrote:
> ** Changed in: ibus
> Status: New => Fix Released

There is no upstream fix yet. The upstream issue was closed by mistake.

Changed in ibus (Debian):
status: Unknown → Confirmed
Changed in ibus:
status: Fix Released → New
Archisman Panigrahi (apandada1) wrote :

The issue is present in ibus version 1.5.17-3ubuntu5.2 running in KDE Neon (based on Ubuntu 18.04)

Changed in ibus:
status: New → Fix Released
Changed in glib2.0 (Ubuntu):
importance: Undecided → High
status: New → Confirmed
Changed in glib:
status: Unknown → New
Changed in glib:
status: New → Fix Released
affects: ibus (Debian) → glib2.0 (Debian)
Changed in glib2.0 (Debian):
status: Confirmed → Fix Released
Changed in glib2.0 (Ubuntu):
status: Confirmed → Fix Committed
description: updated
no longer affects: ibus (Ubuntu Xenial)
no longer affects: ibus (Ubuntu Bionic)
no longer affects: ibus (Ubuntu Disco)
no longer affects: ibus (Ubuntu Eoan)
Changed in glib2.0 (Ubuntu Xenial):
assignee: nobody → Gunnar Hjalmarsson (gunnarhj)
importance: Undecided → High
status: New → In Progress
Changed in glib2.0 (Ubuntu Bionic):
assignee: nobody → Gunnar Hjalmarsson (gunnarhj)
importance: Undecided → High
status: New → In Progress
Changed in glib2.0 (Ubuntu Disco):
assignee: nobody → Gunnar Hjalmarsson (gunnarhj)
importance: Undecided → High
status: New → In Progress
Changed in glib2.0 (Ubuntu Eoan):
assignee: nobody → Gunnar Hjalmarsson (gunnarhj)
importance: Undecided → High
status: New → In Progress
Gunnar Hjalmarsson (gunnarhj) wrote :

Hmm.. Since the security team plans to let the ibus packages break on previous libglib2.0-0, I dropped the step in the test case to reproduce the previous bug.

description: updated
Iain Lane (laney) wrote :

I've sponsored all the SRUs now. I also backported the testcase for bionic. On xenial the same testcase *hangs*. That is likely to be due to some assumptions about gdbus that aren't true back then, but be sure to verify this release extra carefully.

description: updated
Alex Murray (alexmurray) wrote :

@gunnarhj - updated packages for ibus are now available in the ubuntu-security-proposed PPA at https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa

Also I note the bug description lists ibus in Focal as Fix Released - but the latest version in focal (1.5.21-1~exp2ubuntu2) is the one with the patch reverted - would you like me to upload an updated focal version as well to the above PPA?

Gunnar Hjalmarsson (gunnarhj) wrote :

Thanks Alex!

On 2019-11-04 02:55, Alex Murray wrote:
> Also I note the bug descriptions lists ibus in Focal as Fix Released
> - but the latest version in focal (1.5.21-1~exp2ubuntu2) is the one
> with the patch reverted

Yeah.. ibus without specified series was marked "Fix Released" when the CVE patch was disabled, and when I targeted to series for glib2.0, it happened for ibus too (I removed all series but focal). So there is really no message in it.

> would you like me to upload an updated focal version as well to the
> above PPA?

It's not needed for the SRU verification. Alternatively you could just upload to focal as soon as glib2.0 2.62.2-2 makes it to focal-release (it's stuck in -proposed right now).

(On IRC I was also talking about another ibus change in focal, which will require an apparmor change, but let's deal with that separately to not complicate things too much.)
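
The changelog entries quoted in this thread show a -security upload that disables the CVE-2019-14822 patch, so the newest ibus package in a pocket is not necessarily one with the fix applied. The following is an added example, not part of the bug report: a shell function that reads a Debian changelog and reports what the newest stanza mentioning the patch did with it. The function and sample names, the constructed stanzas, the placeholder version and the assumption that a re-enabling entry would not contain the word "disabled" are all assumptions.

```shell
# cve_patch_state: read a Debian changelog (newest stanza first) on stdin and
# report what the newest stanza that mentions CVE-2019-14822 did with the patch.
cve_patch_state() {
    awk '
        # Stanza header, e.g. "ibus (1.5.17-3ubuntu5.2) bionic-security; urgency=medium"
        /^[a-z0-9][a-z0-9+.-]* \(.*\) / {
            if (seen) exit               # newest relevant stanza fully read
            version = $2
            gsub(/[()]/, "", version)
            next
        }
        /CVE-2019-14822/   { seen = 1 }
        seen && /disabled/ { disabled = 1 }
        END {
            if (!seen)         print "not-mentioned"
            else if (disabled) print "disabled " version
            else               print "applied " version
        }
    '
}

# Sample 1: body of the bionic stanza quoted in this thread, followed by a
# constructed stanza standing in for the upload that first shipped the patch.
sample_disabled() {
    cat <<'EOF'
ibus (1.5.17-3ubuntu5.2) bionic-security; urgency=medium

  * SECURITY UPDATE: ibus regression in Qt applications (LP: #1844853)
    - debian/patches/CVE-2019-14822.patch: disabled pending further
      investigation.

ibus (1.5.17-3ubuntu5.1) bionic-security; urgency=medium

  * (constructed wording) debian/patches/CVE-2019-14822.patch: added.
EOF
}

# Sample 2: a constructed newer stanza (placeholder version) that re-enables
# the patch, stacked on top of sample 1.
sample_reenabled() {
    printf '%s\n\n%s\n\n' \
        'ibus (0.0.0-placeholder) bionic-security; urgency=medium' \
        '  * (constructed wording) debian/patches/CVE-2019-14822.patch: re-enabled.'
    sample_disabled
}

echo "sample 1: $(sample_disabled | cve_patch_state)"
```

On an installed system the function can be fed the package's own changelog, which Debian-style packages normally ship as `/usr/share/doc/ibus/changelog.Debian.gz` (read it with `zcat`).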
