JAN 21 2005

Security: Advisories for KPDF, KOffice and Konversation

Three security advisories have been issued this week. The first two are due to a vulnerability that was discovered in xpdf. Both KPDF and the KOffice PDF import filter include their own version of xpdf and as a result they too will require some updating. The third advisory involves Konversation, in which several security issues were discovered.

Comments

"Both KPDF and the KOffice PDF import filter include their own version of xpdf"

What?!? Isn't this exactly what shared libraries are for?


By anon at Sat, 2005/01/22 - 6:00am

If xpdf was available as a shared library, it certainly would...


By Daniel Molkentin at Sat, 2005/01/22 - 6:00am

Well, since KPDF and KOffice are both KDE packages, maybe there should exist only one shared library for xpdf within KDE?

Code duplication sux 101


By fprog26 at Sat, 2005/01/22 - 6:00am

If xpdf was available as a shared library, it certainly would..


By Christian Loose at Sat, 2005/01/22 - 6:00am

Wrong. If xpdf was available in KDE as a shared KDE wrapper library then it certainly would. There's absolutely no reason to have two copies of xpdf in KDE (at least not in the long run). I bet that those were not the last security problems which are discovered in xpdf:

October 2004:
http://www.kde.org/info/security/advisory-20041021-1.txt
http://koffice.kde.org/security/2004_xpdf_integer_overflow.php

December 2004:
http://www.kde.org/info/security/advisory-20041223-1.txt
http://koffice.kde.org/security/2004_xpdf_integer_overflow_2.php

January 2004:
http://www.kde.org/info/security/advisory-20050119-1.txt
http://koffice.kde.org/security/advisory-20050120-1.txt


By Ingo Klöcker at Sat, 2005/01/22 - 6:00am

What is even more puzzling is the fact that the kdegraphics module both contains a version of xpdf and tries to link to parts of an external version. Since I don't have xpdf installed I get this funny message when using CVS.

You're missing pdfinfo. That means that you won't be able to
see additional informations about pdf files in konqueror.
The plugin for it will still be compiled, but won't work until
you install pdfinfo.
You can download it (inside the xpdf package) from
http://www.foolabs.com/xpdf/

I have been considering filing a bug on it, but haven't gotten around to it yet:-)


By Morty at Sat, 2005/01/22 - 6:00am

One practical problem is where do you put the common library. Another problem is that the xpdf sources need some slight modifications for the pdf->kword filter.


By azhyd at Sat, 2005/01/22 - 6:00am

and one more problem is that in koffice it is not the same xpdf version ... I am working on that though.


By azhyd at Sat, 2005/01/22 - 6:00am

Fixed this potential remote_procedure_call-risk.
Note: Older Linux versions are lesser hollowed.


By llllll at Sat, 2005/01/22 - 6:00am