APR 22 2005

Security: Advisories for kdelibs and Kommander

Two security advisories have been issued by the KDE Security Team, both affecting KDE 3.2 up to and including KDE 3.4: kdelibs does not properly perform input validation for image files, and Kommander executes data files from possibly untrusted locations without user confirmation. These issues will be fixed in KDE 3.4.1; for older KDE versions, patches are available.

Comments

kde 3.4.1? when?


By Mathias at Fri, 2005/04/22 - 5:00am

When it's done :) But here are some Screenshots of current CVS.


By Screenshots at Fri, 2005/04/22 - 5:00am

... and a last one ...


By Screenshots at Fri, 2005/04/22 - 5:00am

What font are you using in your desktop?


By .... at Fri, 2005/04/22 - 5:00am

... the default ones shown + AA enabled ...


By Screenshots at Fri, 2005/04/22 - 5:00am

:) Where did you get a version of Helvetica that can be anti-aliased?

Bitmapped Helvetica still plagues me to this day.


By Dolio at Fri, 2005/04/22 - 5:00am

magic :)


By Screenshots at Fri, 2005/04/22 - 5:00am

Would you explain this "magic" for inquiring minds?


By stumbles at Fri, 2005/04/22 - 5:00am

He prolly hasn't Helvetica in his fonts paths or has it aliased, KDE tends to go with the nearest choice when a font is not available, I think.

I generally install M$ webfonts and comment out any other fonts paths in my /etc/fonts/fonts.conf. If KDE was set to use Helvetica, it will now use Verdana instead, and so on.


By Pilaf at Sat, 2005/04/23 - 5:00am

I do have XOrg installed with Bitstream fonts (the stuff that comes with it) and the original fonts from WindowsNT (not the corefonts as found on Sourceforge). These are Helvetica AA fonts that you see on the Screenshots.


By Screenshots at Sat, 2005/04/23 - 5:00am

Macintoshes come with truetype Helveticas but you can also buy it from Linotype.


By Robert at Sat, 2005/04/23 - 5:00am

A simple solution to the Helvetica problem *used* to be to install the URW clones as the Adobe fonts, but with FontConfig, there isn't a file available for FontConfig. Perhaps KDE could provide this.

You can install the Helvetica font that comes with the Adobe Acrobat 3.x for Windows (get the AFM files from Adobe FTP), but that Helvetica is an old font that doesn't have a Euro symbol and I don't know if doing this is 100% legal so distros are not going to include it.

So, the question is: Why do we persist in using "Helvetica" and "Courier" as the default rather than the FontConfig generic font names: "sans-serif" & "monospace". This would appear to be an obvious solution, or are there some systems that don't use FontConfig?

Alternatively, KDE could automatically substitute "Arial" for "Helvetica", Courier New for "Courier", & "Times New Roman" for "Times". Perhaps there should be a way to turn this off, but for many users it would solve some problems. Or, this could be added to the FontConfig configuration files. Perhaps a KDE GUI to edit your FontConfig: "/etc/fonts/local.conf" file would help.

--
JRT


By James Richard Tyrer at Mon, 2005/04/25 - 5:00am

What windeco are you using? Is it the default Plastik?


By Anonymous at Fri, 2005/04/22 - 5:00am

Yes.


By Screenshots at Fri, 2005/04/22 - 5:00am

It's taking a step backwards IMO.

I liked the old style much better.


By anon at Fri, 2005/04/22 - 5:00am

> I liked the old style much better.

I didn't. I'm glad Plastik is default now.
And I got the impression that a lot of people agree with me.


By cm at Fri, 2005/04/22 - 5:00am

You're right, of course. Plastik has been generally well-received. And a popular theme makes a decent choice for default, although I'd say a boring inoffensive one is better, but that's for distros to decide.

But I have to say I agree with the original complainer. I tried to use Plastik, really I did. But it's ugly, busy and takes up a lot more screen real estate than necessary. This is all my subjective opinion, of course, but I've found it's a generally consistent opinion of those who don't like Plastik. Basically the problem is that it's Windows XP's "Luna" theme, mercifully without the abrasive color scheme.

I actually think ThinKeramik is great, and Keramik is almost as good (but a little busy). It's inobtrusive, nondescript, and out-of-the-way, and functional. Again, my opinion.

I think it's a divide between those who don't want window decorations to distract from the window contents, and those who...well, want flashy window decorations. No offense intended.

As long as KDE still offers plenty of theme choices aside from the default, who cares? Distros often change the default to their own anyway.


By ac at Fri, 2005/04/22 - 5:00am

> I tried to use Plastik, really I did. But it's ugly, busy and takes
> up a lot more screen real estate than necessary.

Funny, that's what I always say about Keramik.

> As long as KDE still offers plenty of theme choices aside from the default,
> who cares? Distros often change the default to their own anyway.

ACK.


By cm at Fri, 2005/04/22 - 5:00am

It looks like they are still using that really bad blue colour on the information screens. See http://bugs.kde.org/show_bug.cgi?id=100448 for more information, and please vote on it, it was much better in the early 3.4 betas.


By Ian Ventura-Whiting at Fri, 2005/04/22 - 5:00am

I like the information screens they look quite cool.


By Screenshots at Fri, 2005/04/22 - 5:00am

I am still kind-of disappointed in KDE. I hope I am wrong in thinking that Konqueror photo is of the default settings. IMNSHO, first, all those icons after and including the printer icon should be removed, and the location toolbar put or even merged with the space after the back/forward bar and the KDE animated logo.

Second: The fonts look "thick" and "big". Why? Is the insane behavior of the toolbar now tamed? Sometimes visiting some sites would make those toolbars un-dockable (sp), and Konqueror would on several occasions, forget its toolbar settings. A [useful] bug report was not easy to file since reproducing this behavior was not possible. It happens at random!

Since KDE is still being fine tuned, I'll keep my fingers crossed for now.


By charles at Fri, 2005/04/22 - 5:00am

> IMNSHO, first, all those icons after and including the printer icon should be
> removed, and the location toolbar put or even merged with the space after the
> back/forward bar and the KDE animated logo.

I exactly like the icons where they are and the icons after the printer icon should stay where they are and of course the location toolbar is right as well. It's exactly how I want my desktop to look like.

> Second: The fonts look "thick" and "big". Why?

Because I have chosen them, they are healthy for my eyes.

> Since KDE is still being fine tuned, I'll keep my fingers crossed for now.

My Screenshots are in no way representative of the KDE project, these are my Screenshots.


By Screenshots at Fri, 2005/04/22 - 5:00am

> I am still kind-of disappointed in KDE. I hope I am wrong in thinking that Konqueror photo is of the default settings.

You're disappointed with something that you don't use?


By Anonymous at Fri, 2005/04/22 - 5:00am

It seems unlikely that your problems with Konqueror are random. They are perhaps unpredictable and difficult to analyze, but that is true about most complicated systems.

You should fill out a bug report if you think you've found a bug. Hopefully other people that have the same problem will add to it, and some commonality can be discovered allowing a fix or work around to be developed.


By brian at Sat, 2005/04/23 - 5:00am

Depends on when the switch to Subversion will happen.


By Anonymous at Fri, 2005/04/22 - 5:00am

Anyway I think that these updates will be backported to KDE 3.4.0 by distro-makers. At least, Gentoo has already done it, don't know others. (yesterday I got a kdelibs-3.4.0-r2 update)


By Davide Ferrari at Fri, 2005/04/22 - 5:00am

Patches are already available thanks to the KDE developers, the distro-makers have only to apply the patches, rebuild and release.


By Morty at Fri, 2005/04/22 - 5:00am

Much hype made me try kubuntu 0.5.4, but to my disappointment I found that there are many things lacking in it. I say slackware 10.1 with KDE 3.4 is the best!

KUBUNTU:
-------
PROS:

1. tighter integration of KDE with base system.
2. KDM Theme.
3. Lipstik style. Good Look and Feel. Lipstik rocks.
4. few and most useful applications (k3b,amarok, gwenview, openoffice, etc.)
5. automatic configuration after installation.

CONS:

1. configuration applications missing (alsaconf, adsl-setup, xorgsetup)
2. and many nifty small applications like links, lynx, etc. (when X11 is crashed how will you access internet?)
3. not fully multimedia ready (libdvdcss not installed DVD Playback not possible)
4. Too few Default KDE applications installed.
5. nice applications like karchiver are not part of the KDE centric OS :(

Lack of Configuration tools and GCC/G++ are too much a trouble. I'll stick with Slackware!


By Asif Ali Rizwaan at Fri, 2005/04/22 - 5:00am

Is there a single on-topic comment on the Dot from you?


By Anonymous at Fri, 2005/04/22 - 5:00am

There don't seem to be any on-topic comments here.

Oh, yes, security is good.

Derek


By Derek Kite at Fri, 2005/04/22 - 5:00am

The "3.4.1" thread refers to the story text.


By Anonymous at Fri, 2005/04/22 - 5:00am

Hmmm... your posting here indicates that you're aware of existence of the internet, in its widest sense - you know, http, ftp... so, missing packages are easily downloaded and installed via - guess what - internet... Distro that comes on a single CD is not to be expected to have all the packages YOU want. Btw, gcc and make are on the CD, along with kernel-headers and such - if you launched e.g. kynaptic to check available packages, you would see that you could install them with a few mouse clicks... Slackware users - rrright...


By Petar at Sat, 2005/04/23 - 5:00am