APR 10 2003

Security: PS/PDF file handling vulnerability

The KDE Security team has issued an advisory on a vulnerability present in all versions of KDE that allows a remote attacker to execute arbitrary commands under your account. KDE 3.0.5b and KDE 3.1.1a have been released to address this problem. For KDE 2.2.2, patches to the sources have been made available.

KDE uses Ghostscript software for processing of PostScript (PS)
and PDF files in a way that allows for the execution of arbitrary
commands that can be contained in such files.

An attacker can prepare a malicious PostScript or PDF file which will
provide the attacker with access to the victim's account and privileges
when the victim opens this malicious file for viewing or when the
victim browses a directory containing such a malicious file and has
file previews enabled.

An attacker can provide malicious files remotely to a victim in an
e-mail, as part of a webpage, via an ftp server and possibly other
means.

OS vendors and KDE package providers have been alerted and we expect them to provide updated binary packages shortly. The following updates are already available from the KDE ftp mirrors:

Note that many also provide updates via their own online update service.

Comments

You know what would be nice, is if distributors packaged up a binary update of just what changed. So that we didn't need to download a whole new kde or whatever every time a new release is made.

But then maybe I'm only dreaming. :)


By Mark Hillary at Thu, 2003/04/10 - 5:00am

That shouldn't be difficult I think. They could just release something called "kde3.1.1secpatch.xxxx.i586.rpm". This would install just that necessary part.

The only problem that I find is that this package could have conflicts with other packages, since it's providing the same files. I'm not sure if rpm or other formats admit this kind of overwriting.


By Unai at Thu, 2003/04/10 - 5:00am

Maybe it's a feature that could be added. To allow a package to be associated with a different package as an update.


By Mark Hillary at Thu, 2003/04/10 - 5:00am

SuSE do it already


By benji weber at Thu, 2003/04/10 - 5:00am

> You know what would be nice, is if distributors packaged up a binary update of just what changed.

SuSE's update already uses rpm patches since SuSE 8.0.


By Anonymous at Thu, 2003/04/10 - 5:00am

Just use the viewer from the creators of the PDF - Adobe Acrobat Reader.
There is a Linux version - a very nice one.

And something more to add, it seems that Adobe are moving on the curve to start using QT for their products. Maybe just rumors. However I will not be surprised if the next version of Photoshop is QT based and also available for Linux - then hasta la vista gimp. To make sure that the new QT curve that happens in Adobe is not just a rumor (maybe it still is) check this:
http://www.trolltech.com/newsroom/announcements/00000120.html

QT & KDE forever! Use Adobe Acrobat Reader for Linux if you want to view PDFs.


By Anton Velev at Thu, 2003/04/10 - 5:00am

I doubt that the Gimp will go away, as it is pretty unlikely that they you will get Photoshop for free :)


By AC at Thu, 2003/04/10 - 5:00am

Why not pay money if it's good?
Why does one think that software should be free?
Also we are talking about Adobe Acrobat Reader which is free software.

And something to add about the old topic of adoption of Linux as a business desktop. Some people believe that Linux can possibly dominate one day on the business desktop, with only free software installed. This is total mud. Just impossible. For adoption of one platform as a corporate platform some money should be invested and a big amount of PROFESSIONAL and COMMERCIAL apps available - like Photoshop. Relating to the current example, one professional designer will never use Linux before he has programs like Photoshop, CorelDraw etc. And talking about using GIMP for professional work is unserious (not saying that GIMP is unprofessional but far from Photoshop).
My sister is a professional designer and I tried several times to point her attention to Linux and GIMP but unsuccessfully, however she highly appreciates the cool design of my KDE desktop. And be sure she would use Linux for professional work if there was a Linux version of Adobe Photoshop available. Just to mention, with wine only 4.0 and 5.0 work fine.

Anyway think about it - commercial quality software is needed for linux to konquer the business desktop!


By Anton Velev at Thu, 2003/04/10 - 5:00am

Acrobat Reader is software and it is free, but it is not free software.


By Albert Astals Cid at Thu, 2003/04/10 - 5:00am

100% free like the free beer :)


By Anton Velev at Thu, 2003/04/10 - 5:00am

I agree. My company already buys licenses for Photoshop/Win.
If there was a Photoshop/Linux we certainly would buy some.
We would even pay for a GIMP which runs in a _single_ window!
GIMP's user interface is really awful. And please don't keep telling me
that it's in fact a good idea to have thousands of separate cluttered windows,
no reasonable menu bar, and a stone-age file open dialog. I bet no
UI expert has ever seen that thing or he would've dropped dead on the spot.
I know, with GNOME the thousands of windows would be managed by the
window manager. That's what they keep telling us. But I don't use GNOME.
And I don't want to use it because otherwise my whole desktop would have a UI
like GIMP. Those GNOME folks are real nerds IMO. They can create programs
with an amazing bunch of functions but no decent UI at all. And the best thing
is: They really think it's great. Muahaha! No way - I don't want to go back
to Windows 2.0 UI only because they say it's faster and simpler. It's not.
Unfortunately there are not many alternatives. Some of them don't support
PSD files and others (like Corel PhotoPaint for Linux) are so dead slow that you
rather boot to windows, edit your picture, and boot back to linux.
What's really missing is a KDE photo editor with PSD support.
Krita is dead. So what has happened to Mosfet Paint BTW?


By Jim at Thu, 2003/04/10 - 5:00am

I don't agree much on the need of a new interface for Gimp, but it's true that sometimes one can get lost on so many windows, that lose focus.... Isn't there an easy way to have them all in focus before the rest of the apps?

>So what has happened to Mosfet Paint BTW?

http://lists.kde.org/?l=kde-devel&m=104999312425319&w=2


By Unai at Thu, 2003/04/10 - 5:00am

Reeeaaallly off-topic but:

Well, yes.. Gimp can get cluttered by multiple windows but does it really help to unclutter the windows if you have a big window under them all (ala. Photoshop) ?
Well, maybe in Windows where you don't have Virtual Desktops. Gimp is developed for Linux where Virtual Desktop has been available for virtually always. But, yes.. if Adobe releases Photoshop for Linux it will be on our company's computers. Gimp just isn't there yet but it is still a very good program.


By Ka-ael at Fri, 2003/04/11 - 5:00am

There is a standard answer to this standard whining:

get better window manager!


By hober at Fri, 2003/04/11 - 5:00am

1. You did not read my post. I know this.
2. Virtual Desktops != Single Desktop with multiple windows
in terms of usability


By Jim at Fri, 2003/04/11 - 5:00am

1. The standard answer to this whining is by people who don't do more with gimp than gif animations for their personal homepage

2. KDE is a very nice window manager don't you think?

I think most people who defend Gimp are loudmouths. I am trying to actually USE this program in game development, and you know what? It sucks. Currently, Linux has NO gfx app. That's the truth. Unless you consider KPaint a Deluxe Paint killer.


By m0ns00n at Sun, 2003/04/13 - 5:00am

> We would even pay for a GIMP which runs in a _single_ window!

Sorry to have to tell you this, but X simply will NOT work that way!

--
JRT


By James Richard Tyrer at Sun, 2003/04/20 - 5:00am

umm, X neither works like that or doesn't.


By fault at Sun, 2003/04/20 - 5:00am

I tried using GIMP. It's crap. You're right on with the interface. Damn that thing is horrid. Ironic that a program for graphic manipulation and graphic design would have all the beauty and grace of a severed limb.

I really like what the program can do, but I don't like the billion+1 window arrangement or the trillions of dialog boxes.


By Richard Bollinger at Fri, 2005/03/04 - 6:00am

I didn't say that no one would buy Photoshop.. but there are more than enough people like me, who use the Gimp like 10 times a year and certainly don't want to pay 500 bucks for it...


By AC at Fri, 2003/04/11 - 5:00am

so how could we get it for free????


By dman at Sat, 2004/01/31 - 6:00am

Nonsense... Adobe may think about a QT-based Acrobat Reader... but that's it for now. Don't ever dream of a company like Adobe tying one of their major products (like Photoshop) to the small Trolltech company... Maybe Adobe's developers really think QT is a cute thingy and maybe more fun to program in than Visual C++'s native classes but the strategists at Adobe will strongly advise against porting Photoshop to QT for one simple reason: A major rewrite of tons of code could only be done once (even by a big company like Adobe). If something goes wrong, there will be no way back (you can not afford to lose _two_ release cycles just with ports and rewrites and no feature additions)


By thomas at Thu, 2003/04/10 - 5:00am

Actually if Adobe chooses QT as their toolkit for Photoshop and their other products they can only win because as we know they are now maintaining Mac and Win32 versions of their product. And if they choose QT they will maintain only one version for all platforms.


By Anton Velev at Thu, 2003/04/10 - 5:00am

Right. In addition, considering they are already maintaining separate versions for Windows and Macs, they have already built an abstraction layer. All they have to do is create a version of that abstraction layer for Qt. That's not difficult at all. This would also open up a whole nother market for them: Unix/Linux users.

Guess what, science labs all over the world have been moving to linux (especially for linux clusters) and scientists do use photoshop to work on the images generated by their experiments. I rather doubt they'll pay Trolltech for Qt use for Windows and Macs, considering they already have code written for both platforms. However, programming with Qt is extremely easy, definitely WAY easier than M$'s bug-ridden MFC crap.


By Mike at Fri, 2003/04/11 - 5:00am

Or, maybe, they have an abstraction layer and they want to get rid of it because it sucks and/or maintaining it costs more money than Qt licenses...


By AC at Fri, 2003/04/11 - 5:00am


By sith at Sun, 2003/04/13 - 5:00am

I got nothing new from

cvs update -r KDE_3_1_1_RELEASE

and could find no tag to use in webcvs (perhaps because of propagation delays). What is the correct cvs tag to use for the 3.1.1a release? I can make the obvious guess, but I would prefer the definitive answer instead.


By Alan W. Irwin at Thu, 2003/04/10 - 5:00am

It doesn't seem to be tagged yet but you can use

cvs update -r KDE_3_1_BRANCH

instead


By Waldo Bastian at Thu, 2003/04/10 - 5:00am

Well, that seems to update *lots* of stuff. More than the mere patch files contain.

And (offtopic): I generally think that the CVS tags (Releases and branches) should be
documented a little better. It's not clear whether KDE_X_Y_BRANCH is the same as the
latest KDE_X_Y_Z_RELEASE. Also, tags for KDE and KOffice are interweaved within
kde-i18n. IMHO, files not belonging to core kde shouldn't go into kde-i18n.

Regards,
Kili


By Matthias Kilian at Sat, 2003/04/12 - 5:00am

Hi

Since I upgraded to MDK 9.1 and compiled QT 3.1.2 and KDE 3.1.1 I have had a lot of hangs in KDE. I think it has to do with a hell of a lot of debug output to every file defined as errfile in the /etc/X11/Xsession ($HOME/.xsession-errors and /tpm/xses-$USER).
It also starts generating a lot of .fonts-cache.XXXXX files in my home-dir and the same files in /tmp but here they are called .resolv.conf.XXXXX. This font thingy seems to happen when I turn on preview of text files in konqueror.
The commands writing this crap to disk are kdDebug, kdWarning, kdError and kdFatal defined in /kdelibs-3.1.1(a)/kdecore/kdebug.h(cpp)???

Regards
Håvard


By Håvard Røkkum at Fri, 2003/04/11 - 5:00am

"Since I upgraded to MDK 9.1 and compiled QT 3.1.2 and KDE 3.1.1 I have had a lot of hangs in KDE."

Where is your source from? Are they the hacked MDK SRPM's, or are they the "real" source tarballs from like ftp.kde.org?


By Xanadu at Mon, 2003/04/14 - 5:00am

Hey, is it just me, or since I upgraded kdebase and kdelibs to 3.1.1a a very annoying bug in konqueror has disappeared. I mean now I can click the middle button on a link in a webpage and a new tab pops up immediately without waiting to contact the server. Since my internet connection is not very fast (115kbps) I often had to wait a while until a new tab was spawned and only then continue middle-clicking. I use tabbed browsing a lot, for instance when I am browsing sites like kde-look.org I always open screenshots in new tabs. With this bug konqueror was less comfortable to browse with than mozilla. And now the bug is gone!
WHOA!!! COOL!!!


By Blazej F. at Sat, 2003/04/12 - 5:00am

It's true, tabs are now fastest, and this improves konqueror a lot. Can I say thanks to the security bug ? ;)


By Alexander Perez at Sat, 2003/04/12 - 5:00am

Where is it? :-D


By Anne-Marie Mahfouf at Tue, 2003/04/15 - 5:00am