DEC 22 2002

KDE 3.0.5a: Security Release

The KDE Project today released a security advisory affecting all versions of KDE 2 and KDE 3. The advisory is the culmination of the security audit which delayed the release of KDE 3.1 until January. The KDE Project strongly encourages all KDE users to upgrade to KDE 3.0.5a, which was also announced today, or to apply the patches provided for KDE 2.2.2. Due to the year-end Holidays, few binary packages are available at this time. Please check the KDE 3.0.5a information page and your vendor's website periodically for available packages. Note that some vendors are expected to incorporate the security improvements into new builds of KDE 3.0.5.

Comments

While downloading the source for 3.0.5a and thinking of the long compile ahead on my Athlon 800 (yes, I need to compile, I make modifications to a number of the programs in KDE), I got to realizing that there aren't really that many programs in the base KDE distribution that I use. For example, all I use from kdegames is Shisen-Sho, and all I use from kdenetwork are kmail and kdict.

I was just wondering how hard it would be to be able to do a "customized" build, as in: ./configure --enable-apps=kmail,kdict --etc and just compile/install the requested programs. Currently, for kdegames, I just do a make install in libkdegames and kshisen, but that's kind of ugly. I would be eternally grateful if I could pick and choose my base applications, so compile times and disk usage would be greatly diminished.


By KDE User at Sun, 2002/12/22 - 6:00am

Hi!

I just want to make sure: do you know 'setenv DO_NOT_COMPILE 'foo bar ....''?

Andy


By Andy at Sun, 2002/12/22 - 6:00am

You are my hero! Thank you so much.


By KDE User at Sun, 2002/12/22 - 6:00am

As of this writing, Debian packages of KDE 3.0.5a have not yet been uploaded to download.us.kde.org. Debian users who are using something like:

deb http://download.us.kde.org/pub/kde/stable/latest/...

in /etc/apt/sources.list will get an HTTP 404 error when trying to update. Either wait until the Debian packages are updated, replace '/latest/' with '/3.0.5/', or wait until Debian includes KDE 3.x in the distribution (whenever that is...?).


By Ken Arnold at Sun, 2002/12/22 - 6:00am

Why do you use 3.0.5a as version number? Why not 3.0.6?


By Stefan Nikolaus at Sun, 2002/12/22 - 6:00am

If I remember well, KDE_3_0_6 branch was already used in early development of KDE 3.1 ...


By Nicolas Hadacek at Sun, 2002/12/22 - 6:00am

It should be exactly the same as kde-3.0.5 plus the security fixes. No other bug fixes.
Maybe a kde-3.0.5.1 would be better :-)


By JC at Sun, 2002/12/22 - 6:00am

I got the following error when compiling kdepim:

make[3]: Entering directory `/usr/src/kde-3.0.5a/kdepim-3.0.5a/kalarm'
cp ../kalarmd/alarmguiiface.h .
......
g++ -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../libical/src/libical -I../libical/src/libical -I/opt/kde-3.0.5a/include -I/opt/qt/include -I/usr/X11R6/include -DQT_THREAD_SUPPORT -D_REENTRANT -DNDEBUG -DNO_DEBUG -O2 -fno-exceptions -fno-check-new -c -o kalarm.all_cpp.o `test -f kalarm.all_cpp.cpp || echo './'`kalarm.all_cpp.cpp
In file included from ../libical/src/libical/ical.h:2583,
from alarmcalendar.cpp:40,
from kalarm.all_cpp.cpp:9:
../config.h:201: warning: `VERSION' redefined
kalarm.h:30: warning: this is the location of the previous definition
In file included from editdlg.cpp:35,
from kalarm.all_cpp.cpp:4:
/opt/qt/include/qdir.h:80: parse error before `0'
/opt/qt/include/qdir.h:86: missing ';' before right brace
/opt/qt/include/qdir.h:88: parse error before `('
/opt/qt/include/qdir.h:89: parse error before `const'
/opt/qt/include/qdir.h:91: parse error before `const'
......
/opt/qt/include/qdir.h:128: non-member function `encodedEntryList(int, int)' cannot have `const' method qualifier
/opt/qt/include/qdir.h:130: `DefaultFilter' was not declared in this scope
/opt/qt/include/qdir.h:131: `DefaultSort' was not declared in this scope
/opt/qt/include/qdir.h:131: virtual outside class declaration
/opt/qt/include/qdir.h:131: non-member function `encodedEntryList(const QString &, int, int)' cannot have `const' method qualifier
/opt/qt/include/qdir.h:132: `DefaultFilter' was not declared in this scope
/opt/qt/include/qdir.h:133: `DefaultSort' was not declared in this scope
/opt/qt/include/qdir.h:133: virtual outside class declaration
/opt/qt/include/qdir.h:133: non-member function `entryList(int, int)' cannot have `const' method qualifier
/opt/qt/include/qdir.h:135: `DefaultFilter' was not declared in this scope
/opt/qt/include/qdir.h:136: `DefaultSort' was not declared in this scope
/opt/qt/include/qdir.h:136: virtual outside class declaration
......
/opt/qt/include/qdir.h:230: no `bool QDir::operator !=(const QDir &) const' member function declared in class `QDir'
In file included from /opt/kde-3.0.5a/include/kfiledialog.h:32,
from editdlg.cpp:40,
from kalarm.all_cpp.cpp:4:
/opt/kde-3.0.5a/include/kfile.h: In function `static bool KFile::isSortByName(const QDir::SortSpec &)':
/opt/kde-3.0.5a/include/kfile.h:75: confused by earlier errors, bailing out
make[3]: *** [kalarm.all_cpp.o] Error 1
make[3]: Leaving directory `/usr/src/kde-3.0.5a/kdepim-3.0.5a/kalarm'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/src/kde-3.0.5a/kdepim-3.0.5a/kalarm'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/src/kde-3.0.5a/kdepim-3.0.5a'
make: *** [all] Error 2

Could anyone help?

Linux From Scratch 3.3
GCC 2.95.3


By yellowfish at Sun, 2002/12/22 - 6:00am

Yup, I can confirm.

Either don't configure with --enable-final or move kalarmapp.cpp in the Makefile till after spinbox2.cpp

Cheers,
Waldo


By Waldo Bastian at Mon, 2002/12/23 - 6:00am

Great! I compiled successfully when configuring without --enable-final.
A lot of thanks, Waldo.


By yellowfish at Mon, 2002/12/23 - 6:00am

Krootwarning:
------------------------
'You are running a graphical interface as root.
This is a bad idea because as root, you can damage your system, and nothing will stop you.'
---------------------------------------------------------------------------------------

I am just curious.
Who is the 'nothing' ? Why and when is he going to stop me? After I had damaged my system or maybe before? Is the 'nothing' FBI?

Maybe I am too paranoid. Is it possible to send Kroot's warning to bugs.kde.org for a semantic & syntactic cleanup?


By antialias at Mon, 2002/12/23 - 6:00am

Or maybe... you're using the wrong language? Try .dk for a change.


By anon at Mon, 2002/12/23 - 6:00am

'Or maybe... you're using the wrong language?'

Yes, you're right, I always knew English was the wrong language. And I am sorry if I offended you but I can't stop laughing when I read this one: ' This is a bad idea because as root, you can damage your system, and nothing will stop you.'

'Try .dk for a change.'

Thanks for the advice 'anon. coward'. Ooops, sorry again, you are only 'anon'.

Cheers,

antialias


By antialias at Mon, 2002/12/23 - 6:00am

Dude... Stick to your day job. You will die of hunger as a comedian.


By KamiKaze at Mon, 2002/12/23 - 6:00am

No, it's not possible to send it to bugs.kde.org because it's not part of KDE. Try https://qa.mandrakesoft.com instead.


By Sad Eagle at Mon, 2002/12/23 - 6:00am

I don't see any errors in this message.


By Beefy at Tue, 2002/12/24 - 6:00am

Dunno if someone has already said this but hats off to the KDE developers for doing the security audit. I'm sure it's not much fun going over all that code looking for these bugs. Their efforts are appreciated by many people I'm sure.

Regards,

Deephack


By Deephack at Mon, 2002/12/23 - 6:00am

There have been no Mandrake Binaries for 3.0.5 or 3.0.5a.
They are usually very prompt in releasing KDE binaries.
Anyone know what happened?

Magnus.


By Magnus Pym at Wed, 2002/12/25 - 6:00am

They probably enjoy their Christmas break. Wait for a few days :-)


By JC at Wed, 2002/12/25 - 6:00am