Security: Advisories for Kate and Kopete

Two security advisories have been issued this week. The first affects Kate and KWrite as shipped with KDE 3.2.x up to and including 3.4.0: backup files are created during saving with default permissions, even if the original file had stricter permissions set. The second affects Kopete as included in KDE 3.2.3 up to and including KDE 3.4.1: the included copy of libgadu, if installed, is vulnerable to integer overflows that can result in remote DoS or arbitrary code execution.
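
The Kate/KWrite issue above can be checked for on an affected system. The following is an added example, not code from the advisory or from KDE: it lists backup files that grant permission bits their original does not, and shows a backup routine that avoids the problem. The `~` suffix, the same-directory layout and all function names are assumptions made for the illustration.

```python
import os
import shutil
import stat
import tempfile

SUFFIX = "~"  # assumption: backups are named <original> + SUFFIX in the same directory

def find_exposed_backups(root, suffix=SUFFIX):
    """Return [(backup_path, extra_bits)] for backups more permissive than their original."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            backup = os.path.join(dirpath, name)
            original = backup[: -len(suffix)]
            if not name.endswith(suffix) or not os.path.isfile(original):
                continue
            o, b = (stat.S_IMODE(os.stat(p).st_mode) for p in (original, backup))
            if b & ~o:  # bits the backup grants that the original does not
                findings.append((backup, b & ~o))
    return sorted(findings)

def safe_backup(original, suffix=SUFFIX):
    """Write the backup owner-only first, then give it the original's exact mode."""
    backup = original + suffix
    mode = stat.S_IMODE(os.stat(original).st_mode)
    if os.path.lexists(backup):
        os.unlink(backup)  # never reuse a stale, possibly looser file or a symlink
    fd = os.open(backup, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as dst, open(original, "rb") as src:
        shutil.copyfileobj(src, dst)
        os.fchmod(dst.fileno(), mode)
    return backup

def demo():
    """Constructed sample: a 0600 file whose backup was saved with mode 0644."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")
        with open(secret, "w") as f:
            f.write("constructed sample data\n")
        os.chmod(secret, 0o600)
        shutil.copyfile(secret, secret + SUFFIX)
        os.chmod(secret + SUFFIX, 0o644)  # what a default umask of 022 yields
        before = [(os.path.basename(p), oct(b)) for p, b in find_exposed_backups(d)]
        safe_backup(secret)
        return before, find_exposed_backups(d)

if __name__ == "__main__":
    print(demo())
```

Upgrading the editor does not tighten backups already on disk, so a scan like `find_exposed_backups` over home directories is still worth running afterwards.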

Comments

by CJ (not verified)

So let's wait for the Service Pack. :)

by lemmy (not verified)

and are there really people using it?

by Andre Somers (not verified)

It's quite popular in eastern Europe, or so I am told.

by SuSE_User (not verified)

I use Kopete a bunch to talk with those on the MSN network, but no, I have not heard of Gadu Gadu. MSN, IRC, Jabber, Yahoo!, and AIM are what I know (yes, Kopete does not do IRC, Konversation does, but it's what I know.)

by cm (not verified)

> yes, Kopete does not do IRC

It does.

by bungy (not verified)

http://en.wikipedia.org/wiki/Gadu_Gadu

A few million (mostly) teenagers use that proprietary protocol. Service owners are making business by pushing advertisements aimed mostly at kids. Since their server is centralized, it crashes sometimes. In fact nobody knows why this is so popular then; I suppose teenagers are happier with their displays filled with ads... :)
Historical reasons are the most obvious answer though...

by disapointed user (not verified)

ads?
talk to millions of stupid dumb people that use aol's instant messenger that has least features, has ugliest and dumbest interface, and has the most annoying sound out of all messengers. yet there are tons of people that use it?
perhaps this is telling us something - most people are real morons :)

if you don't agree, go back and look at icq. it was the best messenger and the original one. it had tons of features. it had a kick ass interface. aol bought it and they screwed up the whole thing...now it's nothing more than stupid aol.
only thing that icq has still that is better than any other messenger out there is the fact that it uses unique numbers instead of nick names. so you can pick whichever name and nick you want and you don't have to remember dumb nick names such as ")($mda9#lad_91291".

plus icq has badass search features. you can search by country, city, state, zip code, sex!, interests, etc, etc. in aol you can only search by that stupid nickname. so retarded.

and yes, i on purpose did not use any capitalization in this post. i figure that more aol users will understand this better that way. i couldn't bear not to use punctuation though!

by Ian Monroe (not verified)

Um, you don't pick your IM protocol, your friends pick it for you.

Which is why it's nice to have clients like Kopete. :)

by ac (not verified)

not always right. I'm partly successful in convincing my friends to switch to jabber. :-)

but it's surely good to have kopete to chat to the rest I haven't convinced yet...

by Scott Wheeler (not verified)

> perhaps this is telling us something - most people are real morons :)

I know you're just making a crack here, but since this is a common sentiment, it deserves debunking.

Most people don't care about technology at the level that say, readers of the Dot do. I'm sure auto mechanics sit around and talk about how stupid most people are when they can't figure out that the X-Blah '05's engine is a piece of crap. But those people (i.e. most of us) aren't morons, they just don't care.

It's the same with messaging protocols or operating systems or desktop environments or whatever. Most people just don't care. People generally don't ask, "Do I have access to the source?" or "What's the user name storage scheme?" It's more like, "Can I talk to Bob using that?" or "Can I open the things my mom sends me?"

by Christian Loose (not verified)

Not to forget: "PC magazine XY said that the app is cool and it even had the current version on CD".

by divide (not verified)

I use it.

It has many features that ICQ is praised for below: unique numbers as user ID (unfortunately, recently they have started reusing dead numbers, I've been bitten by it (talking to somebody I thought was my long-unseen friend)), searching by sex, age, location, first name AND the nickname.

Teenagers are fun sometimes, too ;->

by divide (not verified)

s/below/above/

Also, keep in mind that only the original client software shows the ads. All the others, including many open source ones (and there are many, multi-ones: Kopete, Miranda and dedicated: Kadu, EKG, Gnu Gadu, freegg; also there is Jabber transport for it, available, IIRC, on jabber.org.pl) don't do it.

Smart masses use the unofficial ones, that goes without saying ;-)

by divide (not verified)

Replying to myself for the second time ;-)

I forgot Gaim, of course.

Also, a cool feature related to gadu-gadu (though perhaps in a convoluted manner) is standard encryption, which is encapsulated in the open-source library libsim (IIRC). Although it's hardly official (the original client doesn't offer encryption), most alternative clients have the support built-in; so that one can have secure chats (as in: not cleartext, at least; ensuring all authenticity, integrity, non-replayability and secrecy on an asynchronous medium IM is, is not that easy, and libsim certainly has its deficiencies) without the need to mix and match clients and plugins to get them to cooperate.