KDE 3.0.4: Fourth Enhancement Release (And Two Security Advisories)
Thursday, 10 October 2002 | Dre
The KDE Project today announced the release of KDE 3.0.4. Besides a number of usability and stability enhancements, it provides two important security corrections. The first corrects the file sharing program KPF, which since KDE 3.0.1 has permitted a remote user to retrieve any file readable by the user running KPF (security advisory). The second corrects the PostScript® / PDF viewer KGhostView, which since KDE 1.1 permits carefully-crafted PostScript and PDF files to execute arbitrary code (security advisory). If you cannot upgrade to KDE 3.0.4, which is strongly recommended, you should immediately stop using both KPF and KGhostView.
Comments:
ha! - Navindra Umanee - 2002-10-09
Finally, some real KDE news for our friends at L&M! Good job guys, glad to see KDE 3.0.x so well maintained.
I'd just like to say... - Eron Lloyd - 2002-10-09
Incredible. The quality and consistency of the KDE project is just amazing. Thanks to all our hard working project members (coders and otherwise!) that *continue* to produce the best damn desktop available. Three cheers, Eron
thanx - gunnar - 2002-10-10
thanx for doing such a good job. kde is great! and for just don't hiding bugs and doing much blabla - just fixing that stuff (great to see this probs in beta stage). greeting gunnar
=) - Mohasr - 2002-10-10
i wondering about making a whole kde release for only a security patch !!!
Re: =) - JC - 2002-10-10
Only a security patch ? Watch http://www.kde.org/announcements/changelogs/changelog3_0_3to3_0_4.html
Re: =) - Roland - 2002-10-10
And what about people upgrading from KDE2, Gnome or Windows? It's much better to give them 3.0.4 than 3.0.3 plus patches.
Well Done - Coomsie - 2002-10-10
Well Done!!! KDE is the best. Cheers Coomsie :3)
Crashed my box - Anonymous - 2002-10-10
Why is it that a security fix is a whole new release? I guess they are pretty major security releases, but it seems that everytime I try to upgrade my KDE, it crashes. This one is no different. Upgrading Mdk 8.2 with KDE 3.0 installed, trying to upgrade to 3.04 (this one). Seemed to install fine using the RPMs and urpmi. Logged out and logged back in and things looked good, but then Kalarm crashed. I started Korganizer. It started fine, but then when I tried to add an event, it crashed. Got it to output the debugging symbols and went to view them using Kwrite, but it crashed when I tried to save them. Crash, crash, crash. I finally completely uninstalled KDE and then reinstalled KDE3.0, after I installed KDE 2.2.2. Don't ask, I was fighting with KDE3.0 all night just to get back to where I was this afternoon. This is a work machine and I need it for work. But I love KDE so damn much that I eargerly await the next release so I can try to upgrade again. :-)
Re: Crashed my box - Anonymous - 2002-10-10
Install from source, don't count on [first week] distributor packages.
Re: Crashed my box - John Herdy - 2002-10-10
Better; use Gentoo (www.gentoo.org). It's a source based distro so no RPM-dependancy-hell. You don't have to do anything manually just type "emerge kde" and you can enjoy the latest and greatest. Besides the ease of package management Gentoo has a lot of great packages e.g. Unreal Tournament 2003. With one command you can enjoy this great game.
Re: Crashed my box - philip howells - 2002-10-11
props to John, gentoo *ROCKS* I tried to do the same with Slackware and scripts, but gentoo does everything right, and is easy to admin too.
Re: Crashed my box - Jon - 2002-10-10
Perhaps you should try a different distro? I can almost guarantee that when the Debian packages are out, they'll install perfectly first time.
Re: Crashed my box - Janne - 2002-10-10
"I can almost guarantee that when the Debian packages are out, they'll install perfectly first time." Yeah, and it seems that we will be getting Debian-packages for KDE3 sometime in 2004
Re: Crashed my box - debs - 2002-10-10
> Yeah, and it seems that we will be getting Debian-packages for KDE3 sometime in 2004 Debian packages are already avaiable, for Woody (stable) and Sid (unstable): http://download.au.kde.org/pub/kde/stable/3.0.4/Debian/
Re: Crashed my box - Janne - 2002-10-10
Official packages? To my knowledge, there are un-official packages available, but no official-ones.
Re: Crashed my box - Kevin Krammer - 2002-10-11
Most of them are done by the packagers that do the official packages, so that's official enough for me :-) They are just not uploaded to the debian servers. I read that the real official packages are postponed to the GCC3.2 switch. Cheers, Kevin
Re: Crashed my box - Monster - 2002-10-10
I used RPMs because it is the swiftest way to update. Then I notice that things don't work as they should and commence to exchange packages. Mostly after arts, kdelibs and kdebase the distribution-specific "bugs" are less annoying. Though... upgrading from sources has always produced the most satisfactory results.
Re: Crashed my box - fault - 2002-10-10
If you don't care about the security patch, why are you even upgrading KDE and complaining that it's a new release. pffah
Re: Crashed my box - Mathieu Bois - 2002-10-25
Exactly the same problem on Mandrake 8.2 with all MDK updates applied. I've upgraded (with RPM) from KDE3.0.1 to KDE3.0.4 today. urpmi installed without problem. But: - KControl can't be launched (immediate crash). - KMail crashes if you go to its configuration or try to do a new mail (!) - Konqueror crases (I searched "crash" in this page, and after the last occurence, it crashed, several times) I even created a blank new user, with no ~/.kde related directories, and without /tmp/kde related files or directories : it didn't got better. I give up. I'll try to go back to KDE3.0.1 if I can. And maybe put away Mandrake as a linux distribution, because I do not trust it anymore, and because I'm fed up with its unstable features. I only hope KDE will work smoothly on the new distrib I'll choose, because I've becomed a Konqueror and KMail addict!
Re: Crashed my box - Neo Gigs - 2002-10-29
Personally advice that should not play on a work machine unless u are sure there is no harm to data. A way to prevent this is to partition some directory into separate partition. I done by this: /dev/hda1 - /boot /dev/hda2 - swap /dev/hda3 - / /dev/hdb1 - /var /dev/hdb2 - /usr/local /dev/hdb3 - /home /dev/hdb4 - /work what happened before i post this thread is my Mozilla 1.2b drive me crazy with tons of problems and bugs, so what I did was to uninstall Mozilla 1.2Xft (that including my earlier version, because it was done by upgrading from default shipped Mozilla 1.0.1 -> Mozilla 1.1 -> Mozilla 1.2b), this also caused Galeon and Evolution to gone due to dependencies. One good plan was my settings, mails, profiles, bookmarks was retained and when I reinstall from Redhat package installer with Mozilla, Galeon and Evolution, everything is exactly the same... Cool Redhat 8......very cool....
[OT] Hmmm. I wonder if Lindows uses KGhostview.. - Corba the Geek - 2002-10-10
It would be annoying enough executing malicious code as an ordinary user... but as root.
No RedHat binary release any more - Scotty - 2002-10-10
For KDE 3.0.3, RedHat binaries have been shipped. Is this no longer done for 3.0.4 or will they shipped later?
Re: No RedHat binary release any more - L.Lunak - 2002-10-10
Ask RedHat. KDE is not providing any binary packages (how many times must this be repeated?).
Re: No RedHat binary release any more - Scotty - 2002-10-10
Sorry, but see http://www.kde.org/info/3.0.3.html - (unofficial!) Redhat packages had been provided under http://download.kde.org/stable/3.0.3/contrib/RedHat/7.3/ !?! I know that Redhat is packaging KDE different from KDE - the "unofficial" release was following the KDE-packaging policy and I have installed those on my RHL7.3 bases system. Scotty
Re: No RedHat binary release any more - Sad Eagle - 2002-10-11
The "onofficial" means that a volunteer has provided them.
Re: No RedHat binary release any more - Eleknader - 2002-10-11
RedHat does not provide KDE updates in general. They support Gnome instead. Take a look at distributions that provide KDE packages on regular basis. These are mentioned at the release page. Personally I'm using Debian, and it works fine. Upgrading is simple as 'apt-get upgrade kde' Eleknader
Re: No RedHat binary release any more - look here - Jay S. Curtis - 2002-10-13
Here they are... ftp://ftp.du.se/pub/mirrors/kde/stable/3.0.4/RedHat/7.3/i386/
Can I update my KDE 3.1 beta 2 to this ? - _deadfish - 2002-10-10
I am running KDE 3.1 beta 2 on Mandrake 8.2. I am wondering if I can/should update(?) to this from KDE 3.1 beta 2. Any suggestions/comments ?
Re: Can I update my KDE 3.1 beta 2 to this ? - Will Stephenson - 2002-10-10
3.0.x releases are bug and security fix releases. All the changes versus 3.0.3 are either fixes to the existing code or fixes that are in 3.1.x, backported to the older code. So I'd say you already have the updates over 3.0.3. The security advisories don't say that the 3.1 tree is affected. Will
Re: Can I update my KDE 3.1 beta 2 to this ? - fl0yd - 2002-10-10
3.1 beta2 is also affected by both the security issues. Either patch your source or stop using the two affected programs.
Re: Can I update my KDE 3.1 beta 2 to this ? - Jiffy - 2002-10-11
The KGhostview buffer overflow was fixed September 26 [1]. It looks like the fix was included in 3.1 Beta 2. The file sharing security hole appears to have been fixed October 7 [2], so the exploit would still exist in 3.1 Beta 2. ------ [1] http://webcvs.kde.org/cgi-bin/cvsweb.cgi/kdegraphics/kghostview/ps.c [2] http://webcvs.kde.org/cgi-bin/cvsweb.cgi/kdenetwork/kpf/src/
Donated for KDE - Charly - 2002-10-10
I switched from GNOME 2.1 (CVS) to KDE 3.1 (CVS) yesterday and went to the Bank for a 20 donation today. Thank you for such a cool Desktop Environment. It's the first time that I ever donated for something. Not even GNOME got a penny from me but after I played with KDE I said 'wow' this is worth it.
Re: Donated for KDE - kidcat - 2002-10-21
AWESOME... I think that everyone should follow your examble! Myself included! Ill go to the bank on the 1/11. All Thumbs Up Charly! /kidcat
If I install kde 3.0.4 will it erase my stuff - Gilles Leblanc - 2002-10-10
Sorry if this question is lame, but Iv been using Linux for about 1 week ( when I decided to reformat my windows only hd and install Linux instead ) and have already experienced problems with it. But if I download RPM or try to compile from source, will it be like I just upgraded my KDE or will everything ( desktop backgrounds, themes, configs, programs installation ) be erased ?
Re: If I install kde 3.0.4 will it erase my stuff - Klapper - 2002-10-10
depends, user related configuration stays as is but it may be possible that structures within the configuration itself has changed so you may need to adjust some of your settings. this is only a valid statement if you switch e.g. from kde 3.0.x to 3.1.x. but nothing of your configuration get erased. prgrams, desktop backgrounds, themes etc. this also depends some themes and backgrounds may be stored in your homedir and some are globally installed.
Re: If I install kde 3.0.4 will it erase my stuff - Øyvind Sæther - 2002-10-11
I have actually found that some apps change their config files so the application looks strange or misses features. When I upgraded from CDBakeoven from 1.8.9 to the cvs version in kdeextragear-1 (check it out of you haven't done it already) it refused to use mpg123/ogg123 before I deleted the config file .kde/share/config/<app>.rc. This also applies to Quanta3 and Kate. This will not be a problem when upgradeing from 3.0.3 to 3.0.4, but is a good tip if you upgrade to a new major release (usually a bigger main number, y in x.x.y is a small fix and x.y simply y. is a big thing). Also, I experienced (fx when recompileing Kde3Beta2 with a new compiler) that the KDE temp files in /tmp (or /var/tmp depending) needs to be deleted when upgradeing.
Re: If I install kde 3.0.4 will it erase my stuff - Anno v. Heimburg - 2002-10-11
It shouldn't, since it's a bugfix-and-minor-improvements only update. All version bearing the same minor version number (the order is major.minor.bugfix, so we're talking about kde 3.0.x) should be exchangeable. A different story are minor version number changes, e.g when upgrading from 2.1 to 2.2, not all the settings seemed to have made it (though most did). The same is true for major number updates (e.g. 2.2.2 -> 3.0.0). Talking about programs, all kde programs should reside in /opt/kde or /usr, along with their default settings. Your personal settings are stored in /home/<username>/.kde/share/config . If things go wrong, you will be reverted to the app's default settings. But as I said, a bugfix update should pose no problems at all (of course, mistakes happen). Having said that, I would recommend you to (1) install from RPM because it's easier, and (2) wait for two weeks before upgrading. A lot early vendor packages have their glitches, but they are usually sorted out after some time.
Re: If I install kde 3.0.4 will it erase my stuff - Gilles Leblanc - 2002-10-11
Thanks for the replies :)
Mandrake rpms keep original settings ? - NewMandrakeUser - 2002-10-10
I know this is a Mandrake question, but I hope some Mdk user can answer. When you upgrade KDE with the binaries provided in kde.org ... do you lose your settings ? (such as Mandrake Menues, Login Manager (KDM) configuration, etc. ?) I am planning to upgrade the Mandrake 9.0 binaries ... Many thanks !
Re: Mandrake rpms keep original settings ? - Will - 2002-10-10
I just upgraded using the MDK binaries in Cooker. I used the Upgrade tool and everything installed fine. Will
Re: Mandrake rpms keep original settings ? - NewMandrakeUser - 2002-10-10
Thank you Will, same excellent luck with the 9.0 binaries. I had to use --nodeps because of a TiMidity++ conflict, but Timidity is still running after the upgrade, it was just the way it was packaged (probably requiring kdemultimedia == 3.0.3) :-) And Thank You MANDRAKE :-)
Very helpful - Sir Bard - 2002-10-10
This was very helpful I'm a linux sysadmin and my current project is porting KDE to win32 os. I haven't been able to find a HOWTO on compiling the code in Visual Basic yet but when I do I'll release it under the GPL
Re: Very helpful - gunnar - 2002-10-11
why using kde on win32? i dont understand... better running win in vmware under kde ;-) gunnar
Re: Very helpful - Gilles Leblanc - 2002-10-11
Are you sure you didnt mean compiling the code in Visual C++. Or do : A : you actually think that you can compile C code in VB B : Im actually so dumb I think it can`t be done but it can C : you just posted this post to see who would bite
Re: Very helpful - kidcat - 2002-10-21
check out his comment on "ill license it GPL".. this gotta be a bogus! /kidcat
Re: Very helpful - Kevin Krammer - 2002-10-11
You mean like the folks at kde-cygwin.sf.net ? Why aren't you working with them? Cheers, Kevin
Re: Very helpful - Frank Becker - 2002-10-11
YHBT. YHL. HAND.
Re: Very helpful - Bill G. - 2002-10-10
Great news! Thank you..... I'm a Win32 user and this would be absolutely great! Maybe on msdn (http://msdn.microsoft.com/) you can find more help about the KDE/Visual Basic stuff. Hope it helps.
kde 3.0.4 RPMS for RedHat 7.3 - Rex Dieter - 2002-10-10
I've put together some kde 3.0.4 RPMS for RedHat 7.3 (they *may* work on RedHat 7.2, but that is untested). See the posting on pclinuxonline.com for details: http://www.pclinuxonline.com/modules.php?name=News&file=article&sid=3541 Even More details are available on my website: http://www.math.unl.edu/~rdieter/ Enjoy. -- Rex
Thanks - Joni - 2002-10-12
I installed those on Red Hat 7.2, got it working without too much hassle, and (except a few minor glithces) it works well. Feels quite snappy too; programs start fast etc.
Re: Thanks - Rex Dieter - 2002-10-12
If you don't mind, could you elaborate on the "few minor glitches" you experienced? Maybe they're fixable... -- Rex
Re: Thanks - Joni - 2002-10-18
Well, some problems with the font under the icons on my desktop; I can't set it to bold anymore. And when I change almost any desktop setting, the icons lose their order and revert to some odd default. Also, I didn't get any graphic (splash screen, whatever) when KDE's starting, until I updated redhat-logos package to a version from 8.0 (and ignored some minor rpm conflicts to do that)... Nothing that big, and I'm not even sure if the fault is in your packages... Overall I'm actually very pleased with this KDE setup. Oh, btw: when I start kword as the user I normally use, I get the following: "Mutex destroy failure: Device or resource busy" With other users it works well. Any ideas? Removing kword's config file under ~/.kde didn't help...
n/m - Joni - 2002-10-18
Never mind that kword question. I got it working by reading my old dot.kde.org postings. (Seems like I had the same problem before.)
Re: n/m - Mario Lombardo - 2003-06-08
I can't find your old post regarding this error with kword, and now I'm having problems with kword on RH8.0 with the error message: Mutex destroy failure: Device or resource busy I did a search for Joni and only three articles came up. None of them had this one that I'm repling to. I actually found this one with Google. Just like you, it works fine with the root account. How did you fix this problem, or can you give me the hyperlink to your post/reply? /mario
Re: Thanks - Rex Dieter - 2002-10-18
1. regarding fonts... Hmm...I'll have to look at this one closer. I've never seen this, but it may be a rh72+XFree4.1 vs rh73+XFree4.2 thing. 2. Re: missing splash screen. Another odd one... my kdebase package has a Requires: for an updated redhat-logos (also in my repository). It (apt) ought to have upgraded this for you automatically. ?? -- Rex
Re: Thanks - Joni - 2002-10-18
Well, I didn't use apt. (I've tried it sometime earlier but have run into problems, IIRC...) Instead I made a script to get all the rpms and then used 'rpm -Fvh'. (Would be easier to get them with wget if you'd have them on ftp server instead of http :) But don't worry about it too much, I got it working anyways.
Re: Thanks - Rex Dieter - 2002-10-18
wget works with for http. I've used it to mirror my site on occasion: wget --mirror http://www.math.unl.edu/linux/redhat/apt/7.3/i386/RPMS.kde3 ought to do the trick. (-: In the meantime, I'm working on trying to enable ftp access as well... and lining up a mirror or two.... Back to apt... it is a wonderful tool, I highly recommend its use... and periodic apt-get update && apt-get upgrade tasks will always keep your box current. If you had problems in the past, please try again. You won't regret it. And if you *do* experience problems, please don't hesistate to send a gripe or two my way... I'd love to have a chance to fix anything that's broken. -- Rex
Re: Thanks - Joni - 2002-10-26
Btw (if this still reaches you), do you know how I could fix this? If I try to view any Help whatsoever in KDE, I get the following: "An error occured while loading help:/khelpcenter/index.html?anchor=welcome: Could not start process Unable to create io-slave: klauncher said: Error loading 'kio_help'." I've been wondering if there's some "kdehelp" RPM package or something missing in my system, but I'm not really sure.
Re: Thanks - Rex Dieter - 2002-10-27
I haven't been able to reproduce this problem. What version of kdebase do you have installed? (rpm -q kdebase to find out). What version of redhat are you using? -- Rex
Re: Thanks - Joni - 2002-10-28
"kdebase-3.0.4-0", i.e. the 3.0.4 package that you built. This box is running (updated) RH 7.2.
Re: Thanks - Rex Dieter - 2002-10-28
I'd recommend you upgrade to the latest version I have available (kdebase-3.0.4-0.73.1.1): apt-get update apt-get upgrade ought to do it. -- Rex
Re: kde 3.0.4 RPMS for RedHat 7.3 - Vilppa - 2002-10-12
Have you got any bad feedback from these rpms on RH 7.3? If you havn't got many severe complaints I'm going to install your packages... Thanks for providing them!
Re: kde 3.0.4 RPMS for RedHat 7.3 - Rex Dieter - 2002-10-12
Nope, no bad feedback... (yet... (-: ). -- Rex
Re: kde 3.0.4 RPMS for RedHat 7.3 - ruud koendering - 2002-10-17
Is there a standard de-install and install script? regrads, Ruud
Enhancement? - Neil Stevens - 2002-10-11
Is "enhancement" Newspeak for "grave security fix?"
Re: Enhancement? - Janne - 2002-10-11
Last time I checked, there are other changes in there besides those two security-fixes.
Re: Enhancement? - Neil Stevens - 2002-10-11
All bugfixes. KDE 3.0.4 comes from the frozen KDE_3_0_BRANCH.
Re: Enhancement? - Janne - 2002-10-11
Yes, so? It says "usability and stability enhancements". Surely bugfixes can be both.
Bug in the KAddressBook - zyzstar - 2002-10-11
Can anybody tell me why the bug in the KAddressBook which doesn't save the column width is still not solved in this release? AFAIK this problem was figured out in the 3.1.x CVS branch - so is it really so hard to backport this fix to the stable 3.0.x tree?
New bugs - antiphon - 2002-10-15
Using SuSE 7.3 RPMs, I've had less luck w/this release. I'm getting memory leaks, Ksysguard applet dies, etc. Also, the Desktop icon grid has been increased to an unreasonable width and height :( I'm going back to 3.03