KDE 3.0.4: Fourth Enhancement Release (And Two Security Advisories)

The KDE Project today announced the release of KDE 3.0.4.
Besides a number of usability and stability enhancements,
it provides two important security
corrections. The first corrects the file sharing program KPF, which
since KDE 3.0.1 has permitted a remote user to retrieve any file
readable by the user running KPF.
The second corrects the PostScript® / PDF viewer KGhostView, which since KDE 1.1
permits carefully-crafted PostScript and PDF files to execute arbitrary
If you cannot upgrade to KDE 3.0.4, which is strongly recommended,
you should immediately stop using both KPF and KGhostView.


Finally, some real KDE news for our friends at L&M!

Good job guys, glad to see KDE 3.0.x so well maintained.

By Navindra Umanee at Wed, 2002/10/09 - 5:00am

Incredible. The quality and consistency of the KDE project is just amazing. Thanks to all our hard working project members (coders and otherwise!) that *continue* to produce the best damn desktop available.

Three cheers,


By Eron Lloyd at Wed, 2002/10/09 - 5:00am

Thanks for doing such a good job. KDE is great!
And for not hiding bugs and doing much blabla - just fixing that stuff (great to see these probs in beta stage).

greeting gunnar

By gunnar at Thu, 2002/10/10 - 5:00am

I'm wondering about making a whole KDE release for only a security patch!!!

By Mohasr at Thu, 2002/10/10 - 5:00am

By JC at Thu, 2002/10/10 - 5:00am

And what about people upgrading from KDE2, Gnome or Windows?

It's much better to give them 3.0.4 than 3.0.3 plus patches.

By Roland at Thu, 2002/10/10 - 5:00am

Well Done!!!

KDE is the best.

Coomsie :3)

By Coomsie at Thu, 2002/10/10 - 5:00am

Why is it that a security fix is a whole new release? I guess they are pretty major security releases, but it seems that every time I try to upgrade my KDE, it crashes. This one is no different. Upgrading Mdk 8.2 with KDE 3.0 installed, trying to upgrade to 3.04 (this one). Seemed to install fine using the RPMs and urpmi. Logged out and logged back in and things looked good, but then Kalarm crashed. I started Korganizer. It started fine, but then when I tried to add an event, it crashed. Got it to output the debugging symbols and went to view them using Kwrite, but it crashed when I tried to save them. Crash, crash, crash. I finally completely uninstalled KDE and then reinstalled KDE3.0, after I installed KDE 2.2.2. Don't ask, I was fighting with KDE3.0 all night just to get back to where I was this afternoon. This is a work machine and I need it for work. But I love KDE so damn much that I eagerly await the next release so I can try to upgrade again. :-)

By Anonymous at Thu, 2002/10/10 - 5:00am

Install from source, don't count on [first week] distributor packages.

By Anonymous at Thu, 2002/10/10 - 5:00am

Better; use Gentoo (www.gentoo.org). It's a source based distro so no RPM-dependency-hell. You don't have to do anything manually, just type "emerge kde" and you can enjoy the latest and greatest. Besides the ease of package management Gentoo has a lot of great packages e.g. Unreal Tournament 2003. With one command you can enjoy this great game.

By John Herdy at Thu, 2002/10/10 - 5:00am

props to John, gentoo *ROCKS*
I tried to do the same with Slackware and scripts, but gentoo does everything right, and is easy to admin too.

By philip howells at Fri, 2002/10/11 - 5:00am

Perhaps you should try a different distro? I can almost guarantee that when the Debian packages are out, they'll install perfectly first time.

By Jon at Thu, 2002/10/10 - 5:00am

"I can almost guarantee that when the Debian packages are out, they'll install perfectly first time."

Yeah, and it seems that we will be getting Debian-packages for KDE3 sometime in 2004

By Janne at Thu, 2002/10/10 - 5:00am

> Yeah, and it seems that we will be getting Debian-packages for KDE3 sometime in 2004

Debian packages are already available, for Woody (stable) and Sid (unstable):


By debs at Thu, 2002/10/10 - 5:00am

Official packages? To my knowledge, there are un-official packages available, but no official-ones.

By Janne at Thu, 2002/10/10 - 5:00am

Most of them are done by the packagers that do the official packages, so that's official enough for me :-)
They are just not uploaded to the debian servers.

I read that the real official packages are postponed to the GCC3.2 switch.


By Kevin Krammer at Fri, 2002/10/11 - 5:00am

I used RPMs because it is the swiftest way to update.
Then I notice that things don't work as they should and commence to exchange
packages. Mostly after arts, kdelibs and kdebase the distribution-specific
"bugs" are less annoying.
Though... upgrading from sources has always produced the most satisfactory results.

By Monster at Thu, 2002/10/10 - 5:00am

If you don't care about the security patch, why are you even upgrading KDE and complaining that it's a new release?


By fault at Thu, 2002/10/10 - 5:00am

Exactly the same problem on Mandrake 8.2 with all MDK updates applied.

I've upgraded (with RPM) from KDE3.0.1 to KDE3.0.4 today. urpmi installed without problem.

- KControl can't be launched (immediate crash).
- KMail crashes if you go to its configuration or try to do a new mail (!)
- Konqueror crashes (I searched "crash" in this page, and after the last occurrence, it crashed, several times)

I even created a blank new user, with no ~/.kde related directories, and without /tmp/kde related files or directories: it didn't get better.

I give up. I'll try to go back to KDE3.0.1 if I can. And maybe put away Mandrake as a linux distribution, because I do not trust it anymore, and because I'm fed up with its unstable features.

I only hope KDE will work smoothly on the new distrib I'll choose, because I've become a Konqueror and KMail addict!

By Mathieu Bois at Fri, 2002/10/25 - 5:00am

Personally, I advise that you should not play on a work machine unless you are sure there is no harm to data. A way to prevent this is to partition some directories into separate partitions.

I did it like this:

/dev/hda1 - /boot
/dev/hda2 - swap
/dev/hda3 - /
/dev/hdb1 - /var
/dev/hdb2 - /usr/local
/dev/hdb3 - /home
/dev/hdb4 - /work

What happened before I posted this thread is that my Mozilla 1.2b drove me crazy with tons of problems and bugs, so what I did was to uninstall Mozilla 1.2Xft (that includes my earlier version, because it was done by upgrading from default shipped Mozilla 1.0.1 -> Mozilla 1.1 -> Mozilla 1.2b); this also caused Galeon and Evolution to be gone due to dependencies.

One good plan was that my settings, mails, profiles, bookmarks were retained and when I reinstalled from Redhat package installer with Mozilla, Galeon and Evolution, everything was exactly the same...

Cool Redhat 8......very cool....

By Neo Gigs at Tue, 2002/10/29 - 6:00am

It would be annoying enough executing malicious code as an ordinary user... but as root.

By Corba the Geek at Thu, 2002/10/10 - 5:00am

For KDE 3.0.3, RedHat binaries have been shipped.
Is this no longer done for 3.0.4 or will they be shipped later?

By Scotty at Thu, 2002/10/10 - 5:00am

Ask RedHat. KDE is not providing any binary packages (how many times must this be repeated?).

By L.Lunak at Thu, 2002/10/10 - 5:00am

Sorry, but see http://www.kde.org/info/3.0.3.html - (unofficial!) Redhat packages had been provided under http://download.kde.org/stable/3.0.3/contrib/RedHat/7.3/ !?!

I know that Redhat is packaging KDE differently from KDE - the "unofficial" release was following the KDE-packaging policy and I have installed those on my RHL7.3 based system.

By Scotty at Thu, 2002/10/10 - 5:00am

The "unofficial" means that a volunteer has provided them.

By Sad Eagle at Fri, 2002/10/11 - 5:00am

RedHat does not provide KDE updates in general.

They support Gnome instead.

Take a look at distributions that provide KDE packages on a regular basis. These are mentioned at the release page.

Personally I'm using Debian, and it works fine. Upgrading is as simple as 'apt-get upgrade kde'


By Tapio Kautto at Fri, 2002/10/11 - 5:00am

I am running KDE 3.1 beta 2 on Mandrake 8.2. I am wondering if I can/should update(?) to this from KDE 3.1 beta 2. Any suggestions/comments ?

By _deadfish at Thu, 2002/10/10 - 5:00am

3.0.x releases are bug and security fix releases. All the changes versus 3.0.3 are either fixes to the existing code or fixes that are in 3.1.x, backported to the older code.

So I'd say you already have the updates over 3.0.3. The security advisories don't say that the 3.1 tree is affected.


By Will Stephenson at Thu, 2002/10/10 - 5:00am

3.1 beta2 is also affected by both the security issues. Either patch your source or stop using the two affected programs.

By fl0yd at Thu, 2002/10/10 - 5:00am

The KGhostview buffer overflow was fixed September 26 [1]. It looks like the fix was included in 3.1 Beta 2.

The file sharing security hole appears to have been fixed October 7 [2], so the exploit would still exist in 3.1 Beta 2.


[1] http://webcvs.kde.org/cgi-bin/cvsweb.cgi/kdegraphics/kghostview/ps.c

[2] http://webcvs.kde.org/cgi-bin/cvsweb.cgi/kdenetwork/kpf/src/

By Jiffy at Fri, 2002/10/11 - 5:00am

I switched from GNOME 2.1 (CVS) to KDE 3.1 (CVS) yesterday and went to the Bank for a 20€ donation today. Thank you for such a cool Desktop Environment. It's the first time that I ever donated for something. Not even GNOME got a penny from me but after I played with KDE I said 'wow' this is worth it.

By Charly at Thu, 2002/10/10 - 5:00am

AWESOME... I think that everyone should follow your example! Myself included! I'll go to the bank on the 1/11.

All Thumbs Up Charly!


By kidcat at Mon, 2002/10/21 - 5:00am

Sorry if this question is lame, but I've been using Linux for about 1 week (when I decided to reformat my Windows-only HD and install Linux instead) and have already experienced problems with it. But if I download RPM or try to compile from source, will it be like I just upgraded my KDE or will everything (desktop backgrounds, themes, configs, programs installation) be erased?

By Gilles Leblanc at Thu, 2002/10/10 - 5:00am


User related configuration stays as is, but it may be possible that structures within the configuration itself have changed, so you may need to adjust some of your settings. This is only a valid statement if you switch e.g. from KDE 3.0.x to 3.1.x. But nothing of your configuration gets erased.

Programs, desktop backgrounds, themes etc.: this also depends; some themes and backgrounds may be stored in your homedir and some are globally installed.

By Klapper at Thu, 2002/10/10 - 5:00am

I have actually found that some apps change their config files so the application looks strange or misses features.

When I upgraded CDBakeoven from 1.8.9 to the cvs version in kdeextragear-1 (check it out if you haven't done it already) it refused to use mpg123/ogg123 before I deleted the config file .kde/share/config/.rc. This also applies to Quanta3 and Kate.

This will not be a problem when upgrading from 3.0.3 to 3.0.4, but is a good tip if you upgrade to a new major release (usually a bigger main number, y in x.x.y is a small fix and x.y simply y. is a big thing).

Also, I experienced (fx when recompiling Kde3Beta2 with a new compiler) that the KDE temp files in /tmp (or /var/tmp depending) need to be deleted when upgrading.

By Øyvind Sæther at Fri, 2002/10/11 - 5:00am

It shouldn't, since it's a bugfix-and-minor-improvements only update. All versions bearing the same minor version number (the order is major.minor.bugfix, so we're talking about kde 3.0.x) should be exchangeable. A different story are minor version number changes, e.g. when upgrading from 2.1 to 2.2, not all the settings seemed to have made it (though most did). The same is true for major number updates (e.g. 2.2.2 -> 3.0.0).

Talking about programs, all kde programs should reside in /opt/kde or /usr, along with their default settings. Your personal settings are stored in /home//.kde/share/config . If things go wrong, you will be reverted to the app's default settings. But as I said, a bugfix update should pose no problems at all (of course, mistakes happen).

Having said that, I would recommend you to (1) install from RPM because it's easier, and (2) wait for two weeks before upgrading. A lot of early vendor packages have their glitches, but they are usually sorted out after some time.

By Anno v. Heimburg at Fri, 2002/10/11 - 5:00am

Thanks for the replies :)

By Gilles Leblanc at Fri, 2002/10/11 - 5:00am

I know this is a Mandrake question, but I hope some Mdk user can answer.
When you upgrade KDE with the binaries provided in kde.org ... do you lose
your settings? (such as Mandrake Menus, Login Manager (KDM) configuration,
etc.?) I am planning to upgrade the Mandrake 9.0 binaries ...

Many thanks !

By NewMandrakeUser at Thu, 2002/10/10 - 5:00am

I just upgraded using the MDK binaries in Cooker. I used the Upgrade tool and everything installed fine.


By Will at Thu, 2002/10/10 - 5:00am

Thank you Will,

same excellent luck with the 9.0 binaries. I had to use --nodeps because of a TiMidity++ conflict, but Timidity is still running after the upgrade, it was just the way it was packaged (probably requiring kdemultimedia == 3.0.3) :-)

And Thank You MANDRAKE

By NewMandrakeUser at Thu, 2002/10/10 - 5:00am

This was very helpful

I'm a linux sysadmin and my current project is porting KDE to win32 os. I haven't been able to find a HOWTO on compiling the code in Visual Basic yet but when I do I'll release it under the GPL

By Sir Bard at Thu, 2002/10/10 - 5:00am

Why use KDE on win32?
I don't understand... better running win in vmware under KDE ;-)


By gunnar at Fri, 2002/10/11 - 5:00am

Are you sure you didn't mean compiling the code in Visual C++?
Or do:
A: you actually think that you can compile C code in VB
B: I'm actually so dumb I think it can't be done but it can
C: you just posted this post to see who would bite

By Gilles Leblanc at Fri, 2002/10/11 - 5:00am

Check out his comment on "I'll license it GPL".. this gotta be bogus!


By kidcat at Mon, 2002/10/21 - 5:00am

You mean like the folks at kde-cygwin.sf.net ?
Why aren't you working with them?


By Kevin Krammer at Fri, 2002/10/11 - 5:00am


By Frank Becker at Fri, 2002/10/11 - 5:00am

Great news! Thank you..... I'm a Win32 user and this would be absolutely great!
Maybe on msdn (http://msdn.microsoft.com/) you can find more help about the KDE/Visual Basic stuff.

Hope it helps.

By Bill G. at Thu, 2002/10/10 - 5:00am

I've put together some kde 3.0.4 RPMS for RedHat 7.3 (they *may* work on RedHat 7.2, but that is untested).

See the posting on pclinuxonline.com for details: http://www.pclinuxonline.com/modules.php?name=News&file=article&sid=3541

Even More details are available on my website:


-- Rex

By Rex Dieter at Thu, 2002/10/10 - 5:00am

I installed those on Red Hat 7.2, got it working without too much hassle, and (except a few minor glitches) it works well. Feels quite snappy too; programs start fast etc.

By Joni at Sat, 2002/10/12 - 5:00am