Security: PS/PDF file handling vulnerability
Thursday, 10 April 2003 | Wbastian
The KDE Security team has issued an advisory on a vulnerability present in all versions of KDE that allow a remote attacker to execute arbitrary commands under your account. KDE 3.0.5b and KDE 3.1.1a have been released to address this problem. For KDE 2.2.2 patches to the KDE 2.2.2 sources have been made available.
KDE uses Ghostscript software for processing of PostScript (PS) and PDF files in a way that allows for the execution of arbitrary commands that can be contained in such files.
An attacker can prepare a malicious PostScript or PDF file which will provide the attacker with access to the victim's account and privileges when the victim opens this malicious file for viewing or when the victim browses a directory containing such malicious file and has file previews enabled.
An attacker can provide malicious files remotely to a victim in an e-mail, as part of a webpage, via an ftp server and possible other means.
OS vendors and KDE package providers have been alerted and the we expect them to provide updated binary packages shortly. The following updates are already available from the KDE ftp mirrors:
Note that many also provide updates via their own online update service.Comments:
Updates - Mark Hillary - 2003-04-10
You know what would be nice, is if distributors packaged up a binary update of just what changed. So that we didn't need to download a whole new kde or what ever every time a new release is made. But then maybe I'm only dreaming. :)
Re: Updates - uga - 2003-04-10
That shouldn't be difficult I think. They could just release something called "kde3.1.1secpatch.xxxx.i586.rpm". This would install just that necessary part. The only problem that I find is that this package could have conflicts with other packages, since it's providing the same files. I'm not sure if rpm or other formats admit this kind of overwriting.
Re: Updates - Mark Hillary - 2003-04-10
Maybe its a feature that could be added. To allow a package to assosicated with a differernet package as an update.
Re: Updates - benji weber - 2003-04-10
SuSE do it already
Re: Updates - Anonymous - 2003-04-10
> You know what would be nice, is if distributors packaged up a binary update of just what changed. SuSE's update already uses rpm patches since SuSE 8.0.
Adobe Acrobat for PDF files - Anton Velev - 2003-04-10
Just use the viewer from the creators of the PDF - Adobe Acrobat Reader. There is linux version - very nice one. And something more to add, it seems that Adobe are moving on the curve to start using QT for their products. May be just rumors. However I will not be surprised if next version of Photoshop is QT based and also available for linux - then asta la vista gimp. For making you sure that new QT curve that happens in Adobe is not just rumor (may be it still is) check this: http://www.trolltech.com/newsroom/announcements/00000120.html QT & KDE forever! Use Adobe Acrobat Reader for Linux if you want to view PDFs.
Re: Adobe Acrobat for PDF files - AC - 2003-04-10
I doubt that the Gimp will go away, as it is pretty unlikely that they you will get Photoshop for free :)
Re: Adobe Acrobat for PDF files - Anton Velev - 2003-04-10
Why not to pay money if it's good? Why one things that software should be free? Also we are talking about Adobe Acrobat Reader which is free softare. And something to add about the old topic for adoption of linux as business desktop. Some people beleive that linux can possibly dominate one day on business desktop, with only free software installed. This is total mud. Just impossible. For adoption of one platform as corporate platform some money should be invested and big amount of PROFESSIONAL and COMMERCIAL apps available - like Photoshop. Relating with the current example one professional designer will never use linux before he has programs like Photoshop, CorelDraw etc. And talking about using GIMP for professional work is unserious (not saying that GIMP is unprofessional but far from Photoshop). My sister is professional designer and i tried several times to point her attention to linux and GIMP but unsuccessful, however she appreciate highly the cool design of my KDE desktop. And be sure she would use Linux for professional work if there was available linux version of Adobe Photoshop. Just to mention with wine only 4.0 and 5.0 works fine. Anyway think about it - commercial quality software is needed for linux to konquer the business desktop!
Re: Adobe Acrobat for PDF files - Albert Astals Cid - 2003-04-10
Acrobat Reader is software and it is free, but it is not free software.
Re: Adobe Acrobat for PDF files - Anton Velev - 2003-04-10
100% free like the free beer :)
Re: Adobe Acrobat for PDF files - Jim - 2003-04-10
I agree. My company already buys licenses for Photshop/Win. If there was a Photoshop/Linux we certainly would buy some. We would even pay for a GIMP which runs in a _single_ window! GIMP's user interface is really awful. And please don't keep telling me that it's in fact a good idea to have thousands of separate cluttered windows, no reasonable menu bar, and a stone-age file open dialog. I bet no UI expert has ever seen that thing or he would've dropped dead on the spot. I know, with GNOME the thousands of windows would be managed by the window manager. That's what they keep telling us. But I don't use GNOME. And I don't want to use it because otherwise my whole desktop would have a UI like GIMP. Those GNOME folks are real nerds IMO. They can create programs with an amazing bunch of functions but no decent UI at all. And the best thing is: They really thing it's great. Muahaha! No way - I don't want to go back to Windows 2.0 UI only because they say it's faster and simpler. It's not. Unfortunately there are not many alternatives. Some of them don't support PSD files and others (like Corel PhotoPaint for Linux) are so dead slow that you rather boot to windows, edit your picture, and boot back to linux. What's really missing is a KDE photo editor with PSD support. Krita is dead. So what has happened to Mosfet Paint BTW?
Re: Adobe Acrobat for PDF files - uga - 2003-04-10
I don't agree much on the need of a new interface for Gimp, but it's true that sometimes one can get lost on so many windows, that lose focus.... Isn't there an easy way to have them all in focus before the rest of the apps? >So what has happened to Mosfet Paint BTW? http://lists.kde.org/?l=kde-devel&m=104999312425319&w=2
Re: Adobe Acrobat for PDF files - Ka-ael - 2003-04-11
Reeeaaallly off-topic but: Well, yes.. Gimp can get cluttered by multiple windows but does it really help to unclutter the windows if you have a big window under them all (ala. Photoshop) ? Well, maybe in Windows where you don't have Virtual Desktops. Gimp is developed for Linux where Virtual Desktop has been available for virtually always. But, yes.. if Adobe releases Photoshop for Linux it will be on our companys computers. Gimp just isn't there yet but it is still a very good program.
Re: Adobe Acrobat for PDF files - hober - 2003-04-11
There is a standard answer to this standard whining: get better window manager!
Re: Adobe Acrobat for PDF files - Jim - 2003-04-11
1. You did not read my post. I know this. 2. Virtual Desktops != Single Desktop with multiple windows in terms of usability
Re: Adobe Acrobat for PDF files - m0ns00n - 2003-04-13
1. The standard answer to this whining is by people who don't do more with gimp than gif animations for their personal homepage 2. KDE is a very nice window manager don't you think? I think most people who defend Gimp are loudmouths. I am trying to actually USE this program in game development, and you know what? It sucks. Currently, Linux has NO gfx app. That's the truth. Unless you consider KPaint a Deluxe Paint killer.
Re: Adobe Acrobat for PDF files - James Richard Tyrer - 2003-04-20
> We would even pay for a GIMP which runs in a _single_ window! Sorry to have to tell you this, but X simply will NOT work that way! -- JRT
Re: Adobe Acrobat for PDF files - fault - 2003-04-20
umm, X neither works like that or doesn't.
Re: Adobe Acrobat for PDF files - Richard - 2005-03-04
I tried using GIMP. It's crap. You're right on with the interface. Damn that thing is horrid. Ironic that a program for graphic manipulation and graphic design would have the all the beauty and grace of a severed limb. I really like what the program can do, but I don't like the billion+1 window arrangement or the trillions of dialog boxes.
Re: Adobe Acrobat for PDF files - AC - 2003-04-11
I didnt say that no one would buy Photoshop.. but there are more than enough people like me, who use the Gimp like 10 times a year and certanily don't want to pay 500 bucks for it...
Re: Adobe Acrobat for PDF files - dman - 2004-01-31
so how could we get it for free????
Re: Adobe Acrobat for PDF files - Thomas - 2003-04-10
Nonsense... Adobe may think about a QT-based Acrobat Reader... but that's it for now. Don't ever dream of a company like Adobe tiing one of their major products (like Photoshop) to the small Trolltech company... Maybe Adobes developers really think QT is a cute thingy and maybe more fun to program in than Visual C++'s native classes but the strategists at Adobe will strongly advice against porting Photoshop to QT for one simple reason: A major rewrite of tons of code could only be done once (even by a big company like Adobe). If something goes wrong, there will be no way back (you can not afford to loose _two_ release cycles just with ports and rewrites and no feature additions)
Re: Adobe Acrobat for PDF files - Anton Velev - 2003-04-10
Actually if Adobe chooses QT as their toolit for Photoshop and their other products they can only win because as we know they are anow maintaing Mac and Win32 version of their product. And if they choose QT they will maintain only one version for all platforms.
Re: Adobe Acrobat for PDF files - Mike - 2003-04-11
Right. In addition, considering they are already maintaining seperate versions for Windows and Macs, they have already built an abstraction layer. All they have to do is create a version of that abstraction layer for Qt. That's not difficult at all. This would also open up a whole nother market for them: Unix/Linux users. Guess what, science labs all over the world have been moving to linux (especially for linux clusters) and scientists do use photoshop to work on the images generated by their expiriments. I rather doubt they'll pay Trolltech for Qt use for Windows and Macs, considering they already have code written for both platforms. However, programming with Qt is extremely easy, definitely WAY easier than M$'s bug-ridden MFC crap.
Re: Adobe Acrobat for PDF files - AC - 2003-04-11
Or, maybe, they have an abstraction layer and they want to get rid of it because it sucks and/or maintaining it costs more money than Qt licenses...
Re: Adobe Acrobat for PDF files - sith - 2003-04-13
uhum....check this out : http://www.trolltech.com/newsroom/announcements/00000120.html
I can find no trace of this in cvs - Alan W. Irwin - 2003-04-10
I got nothing new from cvs update -r KDE_3_1_1_RELEASE and could find no tag to use in webcvs (perhaps because of propagation delays). What is the correct cvs tag to use for the 3.1.1a release? I can make the obvious guess, but I would prefer the definitive answer instead.
Re: I can find no trace of this in cvs - Waldo Bastian - 2003-04-10
It doesn't seem to be tagged yet but you can use cvs update -r KDE_3_1_BRANCH instead
Re: I can find no trace of this in cvs - Matthias Kilian - 2003-04-12
Well, that seems to update *lots* of stuff. More than the mere patch files contain. And (offtopic): I generally think that the CVS tags (Releases and branches) should be documented a little better. It's not clear wether KDE_X_Y_BRANCH is the same as the latest KDE_X_Y_Z_RELEASE. Also, tags for KDE and KOffice are interweaved within kde-i18n. IMHO, files not belonging to core kde shouldn't go into kde-i18n. Regards, Kili
Kde 3.1.1 and 3.1.1a has serious bugs... - Håvard Røkkum - 2003-04-11
Hi Since I upgraded to MDK 9.1 and compiled QT 3.1.2 and KDE 3.1.1 I have had a lot of hangs in KDE. I think it has to do with a hell of a lot of debug output to every file defined as errfile in the /etc/X11/Xsession ($HOME/.xsession-errors and /tpm/xses-$USER). It also starts generationg a lot of .fonts-cache.XXXXX files in my home-dir and the same files in /tmp but here they are called .resolv.conf.XXXXX. This font thingy seems to happen when I turn on preview of text files in konqueror. The comands writing this crap to disk is kdDebug, kdWarning, kdError and kdFatal defined in /kdelibs-3.1.1(a)/kdecore/kdebug.h(cpp)??? Regards Håvard
Re: Kde 3.1.1 and 3.1.1a has serious bugs... - Xanadu - 2003-04-14
"Since I upgraded to MDK 9.1 and compiled QT 3.1.2 and KDE 3.1.1 I have had a lot of hangs in KDE." Where is your source from? Are they the hacked MDK SRPM's, or are they the "real" source tarballs from like ftp.kde.org?
Tabbed browsing in konq improved! - Blazej F. - 2003-04-12
Hey, is it just me, or since I upgraded kdebase and kdelibs to 3.1.1a a very annoying bug in konqueror has disappeared. I mean now I can click the middle button on a link in a webpage and a new tab pops up immediately without waiting to contact the server. Since my internet connection is not very fast (115kbps) I often had to wait a while until a new tab was spawned and only then continue middle-clicking. I use tabbed browsing a lot, for instance when I am browsing sites like kde-look.org I always open screenshots in new tabs. With this bug konqueror was less comfortable to browse with than mozilla. And now the bug is gone! WHOA!!! COOL!!!
I've noticed it too :))))) - Alexander Perez - 2003-04-12
It's true, tabs are now fastest, and this improves konqueror a lot. Can i say thanks to the security bug ? ;)
Service Pack! - a - 2003-04-15
Where is it? :-D