Security: Advisories for KPDF, KOffice and Konversation

Three security advisories have been issued this week. The first two are due to a vulnerability that was discovered in xpdf. Both KPDF and the KOffice PDF import filter include their own version of xpdf and as a result they too will require some updating. The third advisory involves Konversation, in which several security issues were discovered.


Comments

by anon (not verified)

"Both KPDF and the KOffice PDF import filter include their own version of xpdf"

What?!? Isn't this exactly what shared libraries are for?

by Daniel Molkentin (not verified)

If xpdf was available as a shared library, it certainly would...

by fprog26 (not verified)

Well, since KPDF and KOffice are both KDE packages,
maybe there should exist only one shared library for xpdf within KDE?

Code duplication sux 101

by Christian Loose (not verified)

If xpdf was available as a shared library, it certainly would..

by Ingo Klöcker (not verified)

Wrong. If xpdf was available in KDE as a shared KDE wrapper library then it certainly would. There's absolutely no reason to have two copies of xpdf in KDE (at least not in the long run). I bet that those were not the last security problems which are discovered in xpdf:

October 2004:
http://www.kde.org/info/security/advisory-20041021-1.txt
http://koffice.kde.org/security/2004_xpdf_integer_overflow.php

December 2004:
http://www.kde.org/info/security/advisory-20041223-1.txt
http://koffice.kde.org/security/2004_xpdf_integer_overflow_2.php

January 2004:
http://www.kde.org/info/security/advisory-20050119-1.txt
http://koffice.kde.org/security/advisory-20050120-1.txt

by Morty (not verified)

What is even more puzzling is the fact that the kdegraphics module both contains a version of xpdf and tries to link to parts of an external version. Since I don't have xpdf installed I get this funny message when using cvs.

You're missing pdfinfo. That means that you won't be able to
see additional informations about pdf files in konqueror.
The plugin for it will still be compiled, but won't work until
you install pdfinfo.
You can download it (inside the xpdf package) from
http://www.foolabs.com/xpdf/

I have been considering filing a bug on it, but haven't gotten around to it yet:-)

by azhyd (not verified)

One practical problem is where do you put the common library. Another problem is that the xpdf sources need some slight modifications for the pdf->kword filter.

by azhyd (not verified)

And one more problem is that in koffice it is not the same xpdf version ... I am working on that though.

by llllll (not verified)

Fixed this potential remote_procedure_call-risk.
Note: Older Linux versions are lesser hollowed.