KDE 3.0.4: Fourth Enhancement Release (And Two Security Advisories)

The KDE Project today announced the release of KDE 3.0.4. Besides a number of usability and stability enhancements, it provides two important security corrections. The first corrects the file sharing program KPF, which since KDE 3.0.1 has permitted a remote user to retrieve any file readable by the user running KPF (security advisory). The second corrects the PostScript® / PDF viewer KGhostView, which since KDE 1.1 permits carefully-crafted PostScript and PDF files to execute arbitrary code (security advisory). If you cannot upgrade to KDE 3.0.4, which is strongly recommended, you should immediately stop using both KPF and KGhostView.


Comments

by Navindra Umanee (not verified)

Finally, some real KDE news for our friends at L&M!

Good job guys, glad to see KDE 3.0.x so well maintained.

by Eron Lloyd (not verified)

Incredible. The quality and consistency of the KDE project is just amazing. Thanks to all our hard working project members (coders and otherwise!) that *continue* to produce the best damn desktop available.

Three cheers,

Eron

by gunnar (not verified)

thanx for doing such a good job. kde is great!
and for just don't hiding bugs and doing much blabla - just fixing that stuff (great to see this probs in beta stage).

greeting gunnar

by Mohasr (not verified)

i wondering about making a whole kde release for only a security patch !!!

by JC (not verified)
by Roland (not verified)

And what about people upgrading from KDE2, Gnome or Windows?

It's much better to give them 3.0.4 than 3.0.3 plus patches.

by Coomsie (not verified)

Well Done!!!

KDE is the best.

Cheers
Coomsie :3)

by Anonymous (not verified)

Why is it that a security fix is a whole new release? I guess they are pretty major security releases, but it seems that every time I try to upgrade my KDE, it crashes. This one is no different. Upgrading Mdk 8.2 with KDE 3.0 installed, trying to upgrade to 3.04 (this one). Seemed to install fine using the RPMs and urpmi. Logged out and logged back in and things looked good, but then Kalarm crashed. I started Korganizer. It started fine, but then when I tried to add an event, it crashed. Got it to output the debugging symbols and went to view them using Kwrite, but it crashed when I tried to save them. Crash, crash, crash. I finally completely uninstalled KDE and then reinstalled KDE3.0, after I installed KDE 2.2.2. Don't ask, I was fighting with KDE3.0 all night just to get back to where I was this afternoon. This is a work machine and I need it for work. But I love KDE so damn much that I eagerly await the next release so I can try to upgrade again. :-)

by Anonymous (not verified)

Install from source, don't count on [first week] distributor packages.

by John Herdy (not verified)

Better; use Gentoo (www.gentoo.org). It's a source based distro so no RPM-dependency-hell. You don't have to do anything manually just type "emerge kde" and you can enjoy the latest and greatest. Besides the ease of package management Gentoo has a lot of great packages e.g. Unreal Tournament 2003. With one command you can enjoy this great game.

by philip howells (not verified)

props to John, gentoo *ROCKS*
I tried to do the same with Slackware and scripts, but gentoo does everything right, and is easy to admin too.

by Jon (not verified)

Perhaps you should try a different distro? I can almost guarantee that when the Debian packages are out, they'll install perfectly first time.

by Janne (not verified)

"I can almost guarantee that when the Debian packages are out, they'll install perfectly first time."

Yeah, and it seems that we will be getting Debian-packages for KDE3 sometime in 2004

by debs (not verified)

> Yeah, and it seems that we will be getting Debian-packages for KDE3 sometime in 2004

Debian packages are already available, for Woody (stable) and Sid (unstable):

http://download.au.kde.org/pub/kde/stable/3.0.4/Debian/

by Janne (not verified)

Official packages? To my knowledge, there are un-official packages available, but no official-ones.

by Kevin Krammer (not verified)

Most of them are done by the packagers that do the official packages, so that's official enough for me :-)
They are just not uploaded to the debian servers.

I read that the real official packages are postponed to the GCC3.2 switch.

Cheers,
Kevin

by Monster (not verified)

I used RPMs because it is the swiftest way to update.
Then I notice that things don't work as they should and commence to exchange
packages. Mostly after arts, kdelibs and kdebase the distribution-specific
"bugs" are less annoying.
Though... upgrading from sources has always produced the most satisfactory results.

by fault (not verified)

If you don't care about the security patch, why are you even upgrading KDE and complaining that it's a new release.

pffah

by Mathieu Bois (not verified)

Exactly the same problem on Mandrake 8.2 with all MDK updates applied.

I've upgraded (with RPM) from KDE3.0.1 to KDE3.0.4 today. urpmi installed without problem.

But:
- KControl can't be launched (immediate crash).
- KMail crashes if you go to its configuration or try to do a new mail (!)
- Konqueror crashes (I searched "crash" in this page, and after the last occurrence, it crashed, several times)

I even created a blank new user, with no ~/.kde related directories, and without /tmp/kde related files or directories : it didn't get better.

I give up. I'll try to go back to KDE3.0.1 if I can. And maybe put away Mandrake as a linux distribution, because I do not trust it anymore, and because I'm fed up with its unstable features.

I only hope KDE will work smoothly on the new distrib I'll choose, because I've become a Konqueror and KMail addict!

by Neo Gigs (not verified)

Personally advice that should not play on a work machine unless u are sure there is no harm to data. A way to prevent this is to partition some directory into separate partition.

I done by this:

/dev/hda1 - /boot
/dev/hda2 - swap
/dev/hda3 - /
/dev/hdb1 - /var
/dev/hdb2 - /usr/local
/dev/hdb3 - /home
/dev/hdb4 - /work

what happened before i post this thread is my Mozilla 1.2b drive me crazy with tons of problems and bugs, so what I did was to uninstall Mozilla 1.2Xft (that including my earlier version, because it was done by upgrading from default shipped Mozilla 1.0.1 -> Mozilla 1.1 -> Mozilla 1.2b), this also caused Galeon and Evolution to gone due to dependencies.

One good plan was my settings, mails, profiles, bookmarks was retained and when I reinstall from Redhat package installer with Mozilla, Galeon and Evolution, everything is exactly the same...

Cool Redhat 8......very cool....

by Corba the Geek (not verified)

It would be annoying enough executing malicious code as an ordinary user... but as root.

by Scotty (not verified)

For KDE 3.0.3, RedHat binaries have been shipped.
Is this no longer done for 3.0.4 or will they shipped later?

by L.Lunak (not verified)

Ask RedHat. KDE is not providing any binary packages (how many times must this be repeated?).

by Scotty (not verified)

Sorry, but see http://www.kde.org/info/3.0.3.html - (unofficial!) Redhat packages had been provided under http://download.kde.org/stable/3.0.3/contrib/RedHat/7.3/ !?!

I know that Redhat is packaging KDE different from KDE - the "unofficial" release was following the KDE-packaging policy and I have installed those on my RHL7.3 bases system.
Scotty

by Sad Eagle (not verified)

The "unofficial" means that a volunteer has provided them.

by Eleknader (not verified)

RedHat does not provide KDE updates in general.

They support Gnome instead.

Take a look at distributions that provide KDE packages on regular basis. These are mentioned at the release page.

Personally I'm using Debian, and it works fine. Upgrading is simple as 'apt-get upgrade kde'

Eleknader

by _deadfish (not verified)

I am running KDE 3.1 beta 2 on Mandrake 8.2. I am wondering if I can/should update(?) to this from KDE 3.1 beta 2. Any suggestions/comments ?

by Will Stephenson (not verified)

3.0.x releases are bug and security fix releases. All the changes versus 3.0.3 are either fixes to the existing code or fixes that are in 3.1.x, backported to the older code.

So I'd say you already have the updates over 3.0.3. The security advisories don't say that the 3.1 tree is affected.

Will

3.1 beta2 is also affected by both the security issues. Either patch your source or stop using the two affected programs.

The KGhostview buffer overflow was fixed September 26 [1]. It looks like the fix was included in 3.1 Beta 2.

The file sharing security hole appears to have been fixed October 7 [2], so the exploit would still exist in 3.1 Beta 2.

------

[1] http://webcvs.kde.org/cgi-bin/cvsweb.cgi/kdegraphics/kghostview/ps.c

[2] http://webcvs.kde.org/cgi-bin/cvsweb.cgi/kdenetwork/kpf/src/

by Charly (not verified)

I switched from GNOME 2.1 (CVS) to KDE 3.1 (CVS) yesterday and went to the Bank for a 20€ donation today. Thank you for such a cool Desktop Environment. It's the first time that I ever donated for something. Not even GNOME got a penny from me but after I played with KDE I said 'wow' this is worth it.

by kidcat (not verified)

AWESOME... I think that everyone should follow your example! Myself included! I'll go to the bank on the 1/11.

All Thumbs Up Charly!

/kidcat

by Gilles Leblanc (not verified)

Sorry if this question is lame, but I've been using Linux for about 1 week ( when I decided to reformat my windows only hd and install Linux instead ) and have already experienced problems with it. But if I download RPM or try to compile from source, will it be like I just upgraded my KDE or will everything ( desktop backgrounds, themes, configs, programs installation ) be erased ?

depends,

user related configuration stays as is but it may be possible that structures within the configuration itself has changed so you may need to adjust some of your settings. this is only a valid statement if you switch e.g. from kde 3.0.x to 3.1.x. but nothing of your configuration get erased.

programs, desktop backgrounds, themes etc. this also depends some themes and backgrounds may be stored in your homedir and some are globally installed.

by Øyvind Sæther (not verified)

I have actually found that some apps change their config files so the application looks strange or misses features.

When I upgraded from CDBakeoven from 1.8.9 to the cvs version in kdeextragear-1 (check it out if you haven't done it already) it refused to use mpg123/ogg123 before I deleted the config file .kde/share/config/.rc. This also applies to Quanta3 and Kate.

This will not be a problem when upgrading from 3.0.3 to 3.0.4, but is a good tip if you upgrade to a new major release (usually a bigger main number, y in x.x.y is a small fix and x.y simply y. is a big thing).

Also, I experienced (fx when recompiling Kde3Beta2 with a new compiler) that the KDE temp files in /tmp (or /var/tmp depending) needs to be deleted when upgrading.

by Anno v. Heimburg (not verified)

It shouldn't, since it's a bugfix-and-minor-improvements only update. All version bearing the same minor version number (the order is major.minor.bugfix, so we're talking about kde 3.0.x) should be exchangeable. A different story are minor version number changes, e.g when upgrading from 2.1 to 2.2, not all the settings seemed to have made it (though most did). The same is true for major number updates (e.g. 2.2.2 -> 3.0.0).

Talking about programs, all kde programs should reside in /opt/kde or /usr, along with their default settings. Your personal settings are stored in /home//.kde/share/config . If things go wrong, you will be reverted to the app's default settings. But as I said, a bugfix update should pose no problems at all (of course, mistakes happen).

Having said that, I would recommend you to (1) install from RPM because it's easier, and (2) wait for two weeks before upgrading. A lot of early vendor packages have their glitches, but they are usually sorted out after some time.

by Gilles Leblanc (not verified)

Thanks for the replies :)

by NewMandrakeUser (not verified)

I know this is a Mandrake question, but I hope some Mdk user can answer.
When you upgrade KDE with the binaries provided in kde.org ... do you lose
your settings ? (such as Mandrake Menus, Login Manager (KDM) configuration,
etc. ?) I am planning to upgrade the Mandrake 9.0 binaries ...

Many thanks !

I just upgraded using the MDK binaries in Cooker. I used the Upgrade tool and everything installed fine.

Will

by NewMandrakeUser (not verified)

Thank you Will,

same excellent luck with the 9.0 binaries. I had to use --nodeps because of a TiMidity++ conflict, but Timidity is still running after the upgrade, it was just the way it was packaged (probably requiring kdemultimedia == 3.0.3) :-)

And Thank You MANDRAKE
:-)

by Sir Bard (not verified)

This was very helpful

I'm a linux sysadmin and my current project is porting KDE to win32 os. I haven't been able to find a HOWTO on compiling the code in Visual Basic yet but when I do I'll release it under the GPL

by gunnar (not verified)

why using kde on win32?
i dont understand... better running win in vmware under kde ;-)

gunnar

by Gilles Leblanc (not verified)

Are you sure you didnt mean compiling the code in Visual C++.
Or do :
A : you actually think that you can compile C code in VB
B : Im actually so dumb I think it can`t be done but it can
C : you just posted this post to see who would bite

by kidcat (not verified)

check out his comment on "ill license it GPL".. this gotta be a bogus!

/kidcat

by Kevin Krammer (not verified)

You mean like the folks at kde-cygwin.sf.net ?
Why aren't you working with them?

Cheers,
Kevin

by Frank Becker (not verified)

YHBT. YHL. HAND.

by Bill G. (not verified)

Great news! Thank you..... I'm a Win32 user and this would be absolutely great!
Maybe on msdn (http://msdn.microsoft.com/) you can find more help about the KDE/Visual Basic stuff.

Hope it helps.

by Rex Dieter (not verified)

I've put together some kde 3.0.4 RPMS for RedHat 7.3 (they *may* work on RedHat 7.2, but that is untested).

See the posting on pclinuxonline.com for details: http://www.pclinuxonline.com/modules.php?name=News&file=article&sid=3541

Even More details are available on my website:
http://www.math.unl.edu/~rdieter/

Enjoy.

-- Rex

by Joni (not verified)

I installed those on Red Hat 7.2, got it working without too much hassle, and (except a few minor glitches) it works well. Feels quite snappy too; programs start fast etc.