Security: PS/PDF file handling vulnerability

The KDE Security team has issued an advisory on a vulnerability present in all versions of KDE that allow a remote attacker to execute arbitrary commands under your account. KDE 3.0.5b and KDE 3.1.1a have been released to address this problem. For KDE 2.2.2 patches to the KDE 2.2.2 sources have been made available.

KDE uses Ghostscript software for processing of PostScript (PS)
and PDF files in a way that allows for the execution of arbitrary
commands that can be contained in such files.

An attacker can prepare a malicious PostScript or PDF file which will
provide the attacker with access to the victim's account and privileges
when the victim opens this malicious file for viewing or when the
victim browses a directory containing such malicious file and has
file previews enabled.

An attacker can provide malicious files remotely to a victim in an
e-mail, as part of a webpage, via an ftp server and possible other

OS vendors and KDE package providers have been alerted and the we expect them to provide updated binary packages shortly. The following updates are already available from the KDE ftp mirrors:

Note that many also provide updates via their own online update service.

Dot Categories: 


by Mark Hillary (not verified)

You know what would be nice, is if distributors packaged up a binary update of just what changed. So that we didn't need to download a whole new kde or what ever every time a new release is made.

But then maybe I'm only dreaming. :)

by uga (not verified)

That shouldn't be difficult I think. They could just release something called "kde3.1.1secpatch.xxxx.i586.rpm". This would install just that necessary part.

The only problem that I find is that this package could have conflicts with other packages, since it's providing the same files. I'm not sure if rpm or other formats admit this kind of overwriting.

by Mark Hillary (not verified)

Maybe its a feature that could be added. To allow a package to assosicated with a differernet package as an update.

by benji weber (not verified)

SuSE do it already

by Anonymous (not verified)

> You know what would be nice, is if distributors packaged up a binary update of just what changed.

SuSE's update already uses rpm patches since SuSE 8.0.

by Anton Velev (not verified)

Just use the viewer from the creators of the PDF - Adobe Acrobat Reader.
There is linux version - very nice one.

And something more to add, it seems that Adobe are moving on the curve to start using QT for their products. May be just rumors. However I will not be surprised if next version of Photoshop is QT based and also available for linux - then asta la vista gimp. For making you sure that new QT curve that happens in Adobe is not just rumor (may be it still is) check this:

QT & KDE forever! Use Adobe Acrobat Reader for Linux if you want to view PDFs.

by AC (not verified)

I doubt that the Gimp will go away, as it is pretty unlikely that they you will get Photoshop for free :)

by Anton Velev (not verified)

Why not to pay money if it's good?
Why one things that software should be free?
Also we are talking about Adobe Acrobat Reader which is free softare.

And something to add about the old topic for adoption of linux as business desktop. Some people beleive that linux can possibly dominate one day on business desktop, with only free software installed. This is total mud. Just impossible. For adoption of one platform as corporate platform some money should be invested and big amount of PROFESSIONAL and COMMERCIAL apps available - like Photoshop. Relating with the current example one professional designer will never use linux before he has programs like Photoshop, CorelDraw etc. And talking about using GIMP for professional work is unserious (not saying that GIMP is unprofessional but far from Photoshop).
My sister is professional designer and i tried several times to point her attention to linux and GIMP but unsuccessful, however she appreciate highly the cool design of my KDE desktop. And be sure she would use Linux for professional work if there was available linux version of Adobe Photoshop. Just to mention with wine only 4.0 and 5.0 works fine.

Anyway think about it - commercial quality software is needed for linux to konquer the business desktop!

by Albert Astals Cid (not verified)

Acrobat Reader is software and it is free, but it is not free software.

by Anton Velev (not verified)

100% free like the free beer :)

by Jim (not verified)

I agree. My company already buys licenses for Photshop/Win.
If there was a Photoshop/Linux we certainly would buy some.
We would even pay for a GIMP which runs in a _single_ window!
GIMP's user interface is really awful. And please don't keep telling me
that it's in fact a good idea to have thousands of separate cluttered windows,
no reasonable menu bar, and a stone-age file open dialog. I bet no
UI expert has ever seen that thing or he would've dropped dead on the spot.
I know, with GNOME the thousands of windows would be managed by the
window manager. That's what they keep telling us. But I don't use GNOME.
And I don't want to use it because otherwise my whole desktop would have a UI
like GIMP. Those GNOME folks are real nerds IMO. They can create programs
with an amazing bunch of functions but no decent UI at all. And the best thing
is: They really thing it's great. Muahaha! No way - I don't want to go back
to Windows 2.0 UI only because they say it's faster and simpler. It's not.
Unfortunately there are not many alternatives. Some of them don't support
PSD files and others (like Corel PhotoPaint for Linux) are so dead slow that you
rather boot to windows, edit your picture, and boot back to linux.
What's really missing is a KDE photo editor with PSD support.
Krita is dead. So what has happened to Mosfet Paint BTW?

by uga (not verified)

I don't agree much on the need of a new interface for Gimp, but it's true that sometimes one can get lost on so many windows, that lose focus.... Isn't there an easy way to have them all in focus before the rest of the apps?

>So what has happened to Mosfet Paint BTW?

by Ka-ael (not verified)

Reeeaaallly off-topic but:

Well, yes.. Gimp can get cluttered by multiple windows but does it really help to unclutter the windows if you have a big window under them all (ala. Photoshop) ?
Well, maybe in Windows where you don't have Virtual Desktops. Gimp is developed for Linux where Virtual Desktop has been available for virtually always. But, yes.. if Adobe releases Photoshop for Linux it will be on our companys computers. Gimp just isn't there yet but it is still a very good program.

by hober (not verified)

There is a standard answer to this standard whining:

get better window manager!

by Jim (not verified)

1. You did not read my post. I know this.
2. Virtual Desktops != Single Desktop with multiple windows
in terms of usability

by m0ns00n (not verified)

1. The standard answer to this whining is by people who don't do more with gimp than gif animations for their personal homepage

2. KDE is a very nice window manager don't you think?

I think most people who defend Gimp are loudmouths. I am trying to actually USE this program in game development, and you know what? It sucks. Currently, Linux has NO gfx app. That's the truth. Unless you consider KPaint a Deluxe Paint killer.

by James Richard Tyrer (not verified)

> We would even pay for a GIMP which runs in a _single_ window!

Sorry to have to tell you this, but X simply will NOT work that way!


by fault (not verified)

umm, X neither works like that or doesn't.

by Richard (not verified)

I tried using GIMP. It's crap. You're right on with the interface. Damn that thing is horrid. Ironic that a program for graphic manipulation and graphic design would have the all the beauty and grace of a severed limb.

I really like what the program can do, but I don't like the billion+1 window arrangement or the trillions of dialog boxes.

by AC (not verified)

I didnt say that no one would buy Photoshop.. but there are more than enough people like me, who use the Gimp like 10 times a year and certanily don't want to pay 500 bucks for it...

by dman (not verified)

so how could we get it for free????

by Thomas (not verified)

Nonsense... Adobe may think about a QT-based Acrobat Reader... but that's it for now. Don't ever dream of a company like Adobe tiing one of their major products (like Photoshop) to the small Trolltech company... Maybe Adobes developers really think QT is a cute thingy and maybe more fun to program in than Visual C++'s native classes but the strategists at Adobe will strongly advice against porting Photoshop to QT for one simple reason: A major rewrite of tons of code could only be done once (even by a big company like Adobe). If something goes wrong, there will be no way back (you can not afford to loose _two_ release cycles just with ports and rewrites and no feature additions)

by Anton Velev (not verified)

Actually if Adobe chooses QT as their toolit for Photoshop and their other products they can only win because as we know they are anow maintaing Mac and Win32 version of their product. And if they choose QT they will maintain only one version for all platforms.

by Mike (not verified)

Right. In addition, considering they are already maintaining seperate versions for Windows and Macs, they have already built an abstraction layer. All they have to do is create a version of that abstraction layer for Qt. That's not difficult at all. This would also open up a whole nother market for them: Unix/Linux users.

Guess what, science labs all over the world have been moving to linux (especially for linux clusters) and scientists do use photoshop to work on the images generated by their expiriments. I rather doubt they'll pay Trolltech for Qt use for Windows and Macs, considering they already have code written for both platforms. However, programming with Qt is extremely easy, definitely WAY easier than M$'s bug-ridden MFC crap.

by AC (not verified)

Or, maybe, they have an abstraction layer and they want to get rid of it because it sucks and/or maintaining it costs more money than Qt licenses...

by Alan W. Irwin (not verified)

I got nothing new from

cvs update -r KDE_3_1_1_RELEASE

and could find no tag to use in webcvs (perhaps because of propagation delays). What is the correct cvs tag to use for the 3.1.1a release? I can make the obvious guess, but I would prefer the definitive answer instead.

by Waldo Bastian (not verified)

It doesn't seem to be tagged yet but you can use

cvs update -r KDE_3_1_BRANCH


by Matthias Kilian (not verified)

Well, that seems to update *lots* of stuff. More than the mere patch files contain.

And (offtopic): I generally think that the CVS tags (Releases and branches) should be
documented a little better. It's not clear wether KDE_X_Y_BRANCH is the same as the
latest KDE_X_Y_Z_RELEASE. Also, tags for KDE and KOffice are interweaved within
kde-i18n. IMHO, files not belonging to core kde shouldn't go into kde-i18n.


by Håvard Røkkum (not verified)


Since I upgraded to MDK 9.1 and compiled QT 3.1.2 and KDE 3.1.1 I have had a lot of hangs in KDE. I think it has to do with a hell of a lot of debug output to every file defined as errfile in the /etc/X11/Xsession ($HOME/.xsession-errors and /tpm/xses-$USER).
It also starts generationg a lot of .fonts-cache.XXXXX files in my home-dir and the same files in /tmp but here they are called .resolv.conf.XXXXX. This font thingy seems to happen when I turn on preview of text files in konqueror.
The comands writing this crap to disk is kdDebug, kdWarning, kdError and kdFatal defined in /kdelibs-3.1.1(a)/kdecore/kdebug.h(cpp)???


"Since I upgraded to MDK 9.1 and compiled QT 3.1.2 and KDE 3.1.1 I have had a lot of hangs in KDE."

Where is your source from? Are they the hacked MDK SRPM's, or are they the "real" source tarballs from like

by Blazej F. (not verified)

Hey, is it just me, or since I upgraded kdebase and kdelibs to 3.1.1a a very annoying bug in konqueror has disappeared. I mean now I can click the middle button on a link in a webpage and a new tab pops up immediately without waiting to contact the server. Since my internet connection is not very fast (115kbps) I often had to wait a while until a new tab was spawned and only then continue middle-clicking. I use tabbed browsing a lot, for instance when I am browsing sites like I always open screenshots in new tabs. With this bug konqueror was less comfortable to browse with than mozilla. And now the bug is gone!

by Alexander Perez (not verified)

It's true, tabs are now fastest, and this improves konqueror a lot. Can i say thanks to the security bug ? ;)

by a (not verified)

Where is it? :-D