Security: Advisories for kdelibs and Kommander

Two security advisories have been issued by the KDE Security Team which both affect KDE 3.2 up to and including KDE 3.4: kdelibs does not properly perform input validation for image files. Kommander executes without user confirmation data files from possibly untrusted locations. These issues will be fixed in KDE 3.4.1, for older KDE versions patches are available.

Dot Categories: 

Comments

by Mathias (not verified)

kde 3.4.1? when?

by Screenshots (not verified)

When it's done :) But here some Screenshots of current CVS.

by Screenshots (not verified)

... and a last one ...

by .... (not verified)

What font are you using in your desktop?

by Screenshots (not verified)

... the default ones shown + AA enabled ...

by Dolio (not verified)

:) Where did you get a version of Helvetica that can be anti-aliased?

Bitmapped Helvetica still plagues me to this day.

by Screenshots (not verified)

magic :)

by stumbles (not verified)

Would you explain this "magic" for inquiring minds?

by Pilaf (not verified)

He prolly hasn't Helvetica in his fonts paths or has it aliased, KDE tends to go with the nearest choice when a font is not available, I think.

I generally install M$ webfonts and comment out any other fonts paths in my /etc/fonts/fonts.conf. If KDE was set to use Helvetica, it will now use Verdana instead, and so on.

by Screenshots (not verified)

I do have XOrg installed with Bitstream fonts (the stuff that comes with it) and the original fonts from WindowsNT (not the corefonts as found on Sourceforge). These are Helvetica AA fonts that you see on the Screenshots.

by Robert (not verified)

Macintoshes come with truetype Helveticas but you can also buy it from Linotype.

by James Richard Tyrer (not verified)

A simple solution to the Helvetica problem *used* to be to install the URW clones as the Adobe fonts, but with FontConfig, there isn't a file available for FontConfig. Perhaps KDE could provide this.

You can install the Helvetica font that comes with the Adobe Acrobat 3.x for Windows (get the AFM files from Adobe FTP), but that Helvetica is an old font that doesn't have a Euro symbol and I don't know if doing this is 100% legal so distros are not going to include it.

So, the question is: Why do we persist in using "Helvetica" and "Courier" as the default rather than the FontConfig generic font names: "sans-serif" & "monospace". This would appear to be an obvious solution, or are there some systems that don't use FontConfig?

Alternatively, KDE could automatically substitute "Arial" for "Helvetica", Courier New for "Courier", & "Times New Roman" for "Times". Perhaps there should be a way to turn this off, but for many users it would solve some problems. Or, this could be added to the FontConfig configuration files. Perhaps a KDE GUI to edit your FontConfig: "/etc/fonts/local.conf" file would help.

--
JRT

by Anonymous (not verified)

What windeco are you using? Is it the default Plastik?

by Screenshots (not verified)

Yes.

by Anon (not verified)

Its taking a step backwards IMO.

I liked the old style much better.

by cm (not verified)

> I liked the old style much better.

I didn't. I'm glad Plastik is default now.
And I got the impression that a lot of people agree with me.

by ac (not verified)

You're right, of course. Plastik has been generally well-received. And a popular theme makes a decent choice for default, although I'd say a boring inoffensive one is better, but that's for distros to decide.

But I have to say I agree with the original complainer. I tried to use Plastik, really I did. But it's ugly, busy and takes up a lot more screen real estate than necessary. This is all my subjective opinion, of course, but I've found it's a generally consistent opinion of those who don't like Plastik. Basically the problem is that it's Windows XP's "Luna" theme, mercifully without the abrasive color scheme.

I actually think ThinKeramik is great, and Keramik is almost as good (but a little busy). It's inobtrusive, nondescript, and out-of-the-way, and functional. Again, my opinion.

I think it's a divide between those who don't want window decorations to distract from the window contents, and those who...well, want flashy window decorations. No offense intended.

As long as KDE still offers plenty of theme choices aside from the default, who cares? Distros often change the default to their own anyway.

by cm (not verified)

> I tried to use Plastik, really I did. But it's ugly, busy and takes
> up a lot more screen real estate than necessary.

Funny, that's what I always say about Keramik.

> As long as KDE still offers plenty of theme choices aside from the default,
> who cares? Distros often change the default to their own anyway.

ACK.

by Ian Ventura-Whiting (not verified)

It looks like they are still using that really bad blue colour on the information screens. See http://bugs.kde.org/show_bug.cgi?id=100448 for more information, and please vote on it, it was much better in the early 3.4 betas.

by Screenshots (not verified)

I like the information screens they look quite cool.

by charles (not verified)

I am still kind-of disappointed in KDE. I hope I am wrong in thinking that Konqueror photo is of the default settings. IMNSHO, first, all those icons after and including the printer icon should be removed, and the location toolbar put or even merged with the apace after the back/forward bar and the KDE animatied logo.

Second: The fonts look "thick" and "big". Why? Is the insane behavior of the toolbar now tamed? Sometimes visiting some sites would make those toolbars un-dockable (sp), and Konqueror would on several occasions, forget its toolbar settings. A [useful] bug report was not easy to file since reproducing this behavior was not possible. It happens at random!

Since KDE is still being fine tuned, I'll keep my fingers crossed for now.

by Screenshots (not verified)

> IMNSHO, first, all those icons after and including the printer icon should be
> removed, and the location toolbar put or even merged with the apace after the
> back/forward bar and the KDE animatied logo.

I exactly like the icons where they are and the icons after the printer icon should stay where they are and of course the location toolbar is right as well. It's exactly how I want my desktop to look like.

> Second: The fonts look "thick" and "big". Why?

Because I have chosen them, they are healthy for my eyes.

> Since KDE is still being fine tuned, I'll keep my fingers crossed for now.

My Screenshots are in no way representative for the KDE project, these are my Screenshots.

by Anonymous (not verified)

> I am still kind-of disappointed in KDE. I hope I am wrong in thinking that Konqueror photo is of the default settings.

You're disappointed with something what you don't use?

by brian (not verified)

It seems unlikely that your problems with Konqueror are random. They are perhaps unpredictable and difficult to analyze, but that is true about most complicated systems.

You should fill out a bug report if you think you've found a bug. Hopefully other people that have the same problem will add to it, and some commonality can be discovered allowing a fix or work around to be developed.

by Anonymous (not verified)

Depends on when the switch to Subversion will happen.

by Davide Ferrari (not verified)

Anyway I think that this updates will be backported to KDE 3.4.0 by distro-makers. At least, Gentoo has already done it, don't know others. (yesterday I got a kdelibs-3.4.0-r2 update)

by Morty (not verified)

Patches are already available thanks to the KDE developers, the distro-makers has only to apply the patches, rebuild and release.

by Fast_Rizwaan (not verified)

Much hype made me try kubuntu 0.5.4, but to my disappointment i found that there are many things lacking in it. I say slackware 10.1 with KDE 3.4 is the best!

KUBUNTU:
-------
PROS:

1. tighter integration of KDE with base system.
2. KDM Theme.
3. Lipstik style. Good Look and Feel. Lipstick rocks.
4. few and most useful applications (k3b,amarok, gwenview, openoffice, etc.)
5. automatic configuration after installation.

CONS:

1. configuration applications missing (alsaconf, adsl-setup, xorgsetup)
2. and many nifty small applications like links, lynx, etc. (when X11 is crashed how will you access internet?)
3. not fully multimedia ready (libdvdcss not installed DVD Playback not possible)
4. Too less Default KDE applications installed.
5. nice applications like karchiver are not part of the KDE centric OS :(

Lack of Configuration tools and GCC/G++ are too much a trouble. I'll stick with Slackware!

by Anonymous (not verified)

Is there a single on-topic comment on the Dot from you?

by Derek Kite (not verified)

There doesn't seem to be any on-topic comments here.

Oh, yes, security is good.

Derek

by Anonymous (not verified)

The "3.4.1" thread refers to the story text.

by Petar (not verified)

Hmmm... your posting here indicates that you're aware of existence of the internet, in its' widest sense - you know, http, ftp... so, missing packages are easily downloaded and installed via - guess what - internet... Distro that comes on a single CD is not to be expected to have all the packages YOU want. Btw, gcc and make are on the CD, along with kernel-headers and such - if you launched e.g. kynaptic to check available packages, you would see that you could install them with a few mouse clicks... Slackware users - rrright...