Three security advisories have been issued this week. The first two are due to a vulnerability that was discovered in xpdf. Both KPDF and the KOffice PDF import filter include their own version of xpdf and as a result they too will require some updating. The third advisory involves Konversation, in which several security issues were discovered.
Comments
"Both KPDF and the KOffice PDF import filter include their own version of xpdf"
What?!? Isn't this exactly what shared libraries are for?
If xpdf was available as a shared library, it certainly would...
Well, since KPDF and KOffice are both KDE packages,
maybe there should exist only one shared library for xpdf within KDE?
Code duplication sux 101
If xpdf was available as a shared library, it certainly would..
Wrong. If xpdf was available in KDE as a shared KDE wrapper library then it certainly would. There's absolutely no reason to have two copies of xpdf in KDE (at least not in the long run). I bet that those were not the last security problems which are discovered in xpdf:
October 2004:
http://www.kde.org/info/security/advisory-20041021-1.txt
http://koffice.kde.org/security/2004_xpdf_integer_overflow.php
December 2004:
http://www.kde.org/info/security/advisory-20041223-1.txt
http://koffice.kde.org/security/2004_xpdf_integer_overflow_2.php
January 2004:
http://www.kde.org/info/security/advisory-20050119-1.txt
http://koffice.kde.org/security/advisory-20050120-1.txt
What is even more puzzling is the fact that the kdegraphics module both contains a version of xpdf and tries to link to parts of an external version. Since I don't have xpdf installed I get this funny message when using cvs.
You're missing pdfinfo. That means that you won't be able to
see additional informations about pdf files in konqueror.
The plugin for it will still be compiled, but won't work until
you install pdfinfo.
You can download it (inside the xpdf package) from
http://www.foolabs.com/xpdf/
I have been considering filing a bug on it, but haven't gotten around to it yet:-)
One practical problem is where do you put the common library. Another problem is that the xpdf sources need some slight modifications for the pdf->kword filter.
and one more problem is that in koffice it is not the same xpdf version ... I am working on that though.
Fixed this potential remote_procedure_call-risk.
Note: Older Linux versions are lesser hollowed.