|
mDNSResponder libraries moved to kdelibs. Krdc and Krbc now use DNS-SD. khtml improves CSS compliance. KNewStuff support for wallpapers.
|
Jonathan Riddell has been working on the Kde wallpapers. Among other things he has been working on svg format wallpapers. He proposed a way to download and install wallpapers in this comment on kde-core-devel: http://lists.kde.org/?l=kde-core-devel&m=110185919428359&w=2
|
As you can see, it is not simply a matter of patching the kcontrol module. Some infrastructure is required. The discussion continued with comments about the wording, and some useful links from Josef Spillner such as: http://lists.kde.org/?l=kde-core-devel&m=110194278431365&w=2
|
|
|
There were two security advisories this week.
The first one is a plain text password exposure. See http://www.kde.org/info/security/advisory-20041209-1.txt. The overview reads as follows:
|
Daniel Fabian notified the KDE security team about a possible privacy issue in KDE. When creating a link to a remote file from various applications including Konqueror, the resulting URL may contain the authentication credentials used to access that remote resource. This includes, but is not limited to browsing SMB ("Samba") shares. Further investigation revealed unnecessary exposure of authentication credentials by the SMB ("Samba") protocol handler.
The link reference file, which is a file with the extension ".desktop", is a plain text configuration file that is created with default access permissions, depending on the users' umask this could include world read permission. Usually the URL saved in this .desktop file only contains the password if the user manually entered it this way. The SMB protocol handler however unnecessarily exposes authentication credentials by always including this information in the URL that it generates.
The KDE team provides patches which will unconditionally remove the password from the authentication credentials before creating the link reference file and that fix the SMB protocol handler to not unnecessarily include passwords in URLs Authentication credentials can then be stored in KWallet instead.
|
|
The second advisory is regarding kfax libtiff vulnerabilities. http://www.kde.org/info/security/advisory-20041209-2.txt. The overview is as follows:
|
Chris Evans and others discovered multiple vulnerabilities in the libtiff library. The Common Vulnerabilities and Exposures project assigned CAN-2004-0803 to this issue.
kfax, a small utility for displaying fax files, contains for historic reasons a private copy of libtiff. Therefore it is vulnerable to these issues as well.
kfax and the kfax KPart are invoked by KMail or Konqueror for viewing .g3 files.
For the active KDE maintenance branches, which are KDE 3.2.x and KDE 3.3.x, this problem has been solved by removing the private copy of libtiff. In KDE 3.2.x, kfax will use the tiff2ps and fax2tiff utilities at runtime as backend. In KDE 3.3.x the code requiring libtiff or any other runtime dependencies has been replaced by a native solution that is unaffected by the mentioned vulnerabilities.
Due to the complexity of the change, no simple diff is provided. The problems have been addressed in the KDE 3.3.2 release.
As a workaround, you can remove the kfax binary and the kfaxpart.la KPart from your system to be on the safe side.
|
|
