
KDE Heap Overflow Vulnerability Found

CowboyNeal posted more than 8 years ago | from the holes-in-the-dike dept.


sayanchak writes "An incorrect bounds check has been discovered in kjs, the JavaScript interpreter engine used by Konqueror and other parts of KDE, that allows a heap based buffer overflow when decoding specially crafted UTF-8 encoded URI sequences. It might allow malicious Javascript code to perform a heap overflow and crash Konqueror or even execute arbitrary code. Source diff patches for KDE 3.2.0 - 3.3.2 and KDE 3.4.0 - 3.5.0 are available."
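The story describes an incorrect bounds check while decoding percent-encoded UTF-8 in kjs. As an added example (not kjs code and not the KDE patch; all names are assumed), here is a URI decoder that checks how much input remains before consuming the continuation escapes a lead byte announces, and rejects truncated, overlong and surrogate sequences instead of reading past the end of the buffer:

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example: a percent-decoder that validates UTF-8 sequences with
 * explicit length checks. The bug class in the story is a decoder that
 * trusts the lead byte and reads %XX triplets that are not there. */

static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse the %XX escape starting at in[pos]. Returns the byte value, or -1
 * if fewer than three characters remain or the digits are not hex. */
static int read_escape(const char *in, size_t len, size_t pos)
{
    if (pos >= len || len - pos < 3 || in[pos] != '%') return -1;
    int hi = hex_val(in[pos + 1]);
    int lo = hex_val(in[pos + 2]);
    if (hi < 0 || lo < 0) return -1;
    return (hi << 4) | lo;
}

/* Length of the UTF-8 sequence introduced by lead byte b, or 0 if b cannot
 * start one (stray continuation byte, overlong 0xC0/0xC1, above 0xF4). */
static size_t utf8_seq_len(unsigned b)
{
    if (b < 0x80) return 1;
    if (b >= 0xC2 && b <= 0xDF) return 2;
    if (b >= 0xE0 && b <= 0xEF) return 3;
    if (b >= 0xF0 && b <= 0xF4) return 4;
    return 0;
}

/* Decode in_len bytes of percent-encoded input into out (capacity out_cap).
 * Returns the number of bytes written, or -1 on malformed input, including a
 * multi-byte sequence cut short by the end of the input. */
long uri_decode(const char *in, size_t in_len, unsigned char *out, size_t out_cap)
{
    size_t i = 0, o = 0;
    while (i < in_len) {
        if (in[i] != '%') {               /* literal byte: copy through */
            if (o >= out_cap) return -1;
            out[o++] = (unsigned char)in[i++];
            continue;
        }
        int lead = read_escape(in, in_len, i);
        if (lead < 0) return -1;
        size_t n = utf8_seq_len((unsigned)lead);
        if (n == 0) return -1;
        /* Bounds check: the whole sequence needs n escapes of 3 chars each,
         * so refuse before touching in[i + 3*n - 1]. */
        if (in_len - i < 3 * n) return -1;
        if (out_cap - o < n) return -1;   /* output buffer check */
        unsigned char seq[4];
        seq[0] = (unsigned char)lead;
        for (size_t k = 1; k < n; k++) {
            int cb = read_escape(in, in_len, i + 3 * k);
            if (cb < 0 || (cb & 0xC0) != 0x80) return -1;  /* not 10xxxxxx */
            seq[k] = (unsigned char)cb;
        }
        /* Reject overlong 3/4-byte forms and UTF-16 surrogates (U+D800..DFFF). */
        if (n == 3 && ((seq[0] == 0xE0 && seq[1] < 0xA0) ||
                       (seq[0] == 0xED && seq[1] > 0x9F))) return -1;
        if (n == 4 && ((seq[0] == 0xF0 && seq[1] < 0x90) ||
                       (seq[0] == 0xF4 && seq[1] > 0x8F))) return -1;
        memcpy(out + o, seq, n);
        o += n;
        i += 3 * n;
    }
    return (long)o;
}

int main(void)
{
    /* Constructed inputs: a well-formed sequence and one cut short. */
    const char *good = "caf%C3%A9", *cut = "%E2%82";
    unsigned char buf[16];
    long r = uri_decode(good, strlen(good), buf, sizeof buf);
    printf("%s -> %ld bytes\n", good, r);
    r = uri_decode(cut, strlen(cut), buf, sizeof buf);
    printf("%s -> %ld (rejected)\n", cut, r);
    return 0;
}
```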


This is why I use Windows (3, Funny)

Anonymous Coward | more than 8 years ago | (#14526298)

Microsoft would never tie a web browser into the operating system... err, wait.

Re:This is why I use Windows (-1, Troll)

aurb (674003) | more than 8 years ago | (#14526323)

KDE is not an operating system.

Re:This is why I use Windows (1, Informative)

Anonymous Coward | more than 8 years ago | (#14526328)

You, sir, need to be hit with the humor stick.

Re:This is why I use Windows (-1, Redundant)

Anonymous Coward | more than 8 years ago | (#14526333)

mod parent up as informative, please!

then mod this down as redundant!!

when will people understand that kde is third party software only??

Re:This is why I use Windows (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14526359)

then meta mod the now grandparent and parent positively!!
and mod the... ohhh, moderators make their own decisions? :-p

Re:This is why I use Windows (0, Troll)

belg4mit (152620) | more than 8 years ago | (#14526332)

You're a troll but you still need to be whacked with a clue-by-four, a desktop and windowing environment is not "a part of the OS" in linux. At least not as you intend to parrot in your mangled way. The complaint about MS is the running of said things in or at the kernel. HAND

Re:This is why I use Windows (5, Insightful)

Anonymous Coward | more than 8 years ago | (#14526380)

The complaint about MS is the running of said things in or at the kernel.

The only people who make that complaint are people who don't have a clue what they are talking about. Internet Explorer doesn't run "in or at" the kernel. It runs with the user's privileges, just like any other application.

The problem with "Internet Explorer" is that its rendering engine, Trident, is embedded by a great many applications, so any vulnerability in Trident is also a vulnerability in those applications. The same is true of KDE/KHTML/KJS. If a vulnerability is found in, say, KHTML, it also means KMail and Amarok are vulnerable.

Unfortunately, this is the downside to modern component-based strategies - it's not a Microsoft-specific problem. However the benefits of these strategies vastly outweigh the downsides.

Re:This is why I use Windows (4, Informative)

Anonymous Coward | more than 8 years ago | (#14526512)

The problem with "Internet Explorer" is that its rendering engine, Trident, is embedded by a great many applications, so any vulnerability in Trident is also a vulnerability in those applications. The same is true of KDE/KHTML/KJS. If a vulnerability is found in, say, KHTML, it also means KMail and Amarok are vulnerable.

Unfortunately, this is the downside to modern component-based strategies - it's not a Microsoft-specific problem. However the benefits of these strategies vastly outweigh the downsides.

Except that Microsoft takes the strategy much, much further than KDE does -- not only is explorer the component for rendering HTML, but it also renders the desktop, taskbar, start menu, etc. A better name for Vista would be "Explorer 2006." KHTML is present only in a few select KDE apps -- and you can get away with never using those apps, and never even installing KHTML, and still use KDE.

The benefits of using explorer everywhere are...come to think of it, there are no technical benefits in doing so, but there are plenty of legal benefits (we can't remove explorer without taking out 60% of the rest of Windows!). The KDE team has no reason to do such a thing, and the open-source model essentially means that they never will -- they can focus on technical improvements, and technical advantages of different approaches.

As for running in kernel space...no, Explorer does not, it runs with the privileges of the user who uses it...but for the majority of Windows users, that is somebody with "administrative privileges." Consider that situation: a user with total control over the system, who can change or overwrite anything, is using a single component for everything they do. A single vulnerability could allow malicious code to get into the kernel. The majority of Windows users, even in some mid-size organizations I've seen, log on as superusers, and new accounts are created with superuser access by default. Worse, when there is a legitimate reason for a superuser to log in, he is logging into an Explorer shell. This is why explorer exploits are so much worse than KHTML.

Re:This is why I use Windows (1)

NutscrapeSucks (446616) | more than 8 years ago | (#14526592)

> not only is explorer the component for rendering HTML, but it also renders the desktop, taskbar, start menu, etc.

There was an updated 'common controls' DLL that originally came with IE4, but that's different from rendering the start menu/taskbar in HTML.

Re:This is why I use Windows (-1, Flamebait)

The Spoonman (634311) | more than 8 years ago | (#14526933)

come to think of it, there are no technical benefits in doing so

Actually, there are plenty. The problem is *nix guys who are still using their 30-year-old technology and can't grasp the concept of "moving forward". Tell you what, you *nix guys keep to yourselves, let the Windows guys who know what they're doing keep the IT departments moving forward. We're moving your shit out, and helping you prepare for your next exciting career: Walmart greeter! Yaay! Of course, you'll start complaining there about the good old days where people had to push the door open, rather than it opening for them...

Consider that situation: a user with total control over the system, who can change or overwrite anything, is using a single component for everything they do.

Now consider that they're using Linux. How does that change the model? Do you honestly think if Linux saturated the home desktop arena tomorrow we wouldn't be seeing the same issues? The problem isn't the software, it's the interface between keyboard and chair.

Re:This is why I use Windows (1)

Zarel (900479) | more than 8 years ago | (#14526661)

The problem with "Internet Explorer" is that its rendering engine, Trident, is embedded by a great many applications, so any vulnerability in Trident is also a vulnerability in those applications. The same is true of KDE/KHTML/KJS. If a vulnerability is found in, say, KHTML, it also means KMail and Amarok are vulnerable.

The vulnerability is in kjs, the Javascript interpreter of KHTML. Since KMail and amaroK don't really need a Javascript interpreter, the question is, is the code written badly enough that they're still vulnerable?

Re:This is why I use Windows (0)

Anonymous Coward | more than 8 years ago | (#14526769)

Since KMail and amaroK don't really need a Javascript interpreter

And how is Jane Randomwhore supposed to view purrdy hover-over-buttons in her 17kb HTML-email from cittybankk.ru?

Re:This is why I use Windows (2, Insightful)

G-Licious! (822746) | more than 8 years ago | (#14526685)

Unfortunately, this is the downside to modern component-based strategies - it's not a Microsoft-specific problem.

Is it? It also means just one place to fix the bug, because there are less people reimplementing functionality. The real problem with Microsoft is their sloppy bug fixing.

Re:This is why I use Windows (1, Insightful)

Billly Gates (198444) | more than 8 years ago | (#14526777)

In the past MS did run everything in the kernel. To this day SQL server's indexing engine is kernel based, IIS, and much video code in the media player is as well. Go check the event viewer if you don't believe me. SQL 6.5 shows a lot of kernel messages.

I do admit they are doing this less now since NT has taken over, but the sole reason for instability in early versions of Windows was that everything ran in the kernel and one app could violate memory on another app and cause a GP fault. Windows 3.1 was atrocious.

Re:This is why I use Windows (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14526402)

You're a troll but you still need to be whacked with a clue-by-four, a desktop and windowing environment is not "a part of the OS" in linux.

true.

The complaint about MS is the running of said things in or at the kernel.

FALSE. WHY THE FUCK DO ANTI-"M$" FANBOYS THINK THIS?
the worst OS FUD is spread by linux zealots...

please repeat after me:

IE RUNS IN USER MODE, NOT KERNEL MODE
I WILL NOT SPREAD ANY MORE FUD

HAND

you too

Re:This is why I use Windows (0, Troll)

NutscrapeSucks (446616) | more than 8 years ago | (#14526473)

a desktop and windowing environment is not "a part of the OS" in linux.

This sort of argument is basically specious CSci hairsplitting. The "operating system" provides a runtime environment for application software. There's no fundamental difference between the KDE system and the MS Windows system.

The complaint about MS is the running of said things in or at the kernel.

No it isn't. This is something that technically clueless Linux users invented.

Re:This is why I use Windows (2, Informative)

jc42 (318812) | more than 8 years ago | (#14526602)

The "operating system" provides a runtime environment for application software. ... This is something that technically clueless Linux users invented.

Oh, nonsense.

Fact is, the term "Operating System" is far older than linux, dating back to the 1950s. On almost every processor ever built, it has a precise definition. The definition is hardware based.

In the machine language, there's an opcode usually called SC (System Call). If you need to use a SC instruction to get to some subroutine, you're at the application level. If you don't need to call SC to get to that subroutine, you're in the operating system. It's as simple as that. (Well, except for a few machines with hardware support for multi-level OS security, by having multi-level SC opcodes.)

The idea that things like runtime libraries are part of the OS shows a profound lack of understanding of computer architecture.

NTTAWWT, of course. I don't expect the typical user to understand the architecture of the machine they're using. But making claims about such architecture that are blatantly false doesn't convince anyone who knows even a little about the subject matter.

(A funny thing about the SC instruction is that in many processors, it isn't actually an implemented opcode. What happens when a program does a SC, is that an "unimplemented instruction" interrupt occurs. The interrupt routine looks at the opcode, and if it's the SC opcode, it jumps to the SC routine. Calling it "SC" is merely a promise to never implement anything for that opcode. But in some processors, it is an implemented opcode, which takes a tiny bit of real estate, but makes every SC slightly faster by eliminating that test.)

(And now I expect the assembly programmers here to fill this discussion with further detail of just how SC works on various processors present and past ... ;-)

Re:This is why I use Windows (2, Interesting)

Anonymous Coward | more than 8 years ago | (#14526819)

Fact is, the term "Operating System" is far older than linux, dating back to the 1950s. On almost every processor ever built, it has a precise definition. The definition is hardware based.

In the machine language, there's an opcode usually called SC (System Call). If you need to use a SC instruction to get to some subroutine, you're at the application level. If you don't need to call SC to get to that subroutine, you're in the operating system. It's as simple as that. (Well, except for a few machines with hardware support for multi-level OS security, by having multi-level SC opcodes.)

I'm speechless. I'm trying to find a polite, non-patronising, way of answering this.

FYI: few, if any, CPUs have an opcode called "SC". There are various CPUs with instructions I'd take to be an equivalent of what you're describing, such as TRAP on the 68000, but SC? Where did you get that one from?

What you're describing is not an operating system but a kernel, and many kernels use regular subroutine calls rather than "SC" equivalents to get into them. If your definition of "operating system" were valid, many things we call operating systems today wouldn't be. The Amiga, for instance, far from having a revolutionary operating system as described by most of its enthusiasts, never came with one. (You called exec, the kernel, through standard subroutine calls, not through the TRAP instruction.)

If your definition were true, it would also mean that the word "kernel" is redundant. Few operating systems require special access to any function but the kernel. Microkernels would be unusable operating systems, not tiny components of full operating systems.

A modern operating system consists of a range of subsystems, some in the kernel, some outside of it. The goal of an operating system is to manage the resources of a computer, which includes providing a console for the user (modern systems use GUIs) to start and stop and interact with running programs, allocating memory and time to running programs, providing necessary intercommunication systems with different programs and subsystems, etc. Basing a definition of "operating system" in a 1950s definition that appears to be synonymous with kernel, and inaccurate to boot, strikes me as bizarre.

Re:This is why I use Windows (2, Informative)

NutscrapeSucks (446616) | more than 8 years ago | (#14526922)

The idea that things like runtime libraries are part of the OS shows a profound lack of understanding of computer architecture.

That's exactly the point I made. You are making an academic distinction that has little to no relevance to how application programmers use the OS (or as Sun puts it "operating environment").

Re:This is why I use Windows (2, Informative)

cyber-vandal (148830) | more than 8 years ago | (#14526616)

Except that you can very easily replace KDE with another windowing system, or *gasp* turn it off altogether.

Re:This is why I use Windows (1)

NutscrapeSucks (446616) | more than 8 years ago | (#14526905)

You could, but you couldn't run KDE applications then, could you? As far as a KDE app is concerned, KDE is part of the "OS", just as GDI32 is part of the OS for a Windows app.

Microsoft made the marketing decision to make IE uninstallable. That alone doesn't make it any more or less part of the operating system.

Re:This is why I use Windows (1)

belg4mit (152620) | more than 8 years ago | (#14526736)

Except that it is not so *tightly integrated*. I would certainly argue that this phrase could be read "near", and there are certainly plenty of other people who write of the tight integration [everything2.com] of explorer and the kernel. And if you don't agree, well then who's splitting hairs :-P

Seriously, I use Windows, Solaris and Linux daily and the latter two almost exclusively without a GUI. You cannot tell me that KDE or Gnome are part of the OS.... GNU/Linux/KDE?

Re:This is why I use Windows (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#14526676)

The complaint about MS is the running of said things in or at the kernel.

The complaint about linux zealots is that they have no sense of humor (or clue of what they are talking about)

Re:This is why I use Windows (-1)

Anonymous Coward | more than 8 years ago | (#14526383)

Ah, according to what I constantly read here @ slashdot?

(Which mostly comes from the "Pro-Linux/Penguin crowd" here & especially when a bug is found in Windows, then they yell & 'jump-for-joy' & yell "Windows blows", etc./et al. - well, how's it feel when the shoe's on the other foot? Oh, you make excuses & such, or point out things in Windows that have hassles... well, ok)

Well, I would have thought that Linux was more secure than Windows, & wouldn't have the same types of security bugs/errors Windows would...?

* That's 'par-for-the-course' here though - It's what anyone gets from that same "Pro-Linux/Penguin Crowd" here @ slashdot, misinformation.

Misinformation based on zealotry and blind devotion, which is in & of itself, a bad move and a non-objective look @ things.

Face it - this is legit, and a definite security bug.

The pity is, I actually like Linux with KDE on it!

(The older 3.2 models & the stable 2.2-2.4 kernel builds, they're trying to pack TOO MUCH/TOO FAST into 2.6x without letting it stabilize prior to adding things - next, they're talking about packing an OS virtualization machine into it, & if any of you build software, you realize 1 thing: Feature-creep can introduce new bugs, especially @ the 'low-level plumbing infrastructure' levels of a software, of any kind - & those NEWLY INTRODUCED BUGS can compound pre-existing older ones no less).

APK

P.S.=> Anyhow/bottom-line: IMO, it's going to be a long time before all of the bugs in this OS (Linux & yes, even Windows) & their immediately peripheral portions (Bugs in areas such as integrated browsers, Virtual Machines, & integrated apps in general like desktop shells) are discovered fully & fully fixed as well!

Especially if the makers of these OS don't inspect better with their testers (largely, this can be luck oriented too, bugs still happen + user use patterns differ, as well as the combinations of possible softwares they add to the OS itself get put into the mix, permutations of this here are HUGE) & stop adding new things into already bug ridden OS, this is what you see - bugs on top of already pre-existing bugs, potentially compounding the ones already present before new features were/are added.

Get used to it, this is the nature of software (or, really any large complex system - takes time to discover + fix all the bugs or potential ones)... apk

Re:This is why I use Windows (4, Insightful)

JabberWokky (19442) | more than 8 years ago | (#14526468)

The main difference is that Microsoft often takes weeks or months to release patches, all the while trying to downplay the significance of the bug. With this, the patch was available almost immediately, and within hours, updates were packaged, tested and in distro repositories (I just woke up, and Kubuntu is happily patching itself).

Of course software has bugs. Given that, the key thing is how the software authors treat such bugs. Open Source authors tend to be very honest about and immediately provide fixes for security holes, while Microsoft tends to softpedal and delay.

The problem is not the bugs, it is how they are handled.

--
Evan

Re:This is why I use Windows (0)

Anonymous Coward | more than 8 years ago | (#14526609)

"The main difference is that Microsoft often takes weeks or months to release patches, all the while trying to downplay the significance of the bug" - by JabberWokky (19442) on Saturday January 21, @11:16AM

It depends on the severity of the bug really - they didn't follow their "2nd Tuesday of the month/MS PatchDay" std. practice on the Windows MetaFile bug did they?

No, & instead they issued a fix early (and other developers did even beforehand).

(And, if you had understanding of which libs carried the bug, the modularity of Windows design via .dll's & such allowed you to temporarily unregister the libs so they could NOT affect you...)

"Of course software has bugs. Given that, the key thing is how the software authors treat such bugs." - by JabberWokky (19442) on Saturday January 21, @11:16AM

Well, first of all:

Microsoft's wares (especially server-side enterprise class backoffice ones) have to be extensively tested first!

I would not have it any other way myself - millions/billions of dollars may be riding on a "fix" (potentially bad one) you make. You had best make it correctly. Being in a hurry sometimes can make things worse than they are, & later it turns up some fixes need to be further fixed - best find that out right first, than have to reissue again later.

"Open Source authors tend to be very honest about and immediately provide fixes for security holes, while Microsoft tends to softpedal and delay." - by JabberWokky (19442) on Saturday January 21, @11:16AM

Microsoft's not "backpedaling or delaying/downplaying", they just explain the facts first, & take time to do their fixes as best they can!

(Especially probably with them having a formal & tracking "software patch/troubleticket/mgt. bureaucracy" type tracking system in place)

See - I know, I have such things in place @ my job, + have to deal with them (slowdown of progress, @ least it appears to be so immediately, but it has reasons)

Yes, & it bothers the users, yes, to an extent, myself, but... it has merit!

(E.G.-> I can make fixes in table driven IS/IT/MIS SQL Server tables I have rights to (production tables) instantly via SQL Server Enterprise Manager or Query Analyzer, but instead, these same changes have to be T-SQL driven & tracked)...

Now, before THAT even happens? The users have to:

1.) Make a formal work request to the HelpDesk

2.) The HelpDesk then issues the work to the appropriate developer (there are many of us)...

3.) Scripts have to be created in T-SQL (for tracking purposes)

4.) Then, the actual work starts for the correction/fix/maintenance, etc.

This is ALL delay. I could do those steps in seconds, if the data is table driven (good MIS/IS/IT apps are usually, for security & state settings imo, & the rest should be Stored Proc driven, & as little as possible client-side program data manipulation as possible)

Again though, it's with good reason - it allows history tracking (plus a script that can be reversed or altered if needed) of who did the work, when, how & what.

I imagine a leviathan like MS has to go thru such things, 10x as much as I do, plus a HELL OF A LOT MORE TESTING would be involved as well!

There are things like software liability involved when you are a commercial software OEM, & that in & of itself can be MILLIONS to insure & be responsible for.

Best take your time & DO IT RIGHT, first time out (as best you can, until the next issue pops up).

APK

P.S.=> I take it you are not a software developer/engineer, because if you were professionally for any entity of size or one that deals with SENSITIVE data? You'd know why those slowdowns exist... for many reasons, some I did not even hit on, above... apk

Re:This is why I use Windows (4, Informative)

JabberWokky (19442) | more than 8 years ago | (#14526919)

I take it you are not a software developer/engineer, because if you were professionally for any entity of size or one that deals with SENSITIVE data? You'd know why those slowdowns exist... for many reasons, some I did not even hit on, above...

You make many many assumptions. I'm the CIO of a publishing company, I had my MCSE years ago, I am happy with Windows and Microsoft and just signed off on another 40 workstations with Windows on them. I am in no way anti-Microsoft, nor am I a teenager who thinks Linux is some sort of sacred ground. I use Linux personally because I've been using some variant of Unix for close to 25 years now.

That said, the question was what makes Microsoft have a bad reputation when it comes to bug fixes while Linux (meaning the distros) does not. Today systems are all online, and a critical feature of any operating system is the speed of the support to reliably fix security holes, especially those which can be remotely exploited.

We are talking about why Microsoft has a perception of being worse about bugs than Linux (or at least I was responding to that). I still maintain that, to quote myself, "Open Source authors tend to be very honest about and immediately provide fixes for security holes, while Microsoft tends to softpedal and delay". Microsoft has been addressing this aggressively recently, with various announcements that they are refocusing on bugs, and more regular updates. Still, their lackadaisical attitude toward security in the past has cast a long shadow that taints them today, both with a poor codebase and a reputation for poor support for bug fixes. Plus, as was my initial point, open source tends to provide reliable fixes quicker -- for whatever reason -- which not only garners respect for their corner, but also makes Microsoft look slow... and that affects perception.

--
Evan

Re:This is why I use Windows (0)

DogDude (805747) | more than 8 years ago | (#14526719)

... within hours, updates were packaged, tested ...

Really? You really think that a big team of developers got together in the wee hours of the morning (in the US, at least), and tested the patch in thousands of different configurations? Are you sure that this patch doesn't break something else?

Personally, I'd rather wait a bit and get a patch that I know has been thoroughly tested. I can't afford to have a hastily written patch bring down any of my machines.

Re:This is why I use Windows (0)

Anonymous Coward | more than 8 years ago | (#14526795)

The main difference is that Microsoft often takes weeks or months to release patches, all the while trying to downplay the significance of the bug. With this, the patch was available almost immediately, and within hours, updates were packaged, tested and in distro repositories

No, I think you are missing the main difference(s). Let's contrast this with the most recent vulnerability discovered in Windows.

In Windows' case, an exploit was discovered in the wild. Only by dissecting the exploit and discovering exactly how it commandeered systems did they discover that there was a vulnerability in the way Windows handled WMF files. Only then did Microsoft spring (crawl, stumble, lurch drunkenly ??) into action to discover a solution. In the end, the exact cause was because of a design decision made to handle exceptions or errors in WMF files.

In this KDE case, the vulnerability was discovered by Maksim Orlovich. A quick search on his name shows that he is a prolific hacker of KDE code. Although I don't know the exact circumstances, it is quite likely that he discovered the problem while working with the source code doing something else. In this case, the error seemed to be a coding error. Others here call it a stupid programming error, regardless, the fix was simple and implemented quickly.

Re:This is why I use Windows (0)

Stan Vassilev (939229) | more than 8 years ago | (#14526824)

"The problem is not the bugs, it is how they are handled."

Well if it's a Microsoft bug, the problem is the bugs, if it's KDE bug, it's how they are handled, but if Microsoft starts handling them like OSS handles them, we know reasons will be found to bash MS anyway.

Because the problem isn't in bugs or handling or anything: the problem is in that it's too easy to twist so that Microsoft always looks bad.

Re:This is why I use Windows (2, Insightful)

BuR4N (512430) | more than 8 years ago | (#14526923)

"With this, the patch was available almost immediately, and within hours"

If it's available within hours, someone has failed to test it properly; there are thousands of combinations of hardware and software and god knows what a quick and dirty patch can break.

Re:This is why I use Windows (1, Insightful)

aaronl (43811) | more than 8 years ago | (#14526641)

Unfortunately, you're very correct, and you see it throughout the popular OSS projects.

The projects from Mozilla are far from "finished", but they add features instead of fixing bugs. We wind up with a somewhat slow UI, a huge memory footprint, and random crashes. The OpenOffice people are too busy needlessly throwing in features and coding Java into a C++ program instead of finishing the version. We wind up with a slow UI, very slow startup time, a huge memory footprint, and reliance on C libraries, C++ libraries, *and* the Java runtime.

I still use things like Firefox and OpenOffice, because they're still the best ones out there, but I have no devotion to them. When the devs stop playing happy little games throwing in a bunch of code from their favorite language of the year, or building an IRC client in, or messing about with plugin interfaces well after version 1.0, and just finish what they have first, then I'll be very happy. Instead we have tons of software that are *almost* done.

Exactly what you mentioned about the Linux kernel doing this has a lot of people unhappy. On the few Linux servers I keep around, I use Slackware and 2.4.x kernels. I don't want the machines to crash, so I don't trust 2.6.x. They don't need new features; they need stable code, and the constant feature-add game doesn't get me stable code.

What these games *have* done is get a lot of people, such as myself, to use more stable platforms. Some people choose a Linux distro like Debian. Many others just jumped over to BSD or Solaris.

So, in the end, I'm willing to run Linux on my workstation, but I try to avoid running it on my servers. I want to minimize the potential for that server to crash, and Linux isn't giving me that anymore. About two years ago, I waved goodbye to Linux, after having used it heavily since 1993.

OS? No. (1)

nurb432 (527695) | more than 8 years ago | (#14526409)

While I realize you were trying to be funny, KDE doesn't tie the browser into any OS. It's tied into the DE. Quite a difference there. (Still potentially dangerous, as the DE has a lot of rights at the system level, but it is different.)

KJS is also used by Apple in Safari (0)

Anonymous Coward | more than 8 years ago | (#14526304)

At least 3 years ago, anyway.

Re:KJS is also used by Apple in Safari (5, Insightful)

Anonymous Coward | more than 8 years ago | (#14526346)

The obvious question is - does the same bug exist in the KJS-derived Safari Javascript [apple.com]?

Re:KJS is also used by Apple in Safari (2, Informative)

Anonymous Coward | more than 8 years ago | (#14526411)

More Safari/KJS info. [apple.com] I took a look at the Apple code. It appears the URI encode/decode functions were completely rewritten and have no resemblance to the KDE/KJS original functions.

JavaScriptCore

JavaScriptCore is a framework for Mac OS X that takes the cross-platform KJS library (part of the KDE project), combines it with the PCRE regular expression library, and makes it work with Mac OS X technologies.

The current version of JavaScriptCore is based on the KJS library from KDE 3.0.2. The few changes that are specific to JavaScriptCore are marked with #if APPLE_CHANGES. Other changes to improve performance and web page compatibility are intended for integration into future versions of the KJS library.

Re:KJS is also used by Apple in Safari (2, Insightful)

Mattintosh (758112) | more than 8 years ago | (#14526418)

Probably, but expect silence until Tuesday, when a patch will suddenly appear to bump Safari to 2.0.4.

Bullet-proof JS (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14526308)

Man! It seems that no one can build a bullet-proof JS interpreter

Re:Bullet-proof JS (1)

Elektroschock (659467) | more than 8 years ago | (#14526484)

There is nothing wrong about this news.

If developers do not find the leaks attackers will also not find them. When leaks are found they are quickly fixed. So no problem.

The real question is how many leaks are left.

Re:Bullet-proof JS (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14526850)

First: Developers almost never search for those leaks, which means attackers find them before developers.
Second: I hate wasting my life patching the OS on my computer.

Variable names? (3, Insightful)

ajiva (156759) | more than 8 years ago | (#14526317)

Who has variables named "vvvv" and "uuuuu"? At least make them somewhat useful, even if they are temporary variables.

In actuality, this really means... (0)

Anonymous Coward | more than 8 years ago | (#14526456)

...that for multiple reasons, KDE sucks balls. KDE sucks KID balls, so it must be a paedophile.

Yes people, look at this (3, Informative)

rbarreira (836272) | more than 8 years ago | (#14526781)

This [kde.org] is the text of the patch. Look at the nice variable names :P

And this [kde.org] is the contents of the guilty source code file. It's filled with such variable names and obfuscated code! Some variable names -> zzzzzzz, yyyyy, xx, uuuuu.

I really never thought that this kind of code was in a project such as KDE. I assume that it's a fairly unique file, but even then it's just really stupid...

Re:Yes people, look at this (1)

pilkul (667659) | more than 8 years ago | (#14526946)

Meh, there's ugly code like this in most large projects. Think how bad it must be in codebases which aren't open for everyone to see.

Well, I used to love KDE... (0, Flamebait)

TyrelHaveman (159881) | more than 8 years ago | (#14526812)

I used to love KDE until I saw this. What the **** is wrong with their engineers? ****

Right thats it! (5, Funny)

trash eighty (457611) | more than 8 years ago | (#14526325)

I'm going back to Windows!!!

Re:Right thats it! (2, Funny)

Anonymous Coward | more than 8 years ago | (#14526342)

I *know*! This is just another example of how shoddy Windows is, just another buffer overflow in a long line of security travesties that is Microsoft... wait, this is KDE?

*looks at his Kubuntu install*

Uh... clearly this patching shows the inherent superiority of Open Source!

Re:Right thats it! (1)

Zerathdune (912589) | more than 8 years ago | (#14526536)

Uh... clearly this patching shows the inherent superiority of Open Source!

You say this in jest, and while I agree that there are people with this attitude, and it's annoying, the fact remains that by the time we even heard about it, there was already a fix. Any software is going to have issues, and if this was Microsoft software, I might start to think they're considering coming through on that promise about security that Gates made so long ago; this kind of response time is pretty impressive.

Re:Right thats it! (0)

Anonymous Coward | more than 8 years ago | (#14526393)

I use GNOME, so I'm not worried by this flaw. On the other hand, when a flaw was found in WMF, all the users of Windows were affected.

Re:Right thats it! (0)

Anonymous Coward | more than 8 years ago | (#14526517)

None of my servers even have X installed, let alone KDE.

This is interesting... (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14526336)

.. because KDE is supposedly developed in the so-called "modern C++" using STL. Perhaps OSS developers should look into using code analysis tools to weed out any unsafe techniques.

how to apply? (1, Funny)

Anonymous Coward | more than 8 years ago | (#14526362)

do i just make the .diff file executable and put a ./ in front when typing out the name of the file in a root shell???

Re:how to apply? (0)

Anonymous Coward | more than 8 years ago | (#14526424)

cd source_dir && patch -p0 < the_patch.diff

All the... (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14526365)

And all of the 5 users may possibly be sunk by this. Of course they are the most likely to get the patch but.....

Malicious hackers around the world... (5, Interesting)

Anonymous Coward | more than 8 years ago | (#14526367)

...yawn and pay no heed. Have any vulnerabilities for Konqueror ever actually resulted in exploits in the wild?

Re:Malicious hackers around the world... (1)

BrokenHalo (565198) | more than 8 years ago | (#14526448)

Does anybody even use Konqueror? Can't say I personally know anyone who does...

Re:Malicious hackers around the world... (1)

JamesTRexx (675890) | more than 8 years ago | (#14526584)

I use it all the time with one or two exceptions, for which I use Firefox.
I haven't had any problem with websites from 3.2 or 3.3 on. I've gotten so used to Konqueror that using Firefox seemed weird. :-)

Re:Malicious hackers around the world... (1)

DeafByBeheading (881815) | more than 8 years ago | (#14526646)

Exactly. It hasn't been exploited in the wild because there are no uses of Konqueror in the wild. And they say that security through obscurity is a bad idea... ...

I keed, I keed.

Re:Malicious hackers around the world... (0)

Anonymous Coward | more than 8 years ago | (#14526822)

No, both users always keep fully up-to-date

Ubuntu patched already (5, Informative)

Richard W.M. Jones (591125) | more than 8 years ago | (#14526387)

The patch for this [ubuntu-linux.com] was waiting on my Ubuntu desktop for installation when I got up this morning ...

Rich.

Re:Ubuntu patched already (2, Interesting)

Anonymous Coward | more than 8 years ago | (#14526462)

I'm not sure if "patch" is the correct word, since it basically re-downloads all of the kdelibs and the necessary data which weigh in at 10s of megabytes.
Happily, the debian devels are said to be looking into a way of supplying binary diffs/ deltas of update .debs eventually, which will be nice. Shame it's taken such an incredibly long time, though - MS has had the technology for aeons.

same goes for gentoo (2, Informative)

Anonymous Coward | more than 8 years ago | (#14526773)

kdelibs-3.4.3-r1 and kdelibs-3.5.0-r2 were both released yesterday with the former being marked stable on most archs.

And now the obligatory... (3, Insightful)

Billosaur (927319) | more than 8 years ago | (#14526394)

...nothing to see here... move along...

There are patches already available. Fix it. Move on. Mind you, this is not like what happens with "some other operating systems," where they have to be berated by users into issuing patches...

Re:And now the obligatory... (0)

Anonymous Coward | more than 8 years ago | (#14526487)

Chances are that those users that would berate the makers of the "other operating systems" into making a patch would already be practicing safe computing behaviors and not be at risk to a majority of the vulnerabilities that would need to be patched in the first place. The ones that would be vulnerable because they don't know any better would not be informed enough to demand a patch in the first place.

Re:And now the obligatory... (1, Interesting)

dioscaido (541037) | more than 8 years ago | (#14526505)

While you have a point, this patch obviously didn't get too much review -- decbuf is reallocated using realloc, and as far as I can tell the value is never checked before being dereferenced to make sure the allocation didn't fail. So this patch needs another patch, and it is the kind of thing that 'the other operating systems' wouldn't be able to get away with.

Re:And now the obligatory... (4, Insightful)

Tim C (15259) | more than 8 years ago | (#14526567)

There are patches already available. Fix it. Move on.

There are source patches available. That's fine for you and me, but it's no good for the increasing number of "normal" users who are moving to Linux, who wouldn't be able to apply them if you showed them how. They still have to wait on binary patches from their vendors.

Mind you, this is not like what happens with "some other operating systems," where they have to be berated by users into issuing patches...

That's mostly because the self-same users berated them into only releasing patches once a month at most; they can't have it both ways. I'd also be willing to bet that patches from commercial OS vendors go through rather more rigorous QA processes than this; support contracts and such like make that essential.

Re:And now the obligatory... (1)

Zontar The Mindless (9002) | more than 8 years ago | (#14526892)

SuSE already have patches for this. I would imagine all the other major distros do, too.

Wine's been patched for the WMF thing as well.

And before anybody else says something silly about JavaScript, there's a patch for a Perl buffer overflow, too.

Re:And now the obligatory... (0)

Anonymous Coward | more than 8 years ago | (#14526791)

And here I am, wasting my time patching because of a guy who can't program correctly in the first place and who is too stupid to learn a language that doesn't allow those kinds of mistakes.

Re:And now the obligatory... (1)

saskboy (600063) | more than 8 years ago | (#14526909)

I don't *like* patching software. It leaves thousands of CDs and DVDs out there with ticking time bombs, or hunks of rock software that are unsafe to install, without then connecting to highspeed Internet, and downloading the fix. I found Ubuntu's auto-update to be pretty easy to use, but it's still a pain, and forget the ease if you're on dialup.

Stupid crackers...

About the Patch (2, Informative)

robbyjo (315601) | more than 8 years ago | (#14526403)

Patches for both 3.2.x - 3.3.x and 3.4.x-3.5.0 are the same except for the revision number. I think Slashdot got the link switched around.

Although Apple does use some of Konqueror's core, I believe that the bug does not affect it at all. At least there is no such vulnerable function in their JS core code as there is in KDE.

Re:About the Patch (0)

Anonymous Coward | more than 8 years ago | (#14526566)

Well, there's one small difference; some whitespace is different. Run them through diff.

Arrgh (0, Offtopic)

harris s newman (714436) | more than 8 years ago | (#14526407)

I'm installing Gentoo right now...

Arbitrary code with what privileges? (1, Insightful)

orzetto (545509) | more than 8 years ago | (#14526410)

Is it going to be able to run with root privileges or just as a user?

Re:Arbitrary code with what privileges? (3, Insightful)

undeadly (941339) | more than 8 years ago | (#14526532)

Is it going to be able to run with root privileges or just as a user?

Not directly, unless you run as root. On the other hand, local root kernel vulnerabilities may be exploited, and the Linux kernel has new ones discovered frequently.

Re:Arbitrary code with what privileges? (0)

Anonymous Coward | more than 8 years ago | (#14526588)

Liar. When was the last privilege escalation found in the Linux kernel?

Re:Arbitrary code with what privileges? (1)

undeadly (941339) | more than 8 years ago | (#14526718)

Liar. When was the last privilege escalation found in the Linux kernel?

Are you so stupid that you can't go to a Linux distro site and check for security updates?

Re:Arbitrary code with what privileges? (0)

Anonymous Coward | more than 8 years ago | (#14526866)

Well, you are making bold untrue statements...

Rather incompetent (4, Interesting)

velco (521660) | more than 8 years ago | (#14526420)

And the proposed patch leaks if realloc fails and does not check the return value of realloc. *sigh*

Also, one may only wonder why they didn't use std::vector ...

~velco

Re:Rather incompetent (0)

Anonymous Coward | more than 8 years ago | (#14526464)

My exact thought. Can't they use some code analysis tool to look for this kind of stuff?

Even grep would do.

Re:Rather incompetent (2, Interesting)

m50d (797211) | more than 8 years ago | (#14526703)

KDE began in a time when STL support in many C++ compilers wasn't up to much, so for cross-platform capability (always a design goal) they couldn't really rely on it. Not sure whether that has anything to do with this.

Re:Rather incompetent (1)

elendril (15418) | more than 8 years ago | (#14526774)

While checking the results of malloc and realloc is good practice, given that some OSes (like Linux, but it is configurable) almost never return NULL even if they cannot guarantee memory will be available (a result of using memory overcommit), it probably won't catch any error and will not prevent a segfault.
Moreover, in most cases, if you do not get the memory you need, unless you have coded an alternative to perform the task (very rare), you might as well give up immediately.

Re:Rather incompetent (1)

rbarreira (836272) | more than 8 years ago | (#14526871)

Moreover, in most cases, if you do not get the memory you need, unless you have coded an alternative to perform the task (very rare), you might as well give up immediately.
Give up with a seg fault? Wouldn't it be better to give up with an error?

Re:Rather incompetent (2, Informative)

Dj Offset (260006) | more than 8 years ago | (#14526847)

And the proposed patch leaks if realloc fails and does not check the return value of realloc. *sigh*

Well this is a rather common practice these days.

Working on embedded systems I'm used to checking every malloc(). It is fairly easy to do, but you need to design your application to handle out of memory situations gracefully. That is not as easy depending on what you are trying to do.

On a desktop system this is not as important since you usually have lots of memory and even more virtual memory. The default linux behaviour of overcommiting memory and then later killing some random app if out of memory, often means the memory allocation will not fail at all.

In fact most libraries and apps on your Linux installation are not out-of-memory safe. That includes glibc, Qt, and obviously KDE.
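Regarding the unchecked realloc that several comments above point out in the patch: here is an added example, not code from the KDE patch, of the growth pattern a reviewer would want to see. It keeps the old buffer reachable when realloc returns NULL (so nothing leaks), checks bounds before every write, and rejects a truncated escape instead of reading past the end of the input. The function names (grow_buffer, percent_decode) and the decbuf name are my own choices, not KJS's.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Grow *buf to at least `needed` bytes, doubling capacity.
   On failure the old buffer is left intact and still owned by the caller
   (realloc's result goes into a temporary, never straight into *buf),
   and 0 is returned; on success *buf/*cap are updated and 1 is returned. */
static int grow_buffer(char **buf, size_t *cap, size_t needed)
{
    if (needed <= *cap)
        return 1;
    size_t newcap = *cap ? *cap : 16;
    while (newcap < needed) {
        if (newcap > SIZE_MAX / 2)   /* doubling would overflow size_t */
            return 0;
        newcap *= 2;
    }
    char *tmp = realloc(*buf, newcap);
    if (tmp == NULL)
        return 0;                    /* *buf is still valid: no leak */
    *buf = tmp;
    *cap = newcap;
    return 1;
}

/* Decode %XX escapes from a NUL-terminated string into a freshly allocated
   buffer (hypothetical name: decbuf). Returns NULL on malformed input or
   allocation failure; the caller frees the result. *out_len receives the
   decoded byte count, which may include embedded NULs from "%00". */
char *percent_decode(const char *src, size_t *out_len)
{
    char *decbuf = NULL;
    size_t cap = 0, len = 0;

    for (size_t i = 0; src[i] != '\0'; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            /* Check both hex digits before touching them: a "%4" at the
               end of the string must not make us read past the NUL. */
            if (!isxdigit((unsigned char)src[i + 1]) ||
                !isxdigit((unsigned char)src[i + 2]))
                goto fail;
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            c = (int)strtol(hex, NULL, 16);
            i += 2;
        }
        /* Room for this byte plus the terminating NUL, checked every time. */
        if (!grow_buffer(&decbuf, &cap, len + 2))
            goto fail;
        decbuf[len++] = (char)c;
    }
    if (!grow_buffer(&decbuf, &cap, len + 1))
        goto fail;
    decbuf[len] = '\0';
    if (out_len)
        *out_len = len;
    return decbuf;

fail:
    free(decbuf);   /* free(NULL) is a no-op, so this is safe on first failure */
    return NULL;
}
```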

And the question on everybody's lips... (2, Insightful)

Xyde (415798) | more than 8 years ago | (#14526422)

Does this affect Safari?

Crash Konqueror? (0)

Anonymous Coward | more than 8 years ago | (#14526523)

They found a bug that'll crash Konqueror? Will wonders never cease...
One down, about 500 to go.

Crashiest Browser Evar.

Re:Crash Konqueror? (1)

Skiron (735617) | more than 8 years ago | (#14526621)

The only site that crashes my Konq is eBay - thank god...

Plugging the "arbitrary code" hole? (2, Interesting)

G4from128k (686170) | more than 8 years ago | (#14526525)

So many vulnerabilities seem to involve writing past the extents of a data structure (stack, heap, buffer, etc.). But how does this lead to the ability to execute arbitrary code? It would seem that the system must lack an ability to clearly segment memory in the distinct data spaces or to distinguish between data and code.

Perhaps machines need a more secure memory management scheme (such as an execute disable bit [intel.com] or Data Execution Prevention [microsoft.com] ).

Yes, malware could still crash an application or machine (to the extent that the system has inadequate input checking and nongraceful failure modes) but arbitrary code execution wouldn't be possible.

Why don't people use these concepts to plug a vast range of vulnerabilities?

Re:Plugging the "arbitrary code" hole? (1)

ShadowFlyP (540489) | more than 8 years ago | (#14526577)

Even a no-execute bit will not prevent all of these types of problems in C++. Classes have a pointer to the virtual function table, which points to the address of the real function. Any heap overflow could modify a class's pointer to the virtual function table to point to a different table. This table can then have a pointer to any function of your choosing, such as the "system" function.

This is just a THEORY but... (1)

erroneus (253617) | more than 8 years ago | (#14526531)

...what if it was actually a backdoor placed there intentionally by secret society agents?

Okay I'm kidding... really... go look at the source code or something.

Re:This is just a THEORY but... (1)

daikokatana (845609) | more than 8 years ago | (#14526608)

...what if it was actually a backdoor placed there intentionally by secret society agents?

It's actually placed there by the RAND Corp., in conjunction with the Saucer People, under the supervision of the Reverse Vampires, who are...

Always remember: a Simpsons quote a day, keeps the doctor away!

Queue Linux Defense Responses! (3, Funny)

Anonymous Coward | more than 8 years ago | (#14526568)

Alright, here come the slashdot standard defense responses the moment anything is found bad about something related to Linux:

1. Oh, but microsoft takes longer to patch
2. But it is still more secure than windows!
3. Ya, old news, it's already patched!
4. And, this isn't an OS problem it's the shell, windowing, daemon, whatever etc!

And hell yes, I will post this anonymously as I expect this to be modded as Troll within 5 minutes and I've got no karma to burn! :)

Re:Queue Linux Defense Responses! (1)

Skiron (735617) | more than 8 years ago | (#14526613)

This isn't a Linux issue - this is a KDE issue.

You MS guys deliberately (or ignorantly) forget that.

Nick

Re:Queue Linux Defense Responses! (2, Interesting)

laffer1 (701823) | more than 8 years ago | (#14526740)

Yes, but most Linux distros ship with an X11 desktop environment. I can't think of too many besides Gentoo that don't come with either KDE or GNOME. It's also a very common add-on to distros without one or BSDs that run in desktop mode. And if you think about it, running a GUI is a comparable way to look at Windows. Windows = command interpreter + kernel + GUI
Linux distro = command interpreter (login shell) + kernel (Linux itself) + GUI (X11 & window manager or desktop)

In order to compare Windows and Linux from a desktop point of view, you must look at the whole package. An end user would.

Of course you are right that it's not a Linux-specific issue. It can affect Linux distros, *BSD, or UNIX distros that include or have the environment installed. But, think of it this way.. it can affect all *nix installs that have KDE, which is very popular.

As for his list, I found it quite amusing. I'm not an MS fanboy, but you have to admit that many people have this perception that MS has a lot more bugs. I think Microsoft screws up patching quite a bit. If you look at original vulnerabilities though, it's no different than a full Linux distro with GUI (Red Hat for example), or OS X. I've had to patch my Mac and FreeBSD machine just as much as my Windows box lately. (FreeBSD has had 5 holes in the core OS recently plus any ports like Firefox or KDE.)

I think it's about time to realize that open source has grown up. It has just as many holes as closed source software. People are starting to find them more often. Look at Firefox. I no longer use Firefox because I feel safer. I use it because I like the UI. The difference is that most OSS holes don't cause code to run as root since *nix developers are more likely to run code as a user vs system (root).

Security-minded people often forget that programmers are NOT taught about security in college and it's not like the local BN has a book called "learn to code safely and check your input." There are a few security books out there, but they often are not written for everyday programmers. In college, I was taught what a buffer overflow is and told to check input. I've never been given an example besides a simple x > 2 check example in any class. Once a professor mentioned regular expressions, but didn't describe what they did. It's quite sad. I don't see how we can expect closed or open source developers to code securely if we don't teach them.

Re:Queue Linux Defense Responses! (0)

Anonymous Coward | more than 8 years ago | (#14526762)

In all fairness, those responses are largely justified.

The first thing my computer did when I turned it on today was tell me that security updates were available. 2 clicks and a password (I know, the public will never accept that amount of hassle), and it was installing in the background, while I ripped a CD, got photos off my camera (evidence from the night before :) ) and checked my email.

Then I caught up with the news, and several hours later slashdot informed me (via RSS) that KDE was vulnerable.

This is old, and amusing, news. For Ubuntu users at least.

[my "not a bot" word was "cleaved". Can anyone think of another word apart from "cleave" which is a homoantonym (means the opposite to itself)?]

what bug?? (-1, Troll)

carlosGames (943841) | more than 8 years ago | (#14526585)

hmm.. wait :) thanks to open source this doesn't affect me, I prefer e17 and Firefox so .... go to hell khtml windoze explorer like engine ...

Worried about this for years now... (0)

Anonymous Coward | more than 8 years ago | (#14526668)

I've been worried about this sort of thing for years now... ever since I noticed the obvious similarities between konqueror and IE (wait, it's a web browser... no wait it's a file manager... no, you're both right).

It's always a bad idea to have more OS integration than may be needed in a web browser because of the OPC factor (Other Peoples Code).

What about Safari? (1)

Barto (467793) | more than 8 years ago | (#14526756)

Apple's WebCore is a fork of KHTML and KJS; does anyone have information on whether Safari/WebCore is affected by this vulnerability?

Just goes to show... (2, Insightful)

m50d (797211) | more than 8 years ago | (#14526759)

that even with a relatively clean codebase, bugs happen. Konqueror is good code compared to a lot of things, but I guess complexity is unavoidable, and that leads to things like this.

I wouldn't call it clean (1)

Chemisor (97276) | more than 8 years ago | (#14526841)

If you actually look at the code you'll see plenty of bad coding practices. vvvv and uuuuu as variable names? malloc and free in C++ code? Cut-n-paste code where a loop ought to be? It looks like something that I might find on the "Daily WTF" site.

Close call, good thing nobody is using linux then (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14526869)

lolz