KDE 3.3.1 was released on October 12th, 2004. Read the official announcement.
This page is no longer maintained. Currently, only KDE 4.2.0
and newer are maintained. Please have a look at the
KDE 4.4.0 Info Page instead.
Security Issues
Please report possible problems to security@kde.org.
Patches for the issues mentioned below are available from
ftp://ftp.kde.org/pub/kde/security_patches
unless stated otherwise.
-
KPDF contains multiple integer overflow and integer arithmetic flaws that may make it possible
to execute arbitrary code on the client machine via remotely supplied PDF files.
Read the detailed advisory.
All versions of KDE up to and including KDE 3.3.1 are affected.
-
KDE may unexpectedly expose user provided passwords in certain cases, especially passwords for
SMB shares.
Read the detailed advisory.
All versions of KDE up to and including KDE 3.3.2 are affected.
-
KFax contains several vulnerabilities that may cause specially crafted fax files to trigger
buffer overflows and execute arbitrary code.
Read the detailed advisory.
All versions of KDE up to and including KDE 3.3.1 are affected.
No source patches are available for this problem, users are advised to either remove KFax or
to upgrade to KDE 3.3.2.
-
The Konqueror webbrowser allows websites to load webpages into
a window or tab currently used by another website.
Read the detailed advisory.
All versions of KDE up to and including KDE 3.3.2 are affected.
-
Two flaws in the Konqueror webbrowser make it possible to by pass
the sandbox environment which is used to run Java-applets.
Read the detailed advisory.
All versions of KDE up to and including KDE 3.3.1 are affected.
-
kpdf contains a buffer overflow in its xpdf-based code which can be triggered
by a specially crafted pdf file.
Read the detailed advisory.
All versions of KDE up to and including KDE 3.3.2 are affected.
-
ftp kioslave contains a vulnerability which allows to inject arbitrary ftp or
smtp commands.
Read the detailed advisory.
All versions of KDE up to and including KDE 3.3.2 are affected.
-
kpdf contains a buffer overflow in its xpdf-based code which can be triggered
by a specially crafted pdf file.
Read the detailed advisory.
All versions of KDE up to and including KDE 3.3.2 are affected.
-
fliccd of kdeedu/kstars/indi contains multiple buffer overflow vulnerabilites.
Read the detailed advisory.
All versions of KDE 3.3 up to and including KDE 3.3.2 are affected.
-
A local user can lock up the dcopserver of arbitrary other users
on the same machine by stalling the DCOP authentication process.
Read the detailed advisory.
All versions of KDE up to and including KDE 3.3.2 are affected.
-
International Domain Name (IDN) support in Konqueror/KDE makes
KDE vulnerable to a phishing technique known as a Homograph attack.
Read the detailed advisory.
All versions of KDE up to and including KDE 3.3.2 are affected.
-
The dcopidlng script is vulnerable to symlink attacks, potentially
allowing a local user to overwrite arbitrary files of a user when
the script is run on behalf of that user. This only affects users
who compile KDE or KDE applications themselves.
Read the detailed advisory.
All versions of KDE up to and including KDE 3.3.2 are affected.
-
The kdewebdev tool Kommander is vulnerable to unconfirmed execution
of code from untrusted locations.
Read the detailed advisory.
All versions of KDE between KDE 3.2 and KDE 3.4.0 are affected.
-
KImgio, the KDE image loader plugins, are vulnerable to several input
validation errors, possibly allowing to execute arbitrary code.
Read the detailed advisory.
All versions of KDE up to and including KDE 3.4.0 are affected.
-
The Kate KPart (used by the applications kate and kwrite, possibly others)
generates a backup file with default permissions upon saving. Depending
on the setup, this could cause file content leak to local and remote
(due to network transparency) users.
Read the detailed advisory.
KDE 3.2.x up to including KDE 3.4.0 are affected.
-
The Gadu-Gadu protocol handler of Kopete 3.3 and above contains a copy
of libgadu, that is used if there is no system installed libgadu library.
Multiple integer overflow vulnerabilities have been found in libgadu.
Read the detailed advisory.
KDE 3.3.x up to including KDE 3.4.1 are affected.
-
Kpdf shares code with xpdf, which contains a vulnerability that
can cause it to write a temp file with almost infinite size to $TMPDIR
upon parsing malformed PDF documents.
detailed advisory.
All KDE versions from 3.3.1 up to and including KDE 3.4.1 are affected.
-
The langen2kvtml script (included in kdeedu/kvoctrain) contains
multiple temp file generation vulnerabilities.
Read the detailed advisory.
KDE 3.0.x up to including KDE 3.4.2 are affected.
-
The kcheckpass utility contains on certain platforms a local
root vulnerability.
Read the detailed advisory.
KDE 3.2.0 up to including KDE 3.4.2 are affected.
-
The kcheckpass utility contains on certain platforms a local
root vulnerability.
Read the detailed advisory.
KDE 3.2.0 up to including KDE 3.4.2 are affected.
-
kpdf contains several buffer overflows in its xpdf-based code which can be triggered
by a specially crafted pdf file.
Read the detailed advisory.
All versions of KDE up to and including KDE 3.5.0 are affected.
-
kjs contains a heap based buffer overflow when decoding certain malcrafted utf8
uri sequences.
Read the detailed advisory.
All versions of KDE starting with KDE 3.2.0 up to and including KDE 3.5.0 are affected.
-
kpdf contains a buffer overflow in its xpdf-based code which can be triggered
by a specially crafted pdf file.
Read the detailed advisory.
All versions of KDE 3.3.0 up to and including KDE 3.5.1 are affected.
-
kpdf contains a buffer overflow in its xpdf-based code which can be triggered
by a specially crafted pdf file.
Read the detailed advisory.
All versions of KDE 3.3.0 up to and including KDE 3.3.2 are affected.
-
KDM contains a symlink attack vulnerability that allows a normal
user to read files from other users including root.
Read the detailed advisory.
All versions of KDE starting with KDE 3.2.0 up to and including KDE 3.5.2
are affected.
Please check the bug database
before filing any bug reports. Also check for possible updates on this page
that might describe or fix your problem.
FAQ
See the KDE FAQ for any specific
questions you may have. Questions about Konqueror should be directed
to the Konqueror FAQ
and sound related questions are answered in the FAQ of
the aRts Project
Download and Installation
Library Requirements.
KDE 3.3 requires or benefits
from the given list of libraries, most of which should be already installed
on your system or available from your OS CD or your vendor's website.
The complete source code for KDE 3.3.1 is available for download:
The Konstruct build toolset can help you
downloading and installing these tarballs.
Binary packages
Some Linux/UNIX OS vendors have kindly provided binary packages of
KDE 3.3 for some versions of their distribution, and in other cases
community volunteers have done so.
Some of these binary packages are available for free download from KDE's
http or
FTP mirrors.
At the time of this release, pre-compiled packages are available for:
Additional binary packages might become available in the coming weeks,
as well as updates to the current packages.
Developer Info
If you need help porting your application to KDE 3.x see the
porting guide or subscribe to the
KDE Devel Mailinglist
to ask specific questions about porting your applications.
There is also info on the architecture
and the
programming interface of KDE 3.3.