Slackware: This forum is for the discussion of Slackware Linux.
I have been attempting to find the vulnerability/bug/patch history of KDE 4.14.3 (because it is used in Slackware 14.2), in order to see whether patches for KDE 4.14.3 are still being created and released.
I have attempted several different searches on LinuxQuestions, but found no mentions of vulnerabilities of KDE 4.14.
I did some searching on the Internet, and found no mention of vulnerabilities of KDE 4.14. What I did find is that someone wrote KDE 4.14.3 was released on 2014/Nov/11, and that it is the most recent version in the KDE 4 series, and that development has been discontinued (date not specified).
Does anyone know whether patches are still being created and released for KDE 4.14.3?
There have been a few updates in the 14.2 changelog, with the latest security fix being:
Code:
Thu Aug 8 05:25:56 UTC 2019
patches/packages/kdelibs-4.14.38-x86_64-1_slack14.2.txz: Upgraded.
kconfig: malicious .desktop files (and others) would execute code.
For more information, see:
https://mail.kde.org/pipermail/kde-announce/2019-August/000047.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
(* Security fix *)
But you should pretty much expect that KDE4 is EOL and won't be receiving any patches or updates as all their development is with Plasma5. I did have a search through the CVE database for KDE and that came up with some results. It might be a good place to start.
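The changelog check described in the post above can be scripted. What follows is an added example in shell, not code from the thread or from Slackware: it parses ChangeLog.txt entries in the format shown above and lists every package whose entry carries the "(* Security fix *)" marker, optionally filtered by a substring of the package name. The sample changelog is constructed; only the kdelibs entry is copied from the post, the demo-lib and example-tool entries are invented, and the ChangeLog path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from Slackware: list the packages
# whose Slackware ChangeLog entry carries the "(* Security fix *)" marker.
# Usage on a real tree (path is an assumption):
#   security_fixes "$(cat /path/to/slackware64-14.2/ChangeLog.txt)" kde

# Constructed ChangeLog excerpt in the real format. Only the kdelibs entry is
# copied from the thread; demo-lib and example-tool are invented packages.
SAMPLE_CHANGELOG='Thu Aug  8 05:25:56 UTC 2019
patches/packages/kdelibs-4.14.38-x86_64-1_slack14.2.txz:  Upgraded.
  kconfig: malicious .desktop files (and others) would execute code.
  For more information, see:
  https://mail.kde.org/pipermail/kde-announce/2019-August/000047.html
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
  (* Security fix *)
+--------------------------+
Mon Jul  1 00:00:00 UTC 2019
patches/packages/demo-lib-2.1-x86_64-1_slack14.2.txz:  Upgraded.
  Constructed entry: one package in this entry is a security fix ...
  (* Security fix *)
patches/packages/example-tool-1.0-x86_64-2_slack14.2.txz:  Rebuilt.
  Constructed entry: ... and the other is only a packaging change.
+--------------------------+'

# security_fixes CHANGELOG_TEXT [NAME_SUBSTRING]
# Prints one package path per line. A single dated entry may describe several
# packages, each with its own marker, so the per-package state is reset at
# every "*.txz:" line and not only at the +---+ separator between entries.
security_fixes() {
    printf '%s\n' "$1" | awk -v want="${2:-}" '
        function flush() {
            if (sec && (want == "" || index(pkg, want) > 0)) print pkg
            pkg = ""; sec = 0
        }
        /\.t[gx]z: +[A-Z]/       { flush(); pkg = $1; sub(/:$/, "", pkg); next }
        /\(\* Security fix \*\)/ { sec = 1 }
        /^\+-+\+$/               { flush() }
        END                      { flush() }'
}

# Demo: security fixes touching anything with "kde" in the package name.
security_fixes "$SAMPLE_CHANGELOG" kde
```

Without a filter the function prints every security-flagged package; with "kde" it prints only the kdelibs entry, and example-tool is never printed because its marker-less description ends the entry.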
Quote:
in order to see whether patches for KDE 4.14.3 are still being created and released.
No, they aren't. KDE has long gone to KDE/Plasma 5 and very sporadically some bug fixes get backported, like kdelibs-4.14.38, kdepim-4.14.10 and kdepimlibs-4.14.10 (all in November last year), but these are the only ones since 2016
There are additional patches on top of KDE 4.14.38 floating around out there. I discovered this when I hit a bug in KMyMoney (https://bugs.kde.org/show_bug.cgi?id=412366). Additional patches are here (I'm not using any of them):
Thank you for this URL! I see they list quite a few flaws. As you wrote, I also do not expect these to be fixed. So, I will remove from my computers the Slackware packages which contain those programs. :-(
Since there is no expectation of the pieces of KDE 4.14.3 being repaired/patched, then for any computer which is ever used with the Internet the only reasonable course of action is to remove the offending programs. I think these should be removed:
Code:
CVE-2020-9359   KDE Okular before 1.10.0
CVE-2020-11880  KDE KMail before 19.12.3
CVE-2019-7443   KDE KAuth before 5.55
CVE-2019-14744  KDE Frameworks KConfig before 5.61.0
CVE-2019-10734  In KDE Trojita 0.7
CVE-2019-10732  In KDE KMail 5.2.3
CVE-2018-6791   KDE Plasma Workspace before 5.12.0
CVE-2018-6790   KDE Plasma Workspace before 5.12.0
CVE-2018-19120  The HTML thumbnailer in KDE Applications before 18.12.
CVE-2018-10380  kwallet-pam in KDE KWallet before 5.12.6
CVE-2017-9604   KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2
CVE-2016-6232   KArchive before 5.24
CVE-2016-3100   kinit in KDE Frameworks before 5.23.0
CVE-2015-1308   kde-workspace 4.2.0 and plasma-workspace before 5.1.95
CVE-2015-1307   plasma-workspace before 5.1.95
CVE-2014-8878   KDE KMail
CVE-2014-8600   KDE-Runtime 4.14.3 and earlier
After I remove the above pieces of KDE 4.14.3, I wonder how much of the remainder of KDE will continue to function?
Quote:
Originally Posted by baumei
Since there is no expectation of the pieces of KDE 4.14.3 being repaired/patched, then for any computer which is ever used with the Internet the only reasonable course of action is to remove the offending programs.
I don't think this is a reasonable course of action considering many of these have nothing to do with being connected to the internet and many are not automatic entry points into the system. Ideally, the best option would be to get -current on Plasma5 and possibly find fixes for KDE4 on 14.2 (possibly pull them from other projects), but none of these are bad enough to warrant complete removal of the programs. The worst offender is probably kmail/trojita, but it has to be the perfect storm of events and all it does is leak the contents of the encrypted email if you happen to reply to the attackers email. The karchive bug can be
red = Valid concern if connected to internet and using program
orange = If certain conditions are met when using program, could be valid. Easily bypass bug if aware of issue
yellow = Internet is not required for this vulnerability
green = 14.2 and -current aren't affected if fully up-to-date
Quote:
CVE-2020-9359 KDE Okular before 1.10.0 -- Don't click on links in PDFs.
CVE-2020-11880 KDE KMail before 19.12.3 -- If you click a mailto link, make sure that only files you want to include are attached.
CVE-2019-7443 KDE KAuth before 5.55 -- Has nothing to do with connecting to the Internet. Your machine could be affected regardless.
CVE-2019-14744 KDE Frameworks KConfig before 5.61.0 -- Already patched on 14.2 and -current.
CVE-2019-10734 In KDE Trojita 0.7 -- Valid flaw if connected to the Internet and using program and encrypted emails make their way to unintended recipients.
CVE-2019-10732 In KDE KMail 5.2.3 -- Valid flaw if connected to the Internet and using program and encrypted emails make their way to unintended recipients.
CVE-2018-6791 KDE Plasma Workspace before 5.12.0 -- Don't use random thumbdrives.
CVE-2018-6790 KDE Plasma Workspace before 5.12.0 -- Valid concern if using the internet as it can disclose your IP. Ensure you have a good firewall.
CVE-2018-19120 The HTML thumbnailer in KDE Applications before 18.12. -- Disable html previews.
CVE-2018-10380 kwallet-pam in KDE KWallet before 5.12.6 -- Slackware doesn't include PAM in 14.2, and it doesn't seem like kwallet was recompiled to support PAM in -current (but I'm no KDE expert and it could be a part of kde-workspace)
CVE-2017-9604 KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2 -- Only applies when trying to encrypt files when using the "Send Later" feature and it just doesn't encrypt the email, which can allow sniffers to get it.
CVE-2016-6232 KArchive before 5.24 -- Valid issue if connected to the internet and using KArchive to open downloaded archives. Could overwrite user files or system files if run as root.
CVE-2016-3100 kinit in KDE Frameworks before 5.23.0 -- Allows *local users* to potentially gain access, nothing to do with the Internet.
CVE-2015-1308 kde-workspace 4.2.0 and plasma-workspace before 5.1.95 -- 14.2 and -current are NOT affected.
CVE-2015-1307 plasma-workspace before 5.1.95 -- No Slackware version is affected since none contain Plasma5. ktown has long been fixed.
CVE-2014-8878 KDE KMail -- 14.2 and -current are NOT affected.
CVE-2014-8600 KDE-Runtime 4.14.3 and earlier -- 14.2 and -current are NOT affected.
I think what's often confusing is that for older software, sometimes we'll look at CVE databases and see that there are no new vulnerabilities reported, and assume that our software is therefore safe. The problem with that is that, with software that is explicitly EOL such as KDE4, vulnerabilities aren't being actively *looked for*, so IMO it should be assumed that the software is completely unsupported and *could* be completely insecure.
There's little reason on a server setup to have KDE installed at all, so I would delete the entire kde4 packageset in 14.2 from any server systems that have a full Slackware install deployed.
On desktop workstations? I've moved pretty much all of mine to -current so I can't really say what I would personally do under those circumstances. I can't see any security vulnerabilities that exist doing something so severe as to cause panic, but to each their own I guess.
I realize I wrote "any computer which is ever used with the Internet", however to me this includes more than some people might expect --- and I was not thinking only of me and my computers (intending to have a thread which is useful to many people). For example, it is for most people a common occurrence to load a webpage with JavaScript code in it. According to my understanding JavaScript is able to cause local software to run on the computer, and if the local software has a vulnerability, then it may be exploited by the JavaScript. (As I understand it, JavaScript is these days the primary vector by which malicious software is installed on a computer.)
Another consideration is sneakernet. I do not want any ransomware nor other malicious software getting from the Internet to any of my computers, so I consider to be important vulnerabilities such as:
Quote:
CVE-2018-6791 An issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace before 5.12.0. When a vfat thumbdrive that contains `` or $() in its volume label is plugged in and mounted through the device notifier, it's interpreted as a shell command, leading to a possibility of arbitrary command execution. An example of an offending volume label is "$(touch b)" -- this will create a file called b in the home folder.
In my opinion, the method used for deploying Stuxnet could easily be used for deploying other malicious software. In a rather different situation, the malicious software was in the firmware of a printer, and it attacked the computer through the printer cable; these days the vector could also be: an external hard-drive, a USB WiFi device, an SD card, &c.
On a different topic, it appears that "plasma" was around before the "Plasma5" version. I am not familiar with either of them, however I see in the kde/tagfile for Slackware 14.2 "kdeplasma-addons" and "plasma-nm", and from this I deduce that some variety of "plasma" existed in at least some part of the KDE 4.14.3 software. So, I look askance at the CVE vulnerabilities which mention plasma.
Also, I agree with "poprocks" when he points out, "I think what's often confusing is that for older software, sometimes we'll look at CVE databases and see that there are no new vulnerabilities reported, and assume that our software is therefore safe. The problem with that is that, with software that is explicitly EOL such as KDE4, vulnerabilities aren't being actively *looked for*, so IMO it should be assumed that the software is completely unsupported and *could* be completely insecure."
For me in my situation, I have neither the knowledge nor the time to fix KDE4. Also, I do not want to run Slackware-current, because its software churn is not reasonably compatible with my life (so, I am eagerly awaiting Slackware 14.3 or 15.0).
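The volume-label bug quoted in the post above (CVE-2018-6791) is an ordinary shell-injection pattern: untrusted text is pasted into a command string that a shell later parses, and the fix is the same as for any other instance of it. Here is an added example in shell that is neither KDE's code nor from the thread; the helper names notify_unsafe, notify_safe and label_is_clean are invented for the illustration, and the constructed label uses an echo payload instead of the "$(touch b)" from the CVE text so that running it creates no files.

```shell
#!/bin/sh
# Added example, not KDE's code and not from the thread. The helper names
# (notify_unsafe, notify_safe, label_is_clean) are invented for illustration.

# Constructed label in the shape the CVE text gives ("$(touch b)"); the
# payload here only echoes a marker so running the demo has no side effects.
EVIL_LABEL='backup $(echo INJECTED)'

# Vulnerable pattern: the label is pasted into a command STRING that another
# shell parses, so $(...) and backticks inside the label are executed.
notify_unsafe() {
    sh -c "echo Mounted volume: $1"
}

# Hardened pattern: the label is handed over as a separate ARGUMENT to the
# child shell and only ever expanded inside double quotes there, so it is
# printed verbatim and never parsed as shell syntax.
notify_safe() {
    sh -c 'printf "Mounted volume: %s\n" "$1"' notify "$1"
}

# Defence in depth: reject labels containing shell metacharacters before they
# reach any command at all. Returns 0 when the label is clean, 1 otherwise.
label_is_clean() {
    case $1 in
        *'$'*|*'`'*|*';'*|*'|'*|*'&'*|*'<'*|*'>'*|*'('*|*')'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demo run: the first line carries the injected marker, the second does not.
notify_unsafe "$EVIL_LABEL"
notify_safe "$EVIL_LABEL"
```

The same argument-passing rule applies in any language: build the argument vector (execve-style) and never let a device label, file name or .desktop value become part of a string that a shell has to re-parse. The allow-list check is a second layer, not a replacement, because it is easy to forget a metacharacter.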
Quote:
Originally Posted by baumei
On a different topic, it appears that "plasma" was around before the "Plasma5" version. I am not familiar with either of them, however I see in the kde/tagfile for Slackware 14.2 "kdeplasma-addons" and "plasma-nm", and from this I deduce that some variety of "plasma" existed in at least some part of the KDE 4.14.3 software.
Yes, plasma was used as a tag for some of the later additions (and versions) to the KDE 4 desktop.
In 5 it got completely separated out from the rest of the KDE toolkit and applications, so it became the desktop name
Plasma 5 (the desktop, not called KDE anymore)
KDE 5 Frameworks
KDE 5 Applications
KDE Neon
etc, all different products with their own versioning
Quote:
Originally Posted by baumei
I realize I wrote "any computer which is ever used with the Internet", however to me this includes more than some people might expect --- and I was not thinking only of me and my computers (intending to have a thread which is useful to many people). For example, it is for most people a common occurrence to load a webpage with JavaScript code in it. According to my understanding JavaScript is able to cause local software to run on the computer, and if the local software has a vulnerability, then it may be exploited by the JavaScript. (As I understand it, JavaScript is these days the primary vector by which malicious software is installed on a computer.)
One of my goals was to point out that many of these bugs have nothing to do with connecting to the internet. If you use the software some of these vulnerabilities don't require any internet access. The javascript vulnerability above doesn't have any ability to get into the system, it can just do some minor things like add bookmarks for a website. This is why they rated the severity as minor.
Quote:
Originally Posted by baumei
Another consideration is sneakernet. I do not want any ransomware nor other malicious software getting from the Internet to any of my computers, so I consider to be important vulnerabilities such as:
In my opinion, the method used for deploying Stuxnet could easily be used for deploying other malicious software. In a rather different situation, the malicious software was in the firmware of a printer, and it attacked the computer through the printer cable; these days the vector could also be: an external hard-drive, a USB WiFi device, an SD card, &c.
This is definitely a valid concern, but there are a lot more serious concerns with untrusted thumbdrives that have nothing to do with the software you run on your computer. You just flat out should not plug in an untrusted device. The last time I plugged in a device that wasn't straight from the manufacturer was when my wife and I got our wedding photos back in 2014, but it came from our wedding photographer, so hardly untrusted.
Quote:
Originally Posted by baumei
On a different topic, it appears that "plasma" was around before the "Plasma5" version. I am not familiar with either of them, however I see in the kde/tagfile for Slackware 14.2 "kdeplasma-addons" and "plasma-nm", and from this I deduce that some variety of "plasma" existed in at least some part of the KDE 4.14.3 software. So, I look with askance at the CVE vulnerabilities which mention plasma.
plasma-workspace did not exist in software form before Plasma5. I imagine some of it came from parts of KDE4, but that CVE is tied to plasma-workspace, so I imagine the same vulnerability doesn't exist in KDE4 or they would've mentioned the package it's tied to.
Quote:
Originally Posted by baumei
Also, I agree with "poprocks" when he points out, "I think what's often confusing is that for older software, sometimes we'll look at CVE databases and see that there are no new vulnerabilities reported, and assume that our software is therefore safe. The problem with that is that, with software that is explicitly EOL such as KDE4, vulnerabilities aren't being actively *looked for*, so IMO it should be assumed that the software is completely unsupported and *could* be completely insecure."
This is also true. Less tested code is unlikely to see new bugs disclosed. But at the same time, KDE4 was used for quite some time before moving onto Plasma5, so it is reasonable to think that many bugs were found and fixed. It is also likely that the various nefarious people out there aren't going to be targeting KDE4 since many have already moved onto Plasma5, so it's less likely that unfound exploits would be found unless they also applied to Plasma5.
Quote:
Originally Posted by baumei
For me in my situation, I have neither the knowledge nor the time to fix KDE4. Also, I do not want to run Slackware-current, because its software churn is not reasonably compatible with my life (so, I am eagerly awaiting Slackware 14.3 or 15.0).
This is the reason I don't like to run -current. I don't have the time to administer my computer as much as is needed to properly use -current. But I don't think you'd need to take the drastic measure of removing KDE4 just because some vulnerabilities exist for it. If they were serious enough to leave you wide open and not something you can work around, then maybe you should stop using it or uninstall it, but that isn't the case with the known vulnerabilities for KDE4. They either are minor issues or easy to workaround.
I was looking through the Slackware 14.2 package descriptions for KDE, and I found:
Code:
kde-baseapps: kde-baseapps (KDE core
kde-baseapps: applications and files)
kde-baseapps:
kde-baseapps: This package provides the
kde-baseapps: core applications and
kde-baseapps: infrastructure files for
kde-baseapps: the KDE Plasma Desktop.
and
Code:
kde-workspace: kde-workspace (KDE Plasma
kde-workspace: Desktop)
kde-workspace:
kde-workspace: This package provides the
kde-workspace: essential parts of the
kde-workspace: KDE Plasma Desktop that
kde-workspace: are presented to the user.
and
Code:
kdeplasma-addons: kdeplasma-addons (Plasma
kdeplasma-addons: addons for KDE)
kdeplasma-addons:
kdeplasma-addons: Plasmoids (or widgets)
kdeplasma-addons: for the KDE Plasma
kdeplasma-addons: Desktop shell.
and
Code:
kscreen: kscreen (KDE screen management)
kscreen:
kscreen: KScreen is the new screen
kscreen: management software for KDE
kscreen: Plasma Workspaces which tries
kscreen: to be as magic and automatic as
kscreen: possible for users with basic
kscreen: needs and easy to configure for
kscreen: those who want special setups.
and
Code:
oxygen-icons: oxygen-icons (Oxygen theme
oxygen-icons: for the KDE Plasma Desktop)
oxygen-icons:
oxygen-icons: Oxygen provides a complete
oxygen-icons: and modern icon theme for
oxygen-icons: KDE.
and
Code:
plasma-nm: plasma-nm (KDE
plasma-nm: networkmanagement applet)
plasma-nm:
plasma-nm: This package contains the KDE
plasma-nm: networkmanagement applet.
plasma-nm: This applet is written in QML
plasma-nm: and replaces the old widget
plasma-nm: based networkmanagement applet.
So, it appears to me that the CVE vulnerabilities mentioning "plasma" might include KDE4, depending on the version number of the particular piece of software.