LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 05-07-2020, 08:13 PM   #31
ehartman
Senior Member
 
Registered: Jul 2007
Location: Delft, The Netherlands
Distribution: Slackware
Posts: 1,631

Rep: Reputation: 845

Quote:
Originally Posted by rkelsen View Post
Guys, 14.2 is actively receiving security patches... that includes KDE4.
And ktown for 14.2 is not!
 
1 members found this post helpful.
Old 05-07-2020, 08:27 PM   #32
bassmadrigal
LQ Guru
 
Registered: Nov 2003
Location: West Jordan, UT, USA
Distribution: Slackware
Posts: 6,962

Rep: Reputation: 4643
Quote:
Originally Posted by rkelsen View Post
Guys, 14.2 is actively receiving security patches... that includes KDE4.
There are vulnerabilities in 14.2's KDE that have not been patched. This may be due to a lack of patches provided by KDE, a lack of patches available by the community, or the issues are not deemed severe enough to warrant using the patches available or creating new patches for them.

There have only been 5 updates to KDE packages since 14.2 was released. 3 of the updates weren't related to security fixes, just rebuilding to allow multiple TLS versions (Nov 2019). So there have only been 2 security updates for KDE since 14.2 was released with several open vulnerabilities. The first security fix was in August 2019 and the second security fix was in 2017. This leaves several open vulnerabilities, however, they are mostly minor and easy to work around (which might be why there haven't been updates for them).
 
1 members found this post helpful.
Old 05-08-2020, 12:13 AM   #33
baumei
Member
 
Registered: Feb 2019
Location: USA; North Carolina
Distribution: Slackware!
Posts: 155

Original Poster
Rep: Reputation: 55
As far as I can tell the most recent change to KDE4 in Slackware 14.2 is to "kdelibs-4.14.38".

So, I untarred the source code for "kdelibs-4.14.38". In the library are many pieces of software, and among them are two HTML rendering engines: "khtml" and "kdewebkit". Apparently, Khtml was the original, and WebKit is a fork of Khtml.

In the "khtml" directory is a file named "ChangeLog". The most recent entry in it is dated "2007-10-13".

In the "kdewebkit" directory there is no change-log, however most of the files have a 2009 copyright.

I suppose some people might assert Khtml and WebKit were perfect, and needed no patching. However, I strongly doubt such is the case. In my opinion, this software is way out of date.

Last edited by baumei; 05-08-2020 at 12:15 AM.
 
Old 05-08-2020, 10:59 AM   #34
bassmadrigal
LQ Guru
 
Registered: Nov 2003
Location: West Jordan, UT, USA
Distribution: Slackware
Posts: 6,962

Rep: Reputation: 4643
There's no reason to guess based on the extracted source how old things are. KDE's source repos are on github. The source repo as it was when 4.14.38 was released is here.

khtml folder
kdewebkit folder

And with many projects that have moved to git, many times they stop updating the changelogs because that's available in the commit history. The changelog in khtml folder hasn't been updated in 13 years, but the most recent update in the 4.14.38 tarball for that folder was in 2017, and 2015 for kdewebkit. You can click on the history button to see the commits for that folder in chronological order (the most recent first).

Nobody is disputing KDE4 is old. Nobody is disputing that KDE4 has open vulnerabilities (or that there are probably vulnerabilities that haven't been found or published). It is up to the user to decide whether or not they want to use KDE4, try to find patches and rebuild the vulnerable packages, or use a different WM/DE. Removing KDE is not needed to protect yourself as long as you don't use the afflicted programs, but a user is free to do that as well. 14.2 is VERY unlikely to get bumped to Plasma5 as it would require a lot of updated packages, but it is highly suspected -current will eventually get Plasma5 before 15.0 is released.

Last edited by bassmadrigal; 05-08-2020 at 11:01 AM.
 
3 members found this post helpful.
Old 05-10-2020, 12:14 PM   #35
baumei
Member
 
Registered: Feb 2019
Location: USA; North Carolina
Distribution: Slackware!
Posts: 155

Original Poster
Rep: Reputation: 55
Hi "bassmadrigal",

Thank you for your reply. You have summed up the ideas I was attempting to express:

(A) "Nobody is disputing KDE4 is old."
I also agree it is old. I never did find a clear record of the day KDE4 was declared end-of-life, however what I did find appears to indicate this was done sometime in 2015. My understanding of the end-of-life declaration is that afterward there would be no improvements to KDE4 by the official developers (perhaps some security patches, but no improvements or new features). As far as I can tell, the developers have done what they said/implied they would do, and I think this is reasonable.

(B) "Nobody is disputing that KDE4 has open vulnerabilities."
I agree that KDE4 has some vulnerabilities which have been issued CVE numbers, and it appears that some of these have not yet been fixed --- oh well, I think this fits with their end-of-life declaration. As you have pointed out, these unresolved CVE entries seem to be relatively minor.

(C) "[...] there are probably vulnerabilities that haven't been found or published."
This idea was a significant factor in prompting my initial posting. I had long known KDE4 was old, and that it was a set of many individual pieces of software. However, I did not know of the security status of KDE4 and/or its components, and the searching I did before my initial posting was not successful. So, I asked on Linux Questions, and the replies were quite helpful. :-)
 
Old 05-14-2020, 10:54 AM   #36
baumei
Member
 
Registered: Feb 2019
Location: USA; North Carolina
Distribution: Slackware!
Posts: 155

Original Poster
Rep: Reputation: 55
Recently, I was reading about "khtml" and "kdewebkit" and found out these HTML engines do not internally handle JavaScript, but use "kjs" for this. All three of these are part of the library "kdelibs-4.14.38".

Looking up on GitHub the "kjs" part of "kdelibs-4.14.38" I find that the last commit was on 2016/Oct/7 (https://github.com/KDE/kdelibs/commits/.../kjs).

It was after 2016 that Meltdown and Spectre and cousins were in the news. Below are some quotes out of some articles about JavaScript and these processor flaws.

Quote:
Security researchers have recently uncovered security issues known as Meltdown and Spectre. These issues apply to all modern processors and allow attackers to gain read access to parts of memory that were meant to be secret. To initiate a Spectre- or Meltdown-based attack, the attacker must be able to run code on the victim’s processor. WebKit is affected because in order to render modern web sites, any web JavaScript engine must allow untrusted JavaScript code to run on the user’s processor. Spectre impacts WebKit directly. Meltdown impacts WebKit because WebKit’s security properties must first be bypassed (via Spectre) before WebKit can be used to mount a Meltdown attack.
[source for quote on "webkit.org"]
Quote:
Both attacks only apply if you run somebody else’s untrusted code on your computer.

For most of us, the only way we do this is by browsing the Web and going to pages that have JavaScript. Major browsers are already limiting the ability for JavaScript to perform precise timing, which will make both attacks impossible.
[source for quote on "medium.com"]
Quote:
There is already some examples online for exploiting CPU speculative execution using JavaScript - complete with explanation of the disassembly for the said code. Such an example of vulnerable JavaScript is shown below, an excerpt of the paper on Spectre attacks:
source for quote on "React, etc. Tech Stack"
The "kjs" JavaScript software which is in "kdelibs-4.14.38" does not have any of the 'hardening' which was being advocated.

Last edited by baumei; 05-14-2020 at 11:01 AM.
 
1 members found this post helpful.
Old 05-19-2020, 12:53 PM   #37
baumei
Member
 
Registered: Feb 2019
Location: USA; North Carolina
Distribution: Slackware!
Posts: 155

Original Poster
Rep: Reputation: 55
After doing some looking on the Internet I found a website which offers to run a set of tests against the web-browser which is displaying their webpage (the test requires JavaScript):
Quote:
How secure is your browser? BrowserAudit checks that your web browser correctly implements a wide variety of security standards and features. [source for quote on BrowserAudit.com]
I ran the Audit on a guinea pig computer running Slackware 14.2 with no data on it and a new user, using the WebKit (HTML rendering engine) and the KJS (executes JavaScript; part of "kdelibs-4.14.38"). The results were:
Code:
    17 critical errors
    10 warnings
   350 tests passed
    27 tests skipped
  -----
   404 total
These 17 critical errors have to do with "same origin policy": 14 for improper XMLHttpRequest handling, and 3 for improper cookie handling.

These 10 warnings show up in: content security policy (connect-src), cross-origin resource sharing (Access-Control-Expose-Headers), and response headers (X-Frame-Options and Strict-Transport-Security).

I do not know whether this Audit tests the web-browser for being resistant to the JavaScript speculative-execution attacks.

Last edited by baumei; 05-19-2020 at 11:30 PM.
 
1 members found this post helpful.
Old 05-20-2020, 11:00 PM   #38
baumei
Member
 
Registered: Feb 2019
Location: USA; North Carolina
Distribution: Slackware!
Posts: 155

Original Poster
Rep: Reputation: 55
While looking for information regarding JavaScript versus Meltdown and Spectre and cousins, I came across this webpage which I think is well written and useful: "meltdownattack.com/".
Among other things, this webpage provides hyperlinks to two interesting PDF files, Meltdown and Spectre.

Also interesting is this posting: Google Project Zero blog entry.

According to my understanding:
(1) KDE released "khtml" around 1998/1999 (HTML rendering engine).
(2) KDE released "kjs" in or around 2000 (JavaScript engine).
(3) In or around 2002 Apple forked kjs, calling it "JavaScriptCore" (part of "WebKit").
(4) In or around 2003 Apple forked khtml, calling it "WebCore" (part of "WebKit").
(5) In or around 2008 Google chose WebKit for their new "Chrome" web-browser.
(6) In 2013 Google forked WebCore, calling it "Blink", and began using this for Chrome.
It is said that many of the improvements which Apple developed for their WebKit fork, were backported (presumably into khtml and kjs).

For many years the WebKit was used by: Chrome, Safari, KDE Konqueror, and BlackBerry Browser. So, a mention of a vulnerability for any one of these, probably means all have it.

I came across mention of a webpage which offers to run a JavaScript program to attack/test one's computer: the Tencent Spectre vulnerability tester. From the description, it appears that at least these two things must be true for this program to say the computer being tested is vulnerable:
(A) The web-browser and its JavaScript engine must be willing and able to participate in the attack on the processor.
(B) The processor must be susceptible to the attack.

Last edited by baumei; 05-20-2020 at 11:02 PM.
 
1 members found this post helpful.
Old 05-21-2020, 01:07 AM   #39
bassmadrigal
LQ Guru
 
Registered: Nov 2003
Location: West Jordan, UT, USA
Distribution: Slackware
Posts: 6,962

Rep: Reputation: 4643
I tested that website with konqueror (and Chrome) and neither are showing vulnerable on my system (but I'm running a fairly up-to-date 5.4 kernel on 14.2 on my AMD Ryzen 1800x -- I think this wasn't hit very hard compared to some Intel chips).
 
1 members found this post helpful.
Old 05-21-2020, 09:13 AM   #40
baumei
Member
 
Registered: Feb 2019
Location: USA; North Carolina
Distribution: Slackware!
Posts: 155

Original Poster
Rep: Reputation: 55
Hi "bassmadrigal",

According to my understanding, for the conditions in the three columns, the result given by the Tencent JavaScript will be:

Code:
(A) The processor being tested can be
    either: vulnerable to Spectre (V), or
    not vulnerable (NV).
(B) The browser being tested can be either:
    hardened against the JavaScript which
    would attack the processor (H), or not
    hardened (NH).
(C) There is a configuration or some
    software or another method for:
    blocking the JavaScript which would
    attack the processor (B), or
    no blocking (NB).

       (A)        (B)      (C)
    processor   browser   other   result
--|-----------|---------|-------|--------
1       V          H        B       NV
2       V          H       NB       NV
3       V         NH        B       NV
4       V         NH       NB        V
5      NV          H        B       NV
6      NV          H       NB       NV
7      NV         NH        B       NV
8      NV         NH       NB       NV
I read that because of Spectre, AMD released a microcode patch for the Ryzen processors.

From your message it appears likely you have applied the microcode patch, and/or have an effective method which will block the JavaScript test. So, it appears likely to me your test of Chrome is one of case #5 or #6 or #7 or #8, and your test of Konqueror is one of case #5 or #6 or #7 or #8.

As far as I can tell, to test the browser using the Tencent JavaScript test, one needs a system which otherwise fits case #2 or #4.

Last edited by baumei; 05-21-2020 at 10:13 AM.
 
Old 05-21-2020, 10:21 AM   #41
bassmadrigal
LQ Guru
 
Registered: Nov 2003
Location: West Jordan, UT, USA
Distribution: Slackware
Posts: 6,962

Rep: Reputation: 4643
If I compare the tests between Chrome and konqueror, it seems like konqueror doesn't even try and do the javascript test, because it almost immediately says it's not vulnerable. Chrome takes a few seconds as it goes through various checks.

And I just checked the settings and found that konqueror was using the webkit engine. If I switch it to the khtml, the site doesn't even properly load. My guess is the javascript supported in konqueror isn't complete enough to be able to run the site properly, which in turn, likely prevents a user from being vulnerable to attack. Webkit supports a great deal more than khtml (and seems to be the default engine), but it still seems quite limited compared to other browsers.

And that doesn't surprise me one bit. I would occasionally try using konqueror and hated the browsing experience with it since it didn't support a lot of functionality from various sites.

However, I did check my computer using the spectre-meltdown-checker.sh script, and neither of my two Slackware systems are currently vulnerable, so I guess someone would need to check on a vulnerable system to verify...

But this seems to indicate how little of a problem this is. First, you need to have a system that's vulnerable. If you've been keeping your system up-to-date, it is likely Slackware patches have resolved the issues with having your CPU vulnerable. This right there will fix your vulnerability no matter what browser you use. However, I still believe that the javascript support on konqueror is limited enough that it doesn't support the code needed to be vulnerable.
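
The CPU and kernel side of the check discussed in posts #40 and #41, as an added example that is not part of any post in this thread: Linux kernels from 4.15 onward publish a per-issue status line under /sys/devices/system/cpu/vulnerabilities, and this POSIX shell code classifies each entry. The function names and the status strings in the demo are constructed for illustration, and the result says nothing about hardening inside a browser's JavaScript engine.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are illustrative.

# classify_status "STATUS LINE"
# prints: not_affected | mitigated | partial | vulnerable | unknown
classify_status() {
    _s=${1#KVM: }                  # itlb_multihit prefixes its status with "KVM: "
    case "$_s" in
        "Not affected"*)           echo not_affected ;;
        Mitigation*[Vv]ulnerable*) echo partial ;;    # e.g. "...; SMT vulnerable"
        Mitigation*)               echo mitigated ;;
        *[Vv]ulnerable*)           echo vulnerable ;;
        *)                         echo unknown ;;
    esac
}

# report_cpu_vulns [DIR]: prints one line per issue file found in DIR.
# Returns 0 if every entry is mitigated or not affected, 1 otherwise,
# 2 if DIR does not exist (kernel too old to publish the information).
report_cpu_vulns() {
    _dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    [ -d "$_dir" ] || { echo "missing: $_dir" >&2; return 2; }
    _rc=0
    for _f in "$_dir"/*; do
        [ -f "$_f" ] || continue
        _status=$(head -n 1 "$_f")
        _class=$(classify_status "$_status")
        printf '%s: %s (%s)\n' "${_f##*/}" "$_class" "$_status"
        case "$_class" in
            mitigated|not_affected) ;;
            *) _rc=1 ;;            # partial, vulnerable and unknown all need a look
        esac
    done
    return "$_rc"
}

# Demo on constructed status strings (not output from any machine in the
# thread). Call report_cpu_vulns with no argument to read the live sysfs tree.
demo=$(mktemp -d)
printf 'Mitigation: PTI\n'                               > "$demo/meltdown"
printf 'Not affected\n'                                  > "$demo/l1tf"
printf 'Mitigation: Clear CPU buffers; SMT vulnerable\n' > "$demo/mds"
printf 'Vulnerable\n'                                    > "$demo/spectre_v2"
report_cpu_vulns "$demo" || echo "needs attention (exit status $?)"
rm -rf "$demo"
```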
 
Old 05-22-2020, 01:03 PM   #42
baumei
Member
 
Registered: Feb 2019
Location: USA; North Carolina
Distribution: Slackware!
Posts: 155

Original Poster
Rep: Reputation: 55
Hi "bassmadrigal",

Did you try out the BrowserAudit to see what it finds regarding the security of the various web-browsers you may find interesting? (If you decide to run the audit against a web-browser, the audit requires JavaScript be functional.)
 
Old 05-22-2020, 01:18 PM   #43
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,437

Rep: Reputation: 2095
Quote:
Originally Posted by baumei View Post
Does anyone know whether patches are still being created and released for KDE 4.14.3?
KDE 4.14.3 is part of Red Hat Enterprise Linux 7 and thus officially supported until June 2024. So in theory folks who want to keep a safe and clean KDE 4 on Slackware 14.2 could always use Red Hat's patches. On a side note, support for KDE on Red Hat has been officially discontinued since the 8.0 release.

Cheers,

Niki
 
1 members found this post helpful.
Old 05-25-2020, 12:05 AM   #44
baumei
Member
 
Registered: Feb 2019
Location: USA; North Carolina
Distribution: Slackware!
Posts: 155

Original Poster
Rep: Reputation: 55
Hi "kikinovak",

Thank you for the information about RHEL 7 having continued to use and update KDE-4. It took some looking, but eventually I found that CentOS has the software repository for RHEL, and that their 7.x line has gotten up to 7.8 these days.

In Slackware 14.2 we have "kdelibs-4.14.38" dated 2019/Nov/8. In CentOS 7.8 I see they have "kdelibs-4.14.8-12" dated 2020/Apr/3. I expanded the source-code of both, so that I could compare the various files.

Spectre brought to the foreground of the World some of the problems with JavaScript, so I looked at the "kjs" part of each 'package'. The "kjs" files from CentOS are all dated 2015/May/7, and the "kjs" files from Slackware are all dated 2017/Nov/4. Comparing what is in a few .cpp files I think the Slackware set is more recent, and it is not that someone 'touched' them to a later date. I doubt that either version has been hardened against Spectre. :-(
 
Old 05-25-2020, 12:20 AM   #45
bassmadrigal
LQ Guru
 
Registered: Nov 2003
Location: West Jordan, UT, USA
Distribution: Slackware
Posts: 6,962

Rep: Reputation: 4643
The reality is people shouldn't be using konqueror from KDE4 if they want a secure browsing experience (no clue if the one from Plasma5 is any better). I highly doubt the webengine for KDE4 or Plasma5 sees as much development as Blink (from Chromium) and Gecko (from Firefox).
 
  


All times are GMT -5. The time now is 02:47 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration