Real, KDE Patch Security Flaws | eWeek

Real, KDE Patch Security Flaws

Verfasst von
Matthew Broersma
Matthew Broersma
Oct 27, 2004
2 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

RealNetworks Inc. and KDE eV on Tuesday both released patches for their desktop software, fixing serious security holes that could allow an attacker to take over a users system.

The update to KOffice, the productivity suite that is part of the K Desktop Environment, patched flaws in a library called xpdf, which handles PDF files. The integer overflow bugs allow an attacker to craft a document using Adobes PDF that executes malicious code when viewed by an application relying on xpdf.

In the case of KOffice, users could have been attacked via KWords PDF import filter. Version 1.3.4, available from KDE, fixes the bug, project maintainers said.

Because the bugs also affect applications that use xpdf, such as the CUPS printing system, they have prompted a flood of updates from major Linux vendors since Friday. Red Hat Inc., Novell Inc.s SuSE Linux division, MandrakeSoft SA, the KDE project, Debian, Gentoo Technologies Inc. and others have issued updates for CUPS, xpdf, kdegraphics and related components.

/zimages/5/28571.gifClick hereto read eWEEK Labs review of KDE 3.3.

The xpdf flaw is just one of the serious security flaws Linux vendors have patched in the past few days. The libtiff and libpng graphics libraries, used by many graphics applications, and the Gaim instant-messaging client were all found to contain bugs that could allow remote system compromise. Patches are available from Linux vendors and from the Gaim project..

Meanwhile, RealNetworks said several versions of its RealPlayer and RealOne Player for Windows—some of the most widely used desktop applications—contain a flaw that could attack users via a specially-crafted “skin” file.

Skins are used to customize the appearance of a player, and have become a well-known vector for launching attacks. In this case, a third-party compression library, DUNZIP32.dll, contains a boundary error that can be triggered during the processing of skin files, according to RealNetworks. An attacker could cause a buffer overflow, allowing the execution of malicious code, the company said in an advisory.

RealOne Player versions 1 and 2 are affected, as are versions 10 to 10.5 (6.0.12.1053) of RealPlayer; a more recent version of RealPlayer, 10.5 (6.0.12.1056), is not affected. Linux and Mac OS X versions arent affected. Patches are available for the more recent affected applications, but users of older products must download a full upgrade to fix the bug.

Earlier this month RealNetworks patched a bug in its Windows players that could have allowed a Web site to execute code on a users PC. That vulnerability, like the latest skin file flaw, was reported to RealNetworks by eEye Digital Security Inc.

/zimages/5/28571.gifCheck out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

/zimages/5/77042.gif

Be sure to add our eWEEK.com Security news feed to your RSS newsreader or My Yahoo page

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.