Whoops: KDE fliccd Buffer Overflow Vulnerabilities

Filed under: KDE, Security

"Erik Sjölund has reported some vulnerabilities in KDE, which can be exploited by malicious, local users to gain escalated privileges and potentially by malicious people to compromise a vulnerable system."

"The vulnerabilities are caused due to boundary errors in fliccd and can be exploited to cause stack-based buffer overflows... in KDE 3.3 through 3.3.2."

Quoted.

No word from KDE on the subject as of yet.
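The advisory above attributes the fliccd issues to boundary errors that lead to stack-based buffer overflows, reachable by a local user (and potentially a remote one) against a process that runs with more privilege than the client. The following is an added example, not fliccd's code (the page gives no source, protocol or buffer sizes): it shows the bug class generically in C, a command handler that copies client-controlled input into a fixed stack buffer with no length check, beside a hardened handler that validates the length before copying. The command text, the `CMD_MAX` size and the handler names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Fixed size of the on-stack command buffer. fliccd's real protocol and
 * sizes are not given on the page; CMD_MAX is an assumption for illustration. */
#define CMD_MAX 64

/*
 * Vulnerable pattern (the class of bug the advisory describes): the daemon
 * reads a command from a client and copies it into a fixed stack buffer with
 * no check that it fits. A client that controls `cmd` controls how far past
 * `buf` the copy runs, overwriting saved registers and the return address.
 * In a daemon running with elevated privileges that is a privilege-escalation
 * primitive.
 *
 * Only ever called with short input here: calling it with an input of
 * CMD_MAX bytes or more is undefined behaviour and corrupts this process's
 * own stack.
 */
int handle_command_unsafe(const char *cmd)
{
    char buf[CMD_MAX];

    strcpy(buf, cmd);            /* boundary error: no length check */
    return (int)strlen(buf);     /* stand-in for "dispatch the command" */
}

/*
 * Hardened pattern: treat the length as untrusted, reject anything that does
 * not fit (including room for the terminating NUL), and copy with an explicit
 * bound. Rejecting is preferable to silently truncating: a truncated command
 * can still change meaning, and the caller should log it and drop the client.
 */
int handle_command_safe(const char *cmd, size_t cmdlen)
{
    char buf[CMD_MAX];

    if (cmd == NULL || cmdlen >= sizeof buf)
        return -1;               /* does not fit: reject, do not copy */
    if (memchr(cmd, '\0', cmdlen) != NULL)
        return -1;               /* embedded NUL: malformed, reject */

    memcpy(buf, cmd, cmdlen);
    buf[cmdlen] = '\0';
    return (int)cmdlen;          /* stand-in for "dispatch the command" */
}

/* Constructed input: a command that fits the buffer. */
int demo_short_command(void)
{
    const char *cmd = "SET verbose 1";              /* constructed, 13 bytes */
    return handle_command_safe(cmd, strlen(cmd));   /* returns 13 */
}

/* Constructed input: 199 bytes of 'A', the shape of a classic overflow probe.
 * The hardened handler refuses it instead of writing past buf. */
int demo_overlong_command(void)
{
    char probe[200];

    memset(probe, 'A', sizeof probe - 1);
    probe[sizeof probe - 1] = '\0';
    return handle_command_safe(probe, sizeof probe - 1);   /* returns -1 */
}

int main(void)
{
    printf("short command accepted: %d\n", demo_short_command());
    printf("overlong command rejected: %d\n", demo_overlong_command());
    printf("unsafe handler, short input only: %d\n",
           handle_command_unsafe("SET verbose 1"));
    return 0;
}
```

The fix is the length check before the copy, not the choice of `memcpy` over `strcpy`: `strncpy(buf, cmd, sizeof buf)` without a check would still leave `buf` unterminated for an input of exactly `CMD_MAX` bytes. Compiling the vulnerable handler with `-fstack-protector` or running it under AddressSanitizer turns the silent overwrite into an abort, which is how this class of bug is usually caught in testing.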
