[Kde-pim] Fwd: Re: KDE 4.4.98 (4.4 RC3)

Eike Hein hein at kde.org
Sun Feb 7 02:36:48 GMT 2010

On 2/7/2010 2:08 AM, Thiago Macieira wrote:
> This is not about KNotify.

No, but KNotify is where we're seeing lots of crashes due to
it, and not just in Konversation. The underlying problem is
likely to rear its head in other circumstances as well, but
KNotify is particularly easy to exploit, so a workaround
could be a good idea. I assume that's why you opined on IRC
earlier that it should be a release blocker.

> Those shouldn't happen in applications normally, but Konversation will happily
> accept input from the network without verifying it.

I'd say considering that the author of QtDbus wasn't aware
of this D-Bus behavior, many other application authors will
be unlikely to be aware of it as well.

Furthermore, when calling into KNotification the fact that
it ends up using D-Bus and ends up crashing is an implemen-
tation detail the caller shouldn't need to be aware of: The
KNotification documentation doesn't say you can't pass it
these Unicode characters without crashing your application
as a consequence. Unrelated to what Konversation should do
(and we will indeed add a filter as well, since we have to
deal with KDE 4.3 being vulnerable as well) KNotification
should verify its input here given the consequences.

Best regards,
Eike Hein

More information about the kde-core-devel mailing list