Fading Memories

About

Ramblings about books and other things that will soon fade from my memory.

Boudewijn Rempt

2009-04-03

Beware...

Of people issuing "security" patches. Last week a couple of Linux distributions were suckered into updating lcms with a patch coming from a certain Andrea Barisani, because of an alleged security risk... Well, this patch completely and utterly broke lcms. And right at the time when we were tagging KOffice RC1, so people who run up-to-date distros started reporting crashes in Krita. We nearly got a heart attack thinking it was our code...

To quote Marti Maria, the lcms maintainer:

The short history is, a guy called Andrea Barisani, claiming to represent some obscure security company called oCERT, was providing a patch to fix a "vulnerability" they found.

At the end, the oCERT company was just Andrea Barisani, who set up oCERT in 2008 to get Google sponsoring.

The whole internet is now filled with hype about this "vulnerability", and in truth this "patch" breaks littlecms functionality, and probably opens some back door, so, please:

DON'T USE PATCHES FROM UNTRUSTED SOURCES.

I guess you were told something similar in school, right? :-)

The problem, if any, is restricted to a very specific architecture (x86, no DEP, crafted profile).

With this patch lcms does not work at all. Please upgrade to 1.18 and let's forget all this nasty stuff.

So, if you're packaging lcms for your distro, please upgrade to 1.18. And, please, if you patch lcms, make sure it's an official patch, from a trusted source. Like, Marti Maria...

Update: Kubuntu has a fix, and Marc Deslauriers has identified the possible culprit in the security patch. This patch was also in 1.18b1, but was removed in 1.18b2.


Lots of releases...

This week, at work, we released the 1.0 stable version of the Hyves Desktop, with source available (for almost everything but the photo uploader and editor plugin, more's the pity), and also the iPhone app, a Java phone app and a Firefox toolbar. It's nice to work for a company that actually ships!

KOffice 2.0 RC1 got tagged. There's a nasty file handling bug in Krita that we haven't been able to pin down, so we might need another RC, though. Or it might be an lcms issue. But getting here has been an enormous relief. KOffice 2.0 won't replace KOffice 1.6 or OpenOffice as a stable workhorse, but it is a release that really allows us to build on.

Update: yes, it is an lcms issue -- 1.17 got a security patch last week which broke Krita. 1.18 is fine.

And then there's KDE 4.2.2 -- I'm using it with Qt 4.5, and it's pretty stable, except for some KRunner quirkiness: URLs get autocompleted but without hits, so pressing Enter does nothing and I have to press End, then Enter; and sometimes nothing gets executed although there are hits, especially with URLs that are in the history.