KDE 2.2.2 Info Page
KDE 2.2.2 was released on November 21, 2001. Read the official announcement.
For a list of changes since KDE 2.2.1, see the list of changes.
For a high-level overview of the features of KDE, see the KDE info page.
For a graphical tutorial on using KDE 2, see this tutorial page from Linux Mandrake.
This page will be updated to reflect changes in the status of 2.2.2, so check back for new information.
FAQ
See the KDE FAQ for any specific questions you may have. Questions about Konqueror should be directed to the Konqueror FAQ, and sound-related questions are answered in the Arts FAQ.
Download and Installation
See the links listed in the announcement. The KDE Installation FAQ provides generic instructions about installation issues.
If you want to compile from sources, we offer instructions and help for common problems in the Compilation FAQ.
Updates
Please refer to KDE 3.0, the next stable release.
Security Issues
Konqueror fails to correctly initialize the site domains for sub-(i)frames and may as a result allow access to foreign cookies.
It is strongly recommended to upgrade at least kdelibs to KDE 3.0.3a in which this bug is fixed.
A patch is also available for download to address this particular problem.
KDE's SSL implementation fails to check the basic constraints on certificates and as a result may accept certificates as valid that were signed by an issuer who was not authorized to do so.
Due to this, users of Konqueror and other SSL-enabled KDE software may fall victim to a malicious man-in-the-middle attack without noticing. In such a case the user will be under the impression that there is a secure connection with a trusted site while in fact a different site has been connected to.
We recommend that users upgrade to at least KDE 3.0.3, but a patch for KDE 2.2.2 is also available.
- A Denial of Service vulnerability has been found in the aRts soundserver. All versions of KDE 2.2.x and KDE 3.0.x are affected. If you allow untrusted users to log in, it is recommended to remove the sUID bit of the artswrapper application. To achieve this, please run the following command in the directory artswrapper is installed in:
chmod u-s artswrapper
Several buffer overflows have been found in code that KGhostview shares with other PostScript viewers. Read the detailed advisory. Updating to KDE 3.0.4 is recommended.
A patch is also available for download to address this particular problem.
- Several vulnerabilities have been found in LISa/resLISa and the rlan:// protocol, including the possibility to escalate the privileges to root via a remote attack. See the detailed advisory for an explanation and instructions for immediate workaround. There is no patch available; other than the recommended workarounds, you're encouraged to upgrade to a KDE 3.x release. The use of LISa/resLISa is strongly discouraged in any security-relevant area. Never make it available outside your local, trusted network.
- The rlogin and telnet protocol implementations in KIO allow remote command execution. See the detailed advisory for an explanation and instructions for immediate workaround. There is no patch available; other than the recommended workarounds, you're encouraged to upgrade to a KDE 3.x release.
Several shell escaping vulnerabilities have been found throughout KDE which allow a remote attacker to execute commands as the local user. Read the detailed advisory. It is strongly recommended to update to KDE 3.0.5a.
Several patches that address these issues have been made available for those who are unable to update to KDE 3.x.
Several problems with KDE's use of Ghostscript were discovered that allow the execution of arbitrary commands contained in PostScript (PS) or PDF files with the privileges of the victim. Read the detailed advisory. It is strongly recommended to update to KDE 3.1.1a.
Several patches that address these issues have been made available for those who are unable to update to KDE 3.x.
KDE's SSL implementation in KDE 2.x matches certificates based on IP number instead of hostname. Due to this, users of Konqueror and other SSL-enabled KDE software may fall victim to a malicious man-in-the-middle attack without noticing. In such a case the user will be under the impression that there is a secure connection with a trusted site while in fact a different site has been connected to. Read the detailed advisory.
We recommend that users upgrade to the KDE 3.x series, but patches for KDE 2.2.2 [1, 2] are also available.
- An HTTP authentication credentials leak via the "Referer" header was discovered by George Staikos in Konqueror. If the HTTP authentication credentials were part of the URL, they would possibly be sent in the Referer header to a third-party web site. Read the detailed advisory. KDE 3.1.3 and newer are not vulnerable. We recommend that users upgrade to the KDE 3.x series, but patches for KDE 2.2.2 [patch] are also available.
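The Referer leak above comes down to sending a URL that still carries its `user:password@` part. The following is an added illustration, not code from KDE or from the patch: the helper name `sanitizedReferrer` and the sample URLs are assumptions made for this example.

```cpp
// Added example (not KDE code): derive a Referer value that never carries
// HTTP authentication credentials embedded in the originating URL.
#include <iostream>
#include <string>

// Hypothetical helper: returns `url` with any "user:password@" userinfo and
// any "#fragment" removed, so it is safe to send as a Referer header value.
std::string sanitizedReferrer(const std::string &url)
{
    // The fragment is local to the client and is never sent to a server.
    std::string out = url.substr(0, url.find('#'));

    // Only "scheme://authority..." URLs have an authority with userinfo.
    // A "://" that first appears after a '/' or '?' is not the scheme marker.
    const std::string::size_type schemeEnd = out.find("://");
    if (schemeEnd == std::string::npos || out.find_first_of("/?") < schemeEnd)
        return out;
    const std::string::size_type authStart = schemeEnd + 3;

    // The authority ends at the first '/' or '?', or at the end of the URL.
    std::string::size_type authEnd = out.find_first_of("/?", authStart);
    if (authEnd == std::string::npos)
        authEnd = out.size();
    if (authEnd == authStart)
        return out;                       // empty authority, e.g. file:///

    // Userinfo ends at the LAST '@' inside the authority: an unescaped '@'
    // in the password must not leave part of the secret behind.
    const std::string::size_type at = out.rfind('@', authEnd - 1);
    if (at == std::string::npos || at < authStart)
        return out;                       // no credentials in this URL

    out.erase(authStart, at - authStart + 1);
    return out;
}

int main()
{
    // Constructed sample URLs; the hosts are placeholders.
    const char *samples[] = {
        "http://alice:secret@intranet.example/private/index.html#top",
        "http://alice:p@ss@intranet.example/report",
        "http://www.example.org/mail?to=bob@example.org",
    };
    for (const char *s : samples)
        std::cout << s << "\n  Referer: " << sanitizedReferrer(s) << "\n";
    return 0;
}
```

An `@` that appears only in the path or query is left alone, because the search is bounded by the end of the authority.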
Bugs
No major bugs are known.
Please check the bug database before filing any bug reports. Also check for possible updates that might fix your problem.
Developer Info
If you need help porting your application to KDE 2.x, see the porting guide or discuss your problems with fellow developers on the kde2-porting@kde.org mailing list.
There is also info on the architecture and the programming interface of KDE 2.2.2.