Some of our projects release on their own timescale and some get released
en-masse. The 20.08.3 bundle of projects was released today with dozens of
bugfixes and will be available through app stores and distros soon. See the
20.08.3 releases page for details.
Some of the fixes in today’s releases:
* Gwenview no longer accidentally shows the thumbnail view as a separate window with newer Qt versions
* Sending SMS with KDEConnect has been restored
* Fixed a possible Okular crash when selecting text in annotations
Announcement:
https://kde.org/announcements/releases/2020-11-apps-update/
Changelog:
https://kde.org/announcements/fulllog_releases-20.08.3/
Dozens of KDE apps are getting new releases from KDE’s release service. New
features, usability improvements, re-designs and bug fixes all contribute to
helping boost your productivity and making this new batch of applications more
efficient and pleasant to use.
KDE Project Security Advisory
=============================
Title: Ark: maliciously crafted TAR archive with symlinks can install files outside the extraction directory.
Risk Rating: Important
CVE: CVE-2020-24654
Versions: ark <= 20.08.0
Author: Elvis Angelaccio <elvis.angelaccio@kde.org>
Date: 27 August 2020
Overview
========
A maliciously crafted TAR archive containing symlink entries
would install files anywhere in the user's home directory upon extraction.
Proof of concept
================
For testing, an example of malicious archive can be found at
https://github.com/jwilk/traversal-archives/releases/download/0/dirsymlink.tar
Impact
======
Users can unwillingly install files like a modified .bashrc, or a malicious
script placed in ~/.config/autostart.
Workaround
==========
Before extracting a downloaded archive using the Ark GUI, users should inspect it
to make sure it doesn't contain symlink entries pointing outside the extraction folder.
The 'Extract' context menu from the Dolphin file manager shouldn't be used.
Solution
========
Ark 20.08.1 skips maliciously crafted symlinks when extracting TAR archives.
Alternatively, 8bf8c5ef07 can be applied to previous
releases.
Credits
=======
Thanks to Fabian Vogt for reporting this issue and for fixing it.
MFH: 2020Q3
Security: CVE-2020-24654
Dozens of KDE apps are getting new releases from KDE’s release service. New
features, usability improvements, re-designs and bug fixes all contribute to
helping boost your productivity and making this new batch of applications more
efficient and pleasant to use.
Full announcement:
https://kde.org/announcements/releases/2020-08-apps-update/
KDE Project Security Advisory
=============================
Title: Ark: maliciously crafted archive can install files outside the extraction directory.
Risk Rating: Important
CVE: CVE-2020-16116
Versions: ark <= 20.04.3
Author: Elvis Angelaccio <elvis.angelaccio@kde.org>
Date: 30 July 2020
Overview
========
A maliciously crafted archive with "../" in the file paths
would install files anywhere in the user's home directory upon extraction.
Proof of concept
================
For testing, an example of malicious archive can be found at
https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip
Impact
======
Users can unwillingly install files like a modified .bashrc, or a malicious
script placed in ~/.config/autostart.
Workaround
==========
Users should not use the 'Extract' context menu from the Dolphin file manager.
Before extracting a downloaded archive using the Ark GUI, users should inspect it
to make sure it doesn't contain entries with "../" in the file path.
Solution
========
Ark 20.08.0 prevents loading of malicious archives and shows a warning message
to the users.
Alternatively,
0df592524f
can be applied to previous releases.
Credits
=======
Thanks to Dominik Penner for finding and reporting this issue and thanks to
Elvis Angelaccio and Albert Astals Cid for fixing it.
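The inspection both advisories above recommend (entries with "../" in their paths, and symlink entries pointing outside the extraction folder) can be automated before an archive is opened. The following is an added example written for this page, not Ark's own code: it uses Python's tarfile and zipfile modules on constructed in-memory archives and treats "/x" as a stand-in extraction root.

```python
"""Offline check for archive entries that would land outside the extraction
directory: "../" paths (CVE-2020-16116) and escaping symlinks (CVE-2020-24654)."""
import io
import posixpath
import tarfile
import zipfile
ROOT = "/x"  # stand-in for the extraction directory; only the prefix matters

def escapes(path):
    """True if ROOT/path, after normalising '.' and '..', lies outside ROOT."""
    full = posixpath.normpath(posixpath.join(ROOT, path))
    return full != ROOT and not full.startswith(ROOT + "/")

def unsafe_tar_entries(data):
    """Names of tar members written outside ROOT, resolving earlier symlinks in the archive."""
    links, bad = {}, []
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        for m in tf:
            name = m.name
            for link, target in links.items():  # rewrite through earlier symlinks
                if name == link or name.startswith(link + "/"):
                    name = target + name[len(link):]
            if posixpath.isabs(m.name) or escapes(name):
                bad.append(m.name)
            elif m.issym() or m.islnk():
                # hard links name another member; symlinks are relative to their directory
                target = m.linkname if m.islnk() else posixpath.join(posixpath.dirname(name), m.linkname)
                if m.issym():
                    links[m.name] = posixpath.normpath(target)
                if posixpath.isabs(m.linkname) or escapes(target):
                    bad.append(m.name)
    return bad

def unsafe_zip_entries(data):
    """Names of zip members whose stored path would escape ROOT."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if posixpath.isabs(n) or escapes(n)]

def build_samples():
    """Constructed sample archives with the advisories' patterns (not the real PoCs)."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        ok = tarfile.TarInfo("link"); ok.type, ok.linkname = tarfile.SYMTYPE, "safe.txt"
        up = tarfile.TarInfo("dir"); up.type, up.linkname = tarfile.SYMTYPE, "../"
        for ti in (tarfile.TarInfo("safe.txt"), ok, up, tarfile.TarInfo("dir/.bashrc")):
            tf.addfile(ti)
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("safe.txt", ""); zf.writestr("../.config/autostart/x.desktop", "")
    return tar_buf.getvalue(), zip_buf.getvalue()
```

The benign "link -> safe.txt" symlink is not reported, while both the "dir -> ../" symlink and the "dir/.bashrc" member that would be written through it are.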
From the changelog [1]:
Some of the fixes included in this release are:
* kio-fish: Only store password in KWallet if the user asked for it.
* Umbrello: fixes for adding multiline C++ comment support.
* The scrolling behavior in the Okular document viewer has been
improved and is more usable with free-spinning mouse wheels
* A regression that sometimes caused the JuK music player to
crash on start has been fixed
* The Kdenlive video editor has received many stability updates,
including a fix to the DVD chapter creation and a fix that
improves the handling of timecodes, improved handling of missing
clips, a “photo” frame drawn on image clips to differentiate them from
video clips, and previews in the timeline
* KMail now correctly handles existing maildir folders when adding
a new maildir profile and no longer crashes when adding too many
recipients
* Import and export of Kontact settings has been enhanced to include
more data
[1] https://kde.org/announcements/changelog-releases.php?version=20.04.1
KDE's April 2020 Apps Update
A new bundle of KDE applications is here! In these releases, you can expect to
find more features, stability improvements, and more user-friendly tools that
will help you work more effectively.
There are dozens of changes to look forward to in most of your favorite
applications. Take Dolphin, for example. Windows Samba shares are now fully
discoverable.
On the topic of playing music: the Elisa music player is adding features by
leaps and bounds. This release brings a new “Now Playing” view, easy
accessibility through the system tray, and an option to minimize the playlist
whenever you want. Thanks to the recently-added visual shuffle mode, it’s much
easier to rearrange your music in the playlists.
These are just the highlights of what’s new in KDE’s applications this month.
Read on to find out about everything we’ve prepared for you.
Announcement:
https://kde.org/announcements/releases/2020-04-apps-update/
New versions of KDE applications landing in December
The release of new versions for KDE applications is part of KDE’s continued
effort to bring you a complete and up-to-date catalog of fully-featured,
beautiful and useful programs for your system.
Available now are new versions of KDE’s file browser Dolphin; Kdenlive, one of
the most complete open source video editors; the document viewer Okular; KDE’s
image viewer, Gwenview; and all of your other favorite KDE apps and utilities.
All of these applications have been improved, making them faster and more
stable and they boast exciting new features. The new versions of KDE
applications let you be productive and creative, while at the same time making
use of KDE software easy and fun.
We hope you enjoy all the novel features and improvements worked into all of
KDE’s apps!
Announcement: https://kde.org/announcements/releases/2019-12-apps-update/
November 07, 2019.
Today KDE released the third stability update for KDE Applications 19.08. This
release contains only bugfixes and translation updates, providing a safe and
pleasant update for everyone.
More than a dozen recorded bugfixes include improvements to Kontact, Ark,
Cantor, K3b, Kdenlive, Konsole, Okular, Spectacle, Umbrello, among others.
Improvements include:
* In the video-editor Kdenlive, compositions no longer disappear when
reopening a project with locked tracks
* Okular's annotation view now shows creation times in local time zone
instead of UTC
* Keyboard control has been improved in the Spectacle screenshot utility
You can find the full list of changes here:
https://kde.org/announcements/fulllog_applications-aether.php?version=19.08.3
September 05, 2019.
Today KDE released the first stability update for KDE Applications 19.08. This
release contains only bugfixes and translation updates, providing a safe and
pleasant update for everyone.
More than twenty recorded bugfixes include improvements to Kontact, Dolphin,
Kdenlive, Konsole, Step, among others.
Improvements include:
* Several regressions in Konsole's tab handling have been fixed
* Dolphin again starts correctly when in split-view mode
* Deleting a soft body in the Step physics simulator no longer causes a crash
You can find the full list of changes here:
https://kde.org/announcements/fulllog_applications-aether.php?version=19.08.1
Release notes at
https://kde.org/announcements/kde-frameworks-5.61.0.php
Thanks to
antoine@ for the exp-runs,
tcberner@ for most of the prep-work,
the Gentoo community for cherry-picking patches
There are a bunch of changes in (implicitly included) headers, which
broke existing KDE Applications builds; that's why there are a whole
bunch of "patch-gentoo-kf5-5.61-headers" patches (taken from Gentoo
packaging). Those will go away with the next KDE Applications release,
PR: 239777
Submitted by: tcberner
as defined in Mk/bsd.default-versions.mk which has moved from GCC 8.3
to GCC 9.1 under most circumstances now after revision 507371.
This includes ports
- with USE_GCC=yes or USE_GCC=any,
- with USES=fortran,
- using Mk/bsd.octave.mk which in turn features USES=fortran, and
- with USES=compiler specifying openmp, nestedfct, c11, c++0x, c++11-lang,
c++11-lib, c++14-lang, c++17-lang, or gcc-c++11-lib
plus, everything INDEX-11 shows with a dependency on lang/gcc9 now.
PR: 238330
July 11, 2019.
Today KDE released the third stability update for KDE Applications 19.04. This
release contains only bugfixes and translation updates, providing a safe and
pleasant update for everyone.
Over sixty recorded bugfixes include improvements to Kontact, Ark, Cantor, JuK,
K3b, Kdenlive, KTouch, Okular, Umbrello, among others.
Improvements include:
* Konqueror and Kontact no longer crash on exit with QtWebEngine 5.13
* Cutting groups with compositions no longer crashes the Kdenlive video editor
* The Python importer in Umbrello UML designer now handles parameters with default arguments
Changelog:
https://kde.org/announcements/fulllog_applications-aether.php?version=19.04.3
This makes it possible to build on non-x86 with default options. Support
for rar archives is via external executables, so there is no change in the
port's compiled artifacts.
Thanks linimon@ for the functional part of the change. While here,
polish up descriptions and links and bits and bobs.
PR: 236240
Submitted by: linimon
As the patch says, when ZSTD support is present creating a regular .tar archive
will end up creating a zstd file instead. In my tests, this prevented
adding/removing entries from the archive at all.
MFH: 2019Q1
Starting with version 18.12.0, Ark has included a custom kerfuffle.xml mime
type to support zstd-compressed files (the mimetype was only added to
shared-mime-info starting with version 1.11, which we don't ship yet). We need
to make sure update-mime-database is run, otherwise Ark will still fail to
recognize those archives.
a symbol matches multiple clauses the last one takes precedence. If the
catch-all is last it captures everything. In the case of Qt5 libraries
this caused all symbols to have a Qt_5 label while some should have
Qt_5_PRIVATE_API. This only affects lld because GNU ld always gives the
catch-all lowest priority.
Older versions of Qt5Webengine exported some memory allocation symbols from
the bundled Chromium. Version 5.9 stopped exporting these [1] but the
symbols were kept as weak wrappers for the standard allocation functions to
maintain binary compatibility. [2][3] The problem is that the call to the
standard function in these weak wrappers is only resolved to the standard
function if there's a call to this standard function in other parts of
Qt5Webengine, because only then is there a non-weak symbol that takes
precedence over the weak one. If there's no such non-weak symbol the call
in the weak wrapper resolves to the weak wrapper itself creating an infinite
call loop that overflows the stack and causes a crash. Some of the
allocation functions are variants of C++ new and delete and it probably
depends on the compiler whether these variants are used in other parts of
Qt5Webengine.
Remove the weak wrappers (make them Linux specific). This isn't binary
compatible but we are already breaking that with the changes to the symbol
versions.
[1] 5c2cbfccf9
[2] 2ed5054e3a
[3] 009f5ebb4b
Bump all ports that depend on Qt5.
PR: 234070
Exp-run by: antoine
Approved by: kde (adridg)
Release Announcement:
https://www.kde.org/announcements/announce-applications-18.12.1.php
Today KDE released the first stability update for KDE Applications 18.12.
This release contains only bugfixes and translation updates, providing a
safe and pleasant update for everyone.
About 20 recorded bugfixes include improvements to Kontact, Cantor, Dolphin,
JuK, Kdenlive, Konsole, Okular, among others.
Improvements include:
* Akregator now works with WebEngine from Qt 5.11 or newer
* Sorting columns in the JuK music player has been fixed
* Konsole renders box-drawing characters correctly again
You can find the full list of changes here:
https://www.kde.org/announcements/fulllog_applications-aether.php?version=18.12.1
Ports that build out of source now simply can use "USES=cmake"
instead of "USES=cmake:outsource". Ports that fail to build
out of source now need to specify "USES=cmake:insource".
I tried to only set insource where explicitly needed.
PR: 232038
Exp-run by: antoine
defined via Mk/bsd.default-versions.mk which has moved from GCC 7.4 to
GCC 8.2 under most circumstances.
This includes ports
- with USE_GCC=yes or USE_GCC=any,
- with USES=fortran,
- using Mk/bsd.octave.mk which in turn features USES=fortran, and
- with USES=compiler specifying openmp, nestedfct, c11, c++0x, c++11-lang,
c++11-lib, c++14-lang, c++17-lang, or gcc-c++11-lib
plus, as a double check, everything INDEX-11 showed depending on lang/gcc7.
PR: 231590
From now on, ports that depend on Qt4 will have to set
USES= qt:4
USE_QT= foo bar
ports depending on Qt5 will use
USES= qt:5
USE_QT= foo bar
PR: 229225
Exp-run by: antoine
Reviewed by: mat
Approved by: portmgr (antoine)
Differential Revision: https://reviews.freebsd.org/D15540