LWN.net Weekly Edition for December 2, 2004 [LWN.net]

A look at Xfce 4.2

December 1, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

As a rule, the Linux desktop discussion is dominated by the two heavyweight desktop environments -- KDE and GNOME. The term "heavyweight" applies to the respective "market share" of those desktops as well as the resources required to run either desktop. Linux users who wish to utilize a slightly slimmer desktop environment, without compromising features, may find the Xfce desktop environment an attractive alternative. With the release of the Xfce 4.2 release candidate, we decided to take a look at Xfce and provide a rundown of some of its more interesting features.

As the Xfce website states, Xfce is "a lightweight desktop environment for unix-like operating systems." Xfce started out as a Common Desktop Environment (CDE) clone, but has evolved into a unique desktop environment that's much more interesting (at least to this writer) than CDE.

The site os-cillation has GUI installers for Xfce 4.2RC1. To the best of this writer's knowledge, Xfce is the first desktop with its own GUI installer. There are four installers available; The base Xfce installer, the Gtk+ engine for Xfce installer, the Xfce Goodies installer and an installer for the Terminal term emulator from os-cillation. We chose to go the "kitchen sink" route, and installed everything available. However, only the base package should be required to use Xfce.

Installing Xfce with the GUI installers is a breeze, at least as long as the target system has all of the requisite software that Xfce requires to build. We built Xfce on two systems, a SUSE 9.2 system and a Ubuntu Linux system. The SUSE build went off without a hitch after installing the packages mentioned on the installer page.

The Ubuntu build failed a few times due to missing dependencies. This was easily fixed, though it was a minor annoyance having to apt-get the required libraries and re-start the install only to have it fail a few minutes later at a different point. At start time, the GUI installer identifies a few major components that are required to proceed, but doesn't display a comprehensive list of dependencies.

After the installation, it was time to exit the session in progress and log into Xfce. The first thing one will notice about Xfce is that it's much faster to load than KDE or GNOME. For users with systems with processors faster than 2 GHz and an abundance of RAM, this won't be a huge incentive to use Xfce. However, Xfce is a bit snappier than GNOME or KDE, and a great choice for older systems with less horsepower.

Many Linux users have probably run across GNOME and KDE applications that are written in such a way that they require services from their native desktop environments to function. For users that depend on applications that require GNOME or KDE services, Xfce can be configured to run GNOME or KDE services when it starts. This will slow down Xfce start time, but it's a handy feature for anyone who needs specific applications that won't otherwise cooperate with Xfce. Xfce's session settings, by default, do not allow Xfce to manage remote X applications.

The Xfce panel is highly configurable. By default, it includes launchers for the Xfce help system, Xfce configuration settings, Mozilla browser, Mozilla mail, XMMS, the Xfce "fast file manager" (Xffm), a graphical pager, terminal launcher and buttons to log out or lock your X session. Users can add launchers, remove launchers, change the orientation of the panel from horizontal to vertical and so on. The pager also allows the user to move windows from one desktop to another simply by dragging the window's outline in the pager to a different desktop. The Xfce Goodies package includes several useful plugins for the panel, including CPU and network monitors, a "show desktop" plugin and several others.

Xfce's file manager, Xffm is interesting, with quite a few handy features. Xffm includes a SMB network browser, a "Book" tree to allow users to bookmark frequently-visited directories, an fstab browser and a fairly useful find utility (Xfglob4). The Xffm components can also be invoked by themselves, so a user can call just the SMB browser by running xfsamba4 or browse only the bookmarked directories files with xfbook4. Xffm also makes it easy to rename files, create symlinks and even "scramble" files. The Xffm interface seems a bit clunky, but this writer doesn't often use file managers anyway.

Xfce is modular, meaning that the user can choose to drop components from the desktop if they are unwanted. Don't want to run the Xfce panel? No problem. Want to skip the GTK Theme Engine? That's an option as well. Users may also run various Xfce components under other window managers / desktop environments, if they prefer.

Does the world need yet another terminal emulator? This writer prefers to just use the venerable xterm, but others want a little more from their terminal emulator. The version of Terminal available from os-cillation for Xfce is only at version 0.1.10, but it seems stable enough for everyday use. Terminal has a few features not available in xterm, such as tabs for multiple terminal instances and transparency or a user-defined background image. Xfce also includes an xterm-like terminal called xfterm4, which is the default Xfce terminal.

Some of Xfce's features are not immediately visible. For example, Xfce supports Freedesktop.org Window Manager hints, XDND (drag and drop protocol) and several others. Xfce can also be configured in "kiosk mode" where Xfce can be locked down to prevent users making changes to the configuration of Xfce.

Another feature that this writer is particularly fond of is the ability to switch desktops by using the mouse scrollwheel. Simply hover the mouse over an "empty" space on the desktop and scroll. This feature is available in KDE as well, but it seems to have appeared in Xfce first.

In short, Xfce 4.2 seems to be ready for prime time. We used the release candidate for several days with no problems to speak of. It's an excellent desktop environment for users who want a clean, fast and attractive desktop.

Comments (30 posted)

The Grumpy Editor's Guide to PDF Viewers

This article is part of the LWN Grumpy Editor series.

Your editor spends a lot of time dealing with PDF files. The proliferation of "profit through litigation" business models has not helped in this regard, but, even without the legal profession's contributions, much text of interest comes in the PDF format. As a result, a great deal of your editor's time is spent working in PDF viewers. PDF viewing hassles can rival the holiday season in their ability to make an editor grumpy. There is little to be done about the latter, so it seems like a good time to review the state of the art in free PDF viewers. Maybe, in that realm, something better can be found.

In theory, PDF viewers require little in the way of features. They should present the contents of a file in a quick and readable manner, allow navigation through the file, support printing of (parts of) a PDF file, etc. So it should not be that hard to get things right. One would think. In practice, your editor has found that the quality of the available PDF viewers varies significantly, both in terms of the interface they provide and how well they simply work.

There are two base platforms upon which PDF viewers are built. Some are front ends to the ghostscript utility. Ghostscript is a large, complex, and not entirely bug-free utility (it is also a crucial part of many Linux systems); its strengths and shortcomings will be reflected in any PDF viewers built on it. Most other viewers are built on xpdf. We'll start with the ghostscript-based viewers.

GNOME Ghostview (ggv)

The GNOME PDF viewer of long standing is ggv. Interestingly, this utility seems to lack a web site, though there is an online manual available which is only slightly out of date. The most recent ggv release was in September of 2004, as part of the GNOME 2.8 package. It is a ghostscript-based viewer.

The ggv screen includes a left-hand side bar which allows instant access to any page in the document. Pages can also be marked, either directly with a mouse click or with buttons which mark all pages, or just the even or odd ones.

There is an option which can be used to print only the pages which have been marked. The "print" button in the menu bar, however, just dumps the entire file into the print subsystem without providing any opportunity for the user to redirect the job or cancel the operation entirely. Your editor, who prefers to fire up his monster duplexing laser printer for the rare large print job, gets grumpy indeed at utilities which throw output at the little inkjet printer without even asking. One should not be able to dump hundreds of pages onto a printer with a single click.

ggv does not take a whole lot of clues from the document regarding its orientation; a file which looks to be in portrait mode, but which has pages that are wider than they are tall, can be presented (and printed!) in the wrong orientation. The window size is always whatever the user used the last time around, and does not react to the orientation of the document. It is possible to ask ggv to zoom the document to fit within the window it has (a nice feature), but doing so disables the manual zoom operations (which is not). The scrollwheel may be used to move within a single page, but it will not scroll between pages, making it mostly useless.

Every now and then your editor encounters a document which ggv is unable to render. With such documents, the usual result is a blank window, which is not particularly edifying.

The visual quality of ggv's output is good; it runs ghostscript in a high-quality, antialiased mode. There is a reasonable set of configuration options for a number of aspects of ggv's operation, including how it uses ghostscript. If it were not for occasional reliability problems and a number of user interface issues, it would be a contender for this editor's favor.

kghostview

The KDE contribution in the PDF viewer arena is kghostview, shipped as part of the kdegraphics package. Like ggv, kghostview uses ghostscript as a back end; as a result, it tends to fail on the same PDF files that confuse ggv. In many ways, kghostview comes across like ggv with a KDE look; it provides many of the same features. There are some differences, however.

Like ggv, kghostview provides a navigation bar on the left side; it also allows for the marking of articles. The kghostview version is different, however, in that it includes thumbnail images of each page. These thumbnails take space, making it more likely that the user will have to scroll the navigation bar. They are, however, very nice to have when one is looking for a specific page - the beginning of a section, say, or the end of an interminable table of contents. The thumbnails, alone, make kghostview a nicer tool to use than ggv.

kghostview has a friendlier interface for printing, allowing just about any behavior to be configured. Among other things, kghostview can do 2-up or 4-up printing, which can be useful for many documents. Printing can be restricted to marked pages. And, crucially, nothing is actually sent to the printer until the user has confirmed the operation.

Scrolling through the document with the scrollwheel is supported. If the user scrolls several pages, the application does the right thing - it does not take the time to render the pages in the middle. A single keystroke will fit the rendered document into the current window without disabling the regular zoom operations. If you are currently only viewing part of a page, you can drag a box around in a special thumbnail image to move to any part of that page.

In general, the interface provided by kghostview is as nice as any PDF viewer your editor has been able to find. It is clearly a tool which has received some serious thought - and use - by its developers.

xpdf

xpdf differs from the viewers we have seen thus far in that it is not based on ghostscript; instead, it contains its own PDF interpreter and rendering engine. A couple of the immediate consequences of that difference are (1) xpdf is rather faster than the

ghostscript-based viewers, and (2) xpdf can often display documents which are not viewable with the other tools. In other words, xpdf is an important tool for those of us who end up working with PDF files often.

It is worth noting that, unlike the ghostscript-based viewers, xpdf (and others built on it) cannot handle PostScript files. That is a fundamental limitation, but, perhaps, also the source of xpdf's speed and robustness.

Compared to the GNOME and KDE viewers, xpdf is a minimalist tool. There are no menu bars, no fancy configuration widgets, and no navigation side bars. A small set of buttons at the bottom of the screen allows for movement through the file, including the ability to go to an absolute page number. A small menu gives a set of zoom options, including a couple of "fit to page" modes. Your editor notes that, when "fit to page" is enabled, the application responds poorly when its window is resized; it fails to skip intervening X resize events, and thus has to render the page numerous times. If you drag the corner of an xpdf window around for a few seconds, you can end up waiting for some time before it catches up.

The apparent simplicity of the xpdf interface hides a couple of vastly useful features. One of those is a "find in text" button, cleverly disguised as a pair of binoculars. If you have ever tried to find a particular string in a PDF file, this capability is priceless. Equally useful, if you are one of those strange people who writes articles about things found in PDF files, is the ability to cut and paste text from those files. Both of these functions silently fail if the file's text is in an image format - as is the case with many scanned legal documents. But, when they work, they are highly useful.

According to its web site, xpdf has the ability to work with encrypted PDF documents. Your editor, not having any such documents sitting around, was not able to try out that capability.

Navigation through PDF files is quick and straightforward, though it would be nice to have a side bar for going directly to pages. xpdf maintains a navigation history which can be useful for bouncing back and forth between specific pages. The scrollwheel works as one would expect. Printing support is minimal, but it has the features one really needs: the ability to print a (contiguous) subset of the file, and to specify which printer is to be used.

gpdf

gpdf is a GNOME-based PDF viewer built upon xpdf. As such, it shares the robustness and speed of xpdf. The gpdf developers, however, have added some new

features of their own - and left others out.

gpdf provides a rather confusing toolbar at the top of the page. It is far from clear, for example, how the buttons marked "next" and "previous" differ from those marked "forward" and "back". There are two downward-pointing arrows; experimentation shows that one brings up a file history menu, while the other contains anything which doesn't fit in the toolbar at the current window width. There is a side bar in gpdf. It looks as if, someday, it is meant to contain page thumbnails, but, with gpdf 2.8.0, it renders pages as blank white rectangles with drop shadows. For whatever reason, it uses a two-column format, requiring the user to make the side bar very wide, or to do a bunch of horizontal scrolling.

gpdf uses the GNOME printing widget, so it provides a higher degree of control over printing than xpdf. It can put multiple PDF file pages onto each printed page. Better printing support is a definite improvement over xpdf.

On the other hand, gpdf lacks xpdf's scrollwheel support. It does not provide the "find in text" and "cut and paste" capabilities, which, it seems, are unique to xpdf. It is not clear why those features are missing; one might guess that gpdf forked the xpdf code base before they were added.

kpdf

The first impression one gets of kpdf is that it looks much like kghostview. It has essentially the same icon layout, and a very similar

side bar with page thumbnails. kpdf, however, is an entirely different application, built on xpdf. Like gpdf, it seems to have left out many of the unique xpdf features.

kpdf is a relatively immature work. Its rendering is poor, by far the worst of any of the PDF viewers reviewed. Somehow, kpdf does not appear to understand font information well, leading to strange spacing between letters on both Fedora and Debian platforms. kpdf is speedy, however, and many of the important features are there.

It does appear that further work is being done with kpdf, at least if one goes by some screenshots linked to by KDE.News. The images suggest that the current development version supports multiple-page displays, string searches, and more. A future kpdf could well be be best PDF viewer of them all; the current version is too unfinished to be usable, however.

Concluding notes

This review has concerned itself with free PDF viewers. No review of this application space can really get away with ignoring Adobe Reader (acroread), however. This tool is certainly not free software, but there is a free-beer version available for x86 Linux systems. It is an old version; Adobe Reader 6 is not available for Linux. Even the older version, however, has its value. Occasionally a PDF file will come along that is so strange that no free viewer can cope with it. Acroread can be counted upon to work in such situations. It is, thus, one of exactly two proprietary programs on your editor's system.

Happily, free PDF viewers have come far enough along that having to fall back to acroread is a rare event.

The free PDF viewer state of the art has advanced in recent years, which is a good thing. This is an area where, for quite some time, the free alternatives lagged far behind. Now we have a wealth of viable programs to choose from. Too many, perhaps. Your editor might like it better if the development community would come together on, say, two viewers, and cooperate on making those two the best they can be. The history of these projects suggests that will not happen, however. There are two rendering engines (ghostscript and xpdf), multiplied by two desktop systems. Crossing those lines can be hard. We are likely to have a large set of actively-developed PDF viewers for some time yet.

Comments (70 posted)

Debian and the hot babe problem

This Intent To Package posting was guaranteed to raise a bit of a fuss. The program involved is hot-babe, a graphical CPU utilization monitor. It works by displaying a typical Bruno Bellamy drawing of a minimally-clad, maximally-endowed woman. As the CPU gets busier ("hotter"), the woman undresses to compensate. Your editor, whose journalistic ethics required that he investigate this utility, found it to be an amusing addition to the desktop - for about five minutes, or until the children walk in, whichever comes first.

The Debian developers raised the obvious, predictable objection to the inclusion of this utility: the associated images were covered by a non-free license.

Once that little issue was cleared up (the artist made the drawings available under the Artistic License), the way was cleared for the other predictable argument: should a utility seen by some as pornographic be part of the Debian distribution? On the face of it, there would appear to be little basis for keeping it out. The Debian standards for software require that it be free; there is nothing in the software guidelines or social contract about not being offensive to anybody.

There is no doubt that inclusion of hot-babe into Debian is asking for certain kinds of trouble. The imagery involved is no worse than that found on many European billboards, but it will go against many American "community standards" and is completely out of line by the standards of many other parts of the world. Including hot-babe in Debian will render the distribution unsafe for work environments in many places, will complicate the work of those trying to deploy it in libraries and schools, and will simply offend a certain number of the distribution's users.

Then again, the same could be said of fortunes-off, the King James Bible, or the Anarchist FAQ, all of which are already part of Debian. Some people are probably offended by fsck, Doom, or the emacs Zippy quotes file. Your editor, offended by illegible text, immediately and violently disables "color ls" on every system he installs. Creating an offense-free distribution can be a hard task even for companies which adopt that goal explicitly; it's pretty much impossible for a distribution which values freedom, and which has dedicated itself to becoming the biggest collection of free software around.

Unless the Debian Project changes its social contract to allow the exclusion of packages on moral grounds, tools like hot-babe will find a home there. Debian is, increasingly, the master repository for a family of distributions; it should probably be as inclusive as possible. Most of the distributions built on top of Debian, such as Linspire, Xandros, Skolelinux, LinEx, or Ubuntu, apply some discretion in the packages they select. They are unlikely to include tools like hot-babe, and, thus, may be considered safer versions to use in situations where somebody may get offended.

Well, OK, perhaps we can't be too sure with Ubuntu.

Linux developers and distributors clearly must be sensitive to the needs and feelings of their users. The needs that come first and foremost for Debian users are freedom and quality. Applying any other sort of filter to Debian would change that distribution in a fundamental way. The nice thing about Linux is that distributions can be made for a wide variety of audiences. A safe-for-schools version of Debian can be distributed without imposing additional standards on Debian itself. Linux can be configured to meet the tastes, morals, and standards of almost any group of users, without inflicting those standards on others. That is freedom at its best, and how it should be.

Except that your editor really would like to see color ls abolished everywhere.

Comments (55 posted)

Page editor: Jonathan Corbet

Security

A java vulnerability

December 1, 2004

This article was contributed by Jake Edge.

A vulnerability recently reported in Sun's Java browser plugin could provide the basis for one of the first cross-platform exploits. The vulnerability allows a malicious program to break out of the Java security sandbox and perform any action that the browser user has permission to do. That could include destructive filesystem changes, network access, sending email, etc. A user with a Java enabled browser would only need to visit a website that has been crafted to exploit this vulnerability and would fall victim to whatever the malware author intended.

The Java sandbox is intended to restrict Java applets so that they can only access certain approved packages in the Java virtual machine, packages that do not access anything outside of the sandbox. The exploit works by using JavaScript to acquire a reference to packages outside of the approved list and then passing that reference to an applet, subverting the sandbox. Disabling either JavaScript or the Java plugin in the browser will protect users until they can upgrade.

The vulnerability was discovered by Jouko Pynnonen in April, was fixed by Sun in October and was announced last week. Java plugin versions 1.4.2_04 and 1.4.2_05 (and presumably earlier versions as well) were found to be vulnerable on both Linux and Windows. Sun has released version 1.4.2_06 that fixes the problem. For a company that touts the security features of its Java technology, as Sun does, 5-6 months between discovery and a fix for a critical security hole seems overly long.

This vulnerability is very different from others we have seen because it exploits a problem in a technology that is specifically focused on cross-platform support. The same Java Runtime Environment (JRE) code base runs on most modern operating systems and underlies the Java support in most browsers. A significant security breakdown in the JRE affects the vast majority of Java enabled browsers in the world, including Firefox, Mozilla, and Internet Explorer. According to this posting on the Full Disclosure mailing list, Opera allows access to the restricted packages in the default security configuration and no exploit is needed to subvert the sandbox.

There are additional concerns for Netscape and IE users because applets can request particular versions of the plugin and, if that version is still installed, the browser will use it. In some cases, if the version is not installed, the user will be prompted to download and install it. This could allow a malware author to ensure that his code is running on a vulnerable JRE.

Due to Sun licensing constraints, free and open source browsers and operating systems cannot bundle the JRE and cannot do an automatic security update of the JRE. Proprietary OS and browser vendors are in the same boat unless they have licensed the JRE from Sun. The end result is that most users will need to get the updated JRE from Sun directly. As many users are not particularly diligent about seeking out security upgrades, this could leave a significant number of systems unpatched and provide an opportunity for some kind of malware to exploit this hole.

Comments (9 posted)

Brief items

SCO.com defaced

Somebody managed to deface SCO's web site (running on Apache and Linux, incidentally) over the weekend. For those who have to see it, images have been posted at Netcraft and The Inquirer. This crack may be good for a quick smile, but attacks of this nature are not the way to defeat SCO. Look for the inevitable "see how Linux users behave" press release in the near future.

Comments (22 posted)

New vulnerabilities

a2ps: input validation error

Package(s):

a2ps

CVE #(s):

CAN-2004-1170 CAN-2004-1377

Created:

November 26, 2004

Updated:

December 19, 2005

Description:

The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.

Alerts:

Fedora-Legacy	FLSA:152870	2005-12-17
Mandriva	MDKSA-2005:097	2005-06-07
OpenPKG	OpenPKG-SA-2005.003	2005-01-17
Gentoo	200501-02	2005-01-04
Debian	DSA-612-1	2004-12-20
Mandrake	MDKSA-2004:140	2004-11-25

LWN.net Weekly Edition for December 2, 2004

GNOME Ghostview (ggv)

kghostview

xpdf

gpdf

kpdf

Concluding notes

a2ps: input validation error

nfs-utils: denial of service

Open DC Hub: remote code execution

phpbb: input sanitizing

phpMyAdmin: cross-site scripting

phpWebSite: HTTP response splitting

sun-jre: Java plugin vulnerability

TWiki: input sanitizing

yardradius: buffer overflow

apache: arbitrary code execution

apache2: denial of service

aspell: bounds checking problem

BNC: Buffer overflow vulnerability

cdrecord: failure to drop privilege

ncompress: Buffer overflow

cyrus-imap: multiple remote vulnerabilities

cyrus-sasl: remote buffer overflow

dhcp: format string vulnerability

Filename disclosure vulnerability in fam

flim: insecure file creation

Foomatic: Arbitrary command execution in foomatic-rip

FreeRADIUS: denial of service

gaim: buffer overflow in MSN protocol

Gallery: cross-site scripting vulnerability

gtk2, gdk-pixbuf: buffer overflows

gettext: Insecure temporary file handling

ghostscript: symlink vulnerabilities

glibc: Information leak with LD_DEBUG

glibc: tempfile vulnerability in catchsegv script

gnome-vfs: backend script vulnerabilities

groff: insecure temporary directory

gtkhtml: malformed messages cause crash

gzip: insecure temporary files

imagemagick: buffer overflow vulnerability

ImageMagick: EXIF buffer overflow

imlib2: buffer overflows

iproute: local denial of service

iptables: missing initialization

kernel: vulnerabilities in the smb file system

kernel-utils: setuid vulnerability

libgd2: buffer overflows in PNG handling

libpng: multiple vulnerabilities

libxml2 - arbitrary code execution

libxml2: multiple buffer overflows

libxpm4: stack and integer overflows

logcheck: symlink vulnerability

lvm10: creates insecure temporary directory

Midnight Commander: extfs vfs vulnerability

mikmod: buffer overflow

mozilla products: arbitrary code execution and other vulnerabilities

mpg123: buffer overflow bug

mpg321: format string vulnerability

mysql: several vulnerabilities

netkit-telnet: invalid free pointer

netpbm: insecure temporary files

openssh: timing attack leads to information disclosure

openssl: der_chop script temp file vulnerability

OpenSSL: denial of service vulnerabilities

perl: insecure temp file creation

php: remotely exploitable memory errors

PostgreSQL: Insecure temporary file use in make_oidjoins_check

ProZilla: Multiple vulnerabilities

qt3: BMP image parser heap overflow

rp-pppoe, pppoe: missing privilege dropping

ruby: infinite loop

samba: remote DoS vulnerability

sharutils: arbitrary code execution

sox: buffer overflow

SpamAssassin: Denial of Service vulnerability

SquirrelMail: cross-site scripting

Subversion: Remote heap overflow

sudo: environment variable sanitizing

File overwrite vulnerability in tar and unzip