Don't want to see articles from a certain category? When logged in, go to your User Settings and adjust your feed in the Content Preferences section where you can block tags!
We do often include affiliate links to earn us some pennies. See more here.

3rd party KDE Plasma Global Themes and Widgets can lead to data loss

By - | Views: 39,312

Uh oh. Seems there's been an issue lately with Global Themes for KDE, which has ended up causing a total wipe of data. The issue is that KDE Global Themes can run arbitrary code, so they can really mess with your system, so you're advised not to use them.

Writing on Mastodon the official KDE account put out a warning across multiple posts copied below:

WARNING: Global themes and widgets created by 3rd party developers for Plasma can and will run arbitrary code. You are encouraged to exercise extreme caution when using these products.

A user has had a bad experience installing a global theme on Plasma and lost personal data.

https://www.reddit.com/r/kde/comments/1bixmbx/do_not_install_global_themes_some_wipe_out_all/

Global themes change the look of Plasma, but also the behavior. To do this they run code, and this code can be faulty, as in the case mentioned above. The same goes for widgets and plasmoids.

Continuing…

We are calling on the community to help us locate and quarantine defective software by using the "Report" buttons available on each item in the KDE Store.

https://store.kde.org

Please see the attached image to locate them.

And more…

Meanwhile, KDE is taking measures to properly warn users before each download and we are also putting in place ways of auditing and curating what is uploaded to the KDE store.

https://blog.davidedmundson.co.uk/blog/kde-store-content/

Nevertheless, this will take time and resources. We recommend all users to be careful when installing and running software not provided directly by KDE or your distros.

And remember to report any faulty products you find!

As written up by David Edmundson in the blog link above, this specific case was not intentional but as a result of "a mistake in some shell parsing". Edmundson suggests that if you have used the KDE addon store give it a look over.

Quite a problem, that's going to need some proper long-term solutions to prevent this happening again.

This certainly isn't the first time we've seen issues with scripts nuking a Linux system. Like how a Steam bug removed everything for a user back in 2015. Linux distros by default all really need more protections in place on the rm command.

Article taken from GamingOnLinux.com.
14 Likes
About the author -
author picture
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly came back to check on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. Find me on Mastodon.
See more from me
28 comments
Page: 1/3»
  Go to:

pb Mar 21
That reminds of that one time when I wrote a little script for myself to rename photos based on exif data, and a friend wanted me to share it, so I did, and he used it in a slightly different way and lost a bunch of photos. Sharing is caring, but trust no one.


Last edited by pb on 21 March 2024 at 2:21 pm UTC
dpanter Mar 21
Like always, the fastest way to wreck your KDE system is messing with themes.
We're not going to learn this lesson, are we? Ricers gotta rice.
bisbyx 9 years Mar 21
 
  # figure out the absolute path to the script being run a bit
  # non-obvious, the ${0%/*} pulls the path out of $0, cd's into the
  # specified directory, then uses $PWD to figure out where that
  # directory lives - and all this in a subshell, so we don't affect
  # $PWD
  STEAMROOT="$(cd "${0%/*}" && echo $PWD)"
  [...]
  # Scary!
  rm -rf "$STEAMROOT/"*


Steam used to do this too, back in early 2015. (For the uninitiated, if $STEAMROOT somehow winds up being unset, this is literally steam running `rm -rf /*`

https://github.com/ValveSoftware/steam-for-linux/issues/3671
Pengling Mar 21
View PC info
  • Supporter
Oh yikes... Remember to always keep up-to-date backups, folks!
Eike Mar 21
View PC info
  • Supporter Plus
Quoting: pbThat reminds of that one time when I wrote a little script for myself to rename photos based on exif data, and a friend wanted me to share it, so I did, and he used it in a slightly different way and lost a bunch of photos. Sharing is caring, but trust no one.

Have to say here: krename is great!
pb Mar 21
Quoting: PenglingOh yikes... Remember to always keep up-to-date backups, folks!

kokoko3k Mar 21
You can't protect yourself by just blaming the rm command.
Every command that can print can also overwrite contents with a simple redirection from stdout to a file, not to mention mv, cp, rsync... whatever.

Why on earth a global theme can execute arbitrary shell commands is my first concern.


Last edited by kokoko3k on 21 March 2024 at 6:43 pm UTC
Interknet Mar 21
Remember when we used to reiterate the importance of reading code that you download online? Just me?
Liam Dawe Mar 21
Quoting: InterknetRemember when we used to reiterate the importance of reading code that you download online? Just me?
People don't expect that downloading what is a new look, will execute random code. No one should have to go and fully inspect everything they download, the OS needs safeguards which here are clearly lacking.
While you're here, please consider supporting GamingOnLinux on:

Reward Tiers: Patreon. Plain Donations: PayPal.

This ensures all of our main content remains totally free for everyone! Patreon supporters can also remove all adverts and sponsors! Supporting us helps bring good, fresh content. Without your continued support, we simply could not continue!

You can find even more ways to support us on this dedicated page any time. If you already are, thank you!
Login / Register


Or login with...
Sign in with Steam Sign in with Google
Social logins require cookies to stay logged in.