75
Malicious KDE theme can wipe out all your data (www.reddit.com)
submitted 6 months ago* (last edited 6 months ago) by wisha@lemmy.ml to c/kde@lemmy.kde.social
13 comments fedilink hide all child comments

Or is it just buggy?

all 14 comments
sorted by: hot top controversial new old
[-] possiblylinux127@lemmy.zip 14 points 6 months ago

This is why we need sandboxing. Right now the Linux desktop is still lacking in terms of security

[-] mvirts@lemmy.world 12 points 6 months ago

Great time to mention tools like testdisk that can easily recover data that has been recently deleted on common filesystems.

[-] Bro666@lemmy.kde.social 8 points 6 months ago

Not malicious. Just buggy -- a downright nasty bug, but a bug.

[-] Pantherina@feddit.de 3 points 6 months ago

Extensions need to follow standards, and be installed as non-executable files in defined categories.

Everything else has to be removed or behind a huge warning.

[-] Bro666@lemmy.kde.social 6 points 6 months ago

That is not possible. widgets and Global themes have to be able to execute code to work.

By the way: the code was not malicious, just badly written.

[-] Pantherina@feddit.de 1 points 6 months ago

Why do global themes need to do that? Arent they just color and image files, maybe audio?

It doesnt really matter if the code was malicious or not, this should not be possible.

Another example of how damn insecure linux is. Just because its not the snap store, we dont have tons of malicious addons on pling.

[-] kde@floss.social 10 points 6 months ago

@Pantherina @Bro666

That is regular themes.

_Global_ themes also modify the desktop's behavior and hence contain code to do that.

[-] Sabata11792@kbin.social 3 points 6 months ago

Reading the comments, looks like bad/old code mixed with a big update rather than anything malicious. I even ran into themes that killed my KDE last night. Had to purge the configs themes to get it working. Damn glad I didn't wipe my entire setup.

[-] Bro666@lemmy.kde.social 6 points 6 months ago

Correct. The theme creator missed a variable that is not part of the Plasma environment anymore, and instead of running

rm -Rf [something]

it run

rm -Rf

😬

[-] jaxil6@futurology.today 2 points 6 months ago

I thought wayland was supposed to improve security. Were the past 18 years a lie?

[-] Pantherina@feddit.de 13 points 6 months ago

Uhm, Wayland improves security but its just one component. Will a bash script work the same on Wayland as on XOrg? Yes.

[-] Bro666@lemmy.kde.social 7 points 6 months ago

You must have heard that old chestnut about how "the weakest security link in the security chain is the user" by now. There is nothing any technology can do if the user decides to install insecure stuff. Even before today, the KDE Store prominently displayed warnings about being careful with the content.

this post was submitted on 20 Mar 2024
75 points (100.0% liked)

KDE

5056 readers
63 users here now

KDE is an international technology team creating user-friendly free and open source software for desktop and portable computing. KDE’s software runs on GNU/Linux, BSD and other operating systems, including Windows.

Plasma 6 Bugs

If you encounter a bug, proceed to https://bugs.kde.org, check whether it has been reported.

If it hasn't, report it yourself.

PLEASE THINK CAREFULLY BEFORE POSTING HERE.

Developers do not look for reports on social media, so they will not see it and all it does is clutter up the feed.

founded 1 year ago
MODERATORS
carlschwan@lemmy.kde.social
Bro666@lemmy.kde.social
herzenschein@pawb.social
Aniqakhokhar@lemmy.kde.social