For those not in the know: aussie man explains. A KDE Plasma 6 global theme deleted a user’s files. Global themes may contain arbitrary Javascript code, and a bug (using a library written for Plasma 5) caused it to essentially run
rm -rf /*
, Steam-style. KDE have since removed the theme and are considering next steps to warn the user that the “official” KDE store contains user-submitted content, and that some addons may contain potentially dangerous code.I still remember that video I watched where a line in the Steam code back in the day was titled SCARY!!! and it was rm -rf $STEAMROOT. This nuked a guy’s computer because short answer $STEAMROOT was actually / root, long answer here’s the video. This nuked both his PC and his external drive that is some pretty bad code but this JavaScript code is up there
That’s the issue I linked. The problem was that at some point a script executed
rm -rf "$STEAMROOT/*"
, but did not make sure that$STEAMROOT
was set. If for some reason it was empty, the path became/*
after substitution.So would it be funny if I made a meme like this except it was with the trojan horse meme template? I kinda want to
Gottem
Seriously though we need to work on improving security. A theme probably shouldn’t be running code and if it is it needs to be sandboxed with its only access being an API
It’s kind of horrifying nobody thought that through. What else did they fail to think about?
I know I’m late with this but it’s not just a theme. It’s a global theme. Those need to run code, so they really can’t be sandboxed the same way a regular theme can be
Why do themes need to run code?
Real “What does God need with a starship?” energy.
They shouldnt. At least use some kind of super locked down API if you’re gonna let people use javascript of all things in your theming system god damn
Actually I’m pretty sure C would be much worse
Well, you can literally create a C program in bash using themes, compile and execute it.
So they can include cool features like auto debloating /home/
Setting themes do mant things and they are not like adding a colorscheme or so. Like there are tweaks that comes wuth themes which needs shell access to heavily modify the desktop
People in one of the other threads were speculating that it is widgets, or one theme that is able to do multiple configurations. Really should be containerized or something, tho.
Theme applied successfully!
Yeah, shouldn’t it say something like “ha ha get fucked”?
is this the reason Bleeping Computer made that article about malicious KDE themes? i saw it in my feed but didn’t think much of it
Fucking CJS. Please use ESM to delete all my files 🙏
Make this go away. Malicious “jokes” like this one do not deserve any clout.
rm -f sense_of_humor.bin
rm: sense_of_humor.bin: No such file or directory
Changelog: Hi, guys. So you probably noticed that I pulled the humour repo. Short answer is it was conflicting with everything, and I don’t have the time or energy to fix it. My advice is to remove humour from your dependancies and purge it from the system.
Sorry, I know how important humour is to some of you. If anyone wants to take up maintenance of the repo, I can mail you the terabytes of error logs you need to sort through.
rm -rf $SENSE_OF_HUMOR/*
I wasn’t originally going to up vote this post because of laziness, but your comment inspired me to lmao