• rtxn@lemmy.worldM · 93 up · edited · 8 months ago

    For those not in the know: Aussie man explains. A KDE Plasma 6 global theme deleted a user’s files. Global themes may contain arbitrary JavaScript code, and a bug (using a library written for Plasma 5) caused it to essentially run rm -rf /*, Steam-style. KDE have since removed the theme and are considering next steps to warn the user that the “official” KDE store contains user-submitted content, and that some addons may contain potentially dangerous code.

    • KuroeNekoDemon@sh.itjust.worksOP · 30 up · edited · 8 months ago

      I still remember that video I watched where a line in the Steam code back in the day was titled SCARY!!! and it was rm -rf $STEAMROOT. This nuked a guy’s computer because, short answer, $STEAMROOT was actually / (root); long answer, here’s the video. This nuked both his PC and his external drive. That is some pretty bad code, but this JavaScript code is up there.

      • rtxn@lemmy.worldM · 31 up · 8 months ago

        That’s the issue I linked. The problem was that at some point a script executed rm -rf "$STEAMROOT/*", but did not make sure that $STEAMROOT was set. If for some reason it was empty, the path became /* after substitution.
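The failure mode rtxn describes, as an added shell example that is not from the thread or from Valve's script: the unset-variable expansion beside a guarded helper that refuses to run when the root is empty, is the filesystem root, or is not a directory. The names unsafe_target and safe_remove_contents are assumed for illustration, and the glob is assumed to sit outside the quotes so the shell expands it.

```shell
#!/bin/sh
# Added example, not from the thread or from Valve's script.
# unsafe_target and safe_remove_contents are hypothetical helper names.

# Builds the path the original pattern would hand to rm, without running rm.
# With STEAMROOT unset or empty, "$STEAMROOT"/* becomes /* after expansion.
unsafe_target() {
    STEAMROOT="$1"
    printf '%s\n' "$STEAMROOT"/'*'
}

# Guarded replacement. Returns 2 (and deletes nothing) on any refusal.
# DRY_RUN defaults to 1 so the helper only prints what it would run.
safe_remove_contents() {
    root="${1-}"
    # Guard 1: an unset or empty root is exactly the bug above; refuse it.
    # (A one-liner alternative is "${STEAMROOT:?STEAMROOT unset}", which
    # aborts the script instead of silently expanding to "".)
    if [ -z "$root" ]; then
        echo "refusing: root is empty" >&2
        return 2
    fi
    # Guard 2: never treat the filesystem root as a cleanable directory.
    case "$root" in
        /|//) echo "refusing: root is /" >&2; return 2 ;;
    esac
    # Guard 3: the root must already exist as a directory.
    if [ ! -d "$root" ]; then
        echo "refusing: $root is not a directory" >&2
        return 2
    fi
    # Only after all guards pass is anything removed. "--" stops rm from
    # reading a root that starts with "-" as an option.
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'would run: rm -rf -- %s/*\n' "$root"
    else
        rm -rf -- "$root"/*
    fi
    return 0
}

# Stand-alone demonstration: show the dangerous expansion, then the guard.
echo "unsafe expansion with empty STEAMROOT: $(unsafe_target "")"
safe_remove_contents "" || echo "guard fired (exit $?)"
```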

  • Possibly linux@lemmy.zip · 29 up · 8 months ago

    Gottem

    Seriously though, we need to work on improving security. A theme probably shouldn’t be running code, and if it is, it needs to be sandboxed with its only access being an API.

      • Kusimulkku@lemm.ee · 2 up · 8 months ago

        I know I’m late with this, but it’s not just a theme. It’s a global theme. Those need to run code, so they really can’t be sandboxed the same way a regular theme can be.

  • EndHD@lemm.ee · 12 up · 8 months ago

    Is this the reason Bleeping Computer made that article about malicious KDE themes? I saw it in my feed but didn’t think much of it.

  • Norgur@fedia.io · 5 up / 39 down · 8 months ago

    Make this go away. Malicious “jokes” like this one do not deserve any clout.

      • XEAL@lemm.ee · 57 up / 2 down · 8 months ago

        rm: sense_of_humor.bin: No such file or directory

        • Andonno@lemmy.world · 36 up / 1 down · 8 months ago

          Changelog: Hi, guys. So you probably noticed that I pulled the humour repo. Short answer is it was conflicting with everything, and I don’t have the time or energy to fix it. My advice is to remove humour from your dependencies and purge it from the system.

          Sorry, I know how important humour is to some of you. If anyone wants to take up maintenance of the repo, I can mail you the terabytes of error logs you need to sort through.

    • cm0002@lemmy.world · 9 up / 1 down · 8 months ago

      I wasn’t originally going to upvote this post because of laziness, but your comment inspired me to, lmao.