Uh oh. There's been an issue lately with Global Themes for KDE Plasma, and in at least one case it ended up wiping a user's data. The underlying problem is that KDE Global Themes can run arbitrary code, so a faulty or malicious one can do real damage to your system, and KDE is now advising users to exercise extreme caution with them.
Writing on Mastodon, the official KDE account put out a warning across multiple posts, copied below:
WARNING: Global themes and widgets created by 3rd party developers for Plasma can and will run arbitrary code. You are encouraged to exercise extreme caution when using these products.
A user has had a bad experience installing a global theme on Plasma and lost personal data.
https://www.reddit.com/r/kde/comments/1bixmbx/do_not_install_global_themes_some_wipe_out_all/
Global themes change the look of Plasma, but also the behavior. To do this they run code, and this code can be faulty, as in the case mentioned above. The same goes for widgets and plasmoids.
Continuing…
We are calling on the community to help us locate and quarantine defective software by using the "Report" buttons available on each item in the KDE Store.
Please see the attached image to locate them.
And more…
Meanwhile, KDE is taking measures to properly warn users before each download and we are also putting in place ways of auditing and curating what is uploaded to the KDE store.
https://blog.davidedmundson.co.uk/blog/kde-store-content/
Nevertheless, this will take time and resources. We recommend all users to be careful when installing and running software not provided directly by KDE or your distros.
And remember to report any faulty products you find!
As written up by David Edmundson in the blog post linked above, this specific case was not intentional but the result of "a mistake in some shell parsing". Edmundson suggests that if you have installed anything from the KDE add-on store, you give it a look over.
Quite a problem, and one that's going to need some proper long-term solutions to prevent it happening again.
This certainly isn't the first time we've seen issues with scripts nuking a Linux system, like how a Steam bug removed everything for a user back in 2015. Linux distros by default all really need more protections in place on the rm command.
Last edited by pb on 21 March 2024 at 2:21 pm UTC
We're not going to learn this lesson, are we? Ricers gotta rice.
# figure out the absolute path to the script being run a bit
# non-obvious, the ${0%/*} pulls the path out of $0, cd's into the
# specified directory, then uses $PWD to figure out where that
# directory lives - and all this in a subshell, so we don't affect
# $PWD
STEAMROOT="$(cd "${0%/*}" && echo $PWD)"
[...]
# Scary!
rm -rf "$STEAMROOT/"*
Steam used to do this too, back in early 2015. (For the uninitiated, if $STEAMROOT somehow winds up being unset, this is literally Steam running `rm -rf /*`.)
https://github.com/ValveSoftware/steam-for-linux/issues/3671
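The Steam snippet quoted above and the "more protections on rm" point in the article are the same failure class: a path variable that silently becomes empty, so that "$STEAMROOT/"* expands to /* and rm -rf does the rest. The script below is an editor-added example, not code from the article, the commenter, Valve or KDE, and it does not reproduce the actual KDE theme script (the page only says it was "a mistake in some shell parsing"). It shows what the unsafe expansion hands to rm, a root-resolving function that fails instead of returning an empty string, and a deletion routine with the guards a practitioner would want. The marker file name `.steam_root_marker` is this example's own convention, and the only directory it ever touches is one created with mktemp.

```shell
#!/bin/sh
# Added example (not from the article, KDE, or Valve): the unset-variable
# failure mode behind rm -rf "$STEAMROOT/"* and the guards a script that
# must delete a directory's contents should carry. Only a mktemp scratch
# directory is ever written to or removed.

# Abort on error and, crucially, on any reference to an unset variable:
# with set -u, "$STEAMROOT/"* stops the script instead of becoming /*.
set -eu

# Returns the literal argument that `rm -rf "$1/"*` would have received.
# Globbing is switched off in the subshell so the pattern is printed as-is
# instead of being expanded against the real filesystem.
unsafe_expansion() {
    ( set -f; printf '%s' "$1/"* )
}

# Resolves the directory containing the script path given as $1 (what the
# Steam snippet did with "${0%/*}"), but fails with a non-zero status instead
# of yielding an empty string when that directory cannot be determined or entered.
resolve_root() {
    dir=${1%/*}
    if [ "$dir" = "$1" ]; then
        # No slash in the path: the script was found via PATH, so its
        # directory is unknown. Refuse rather than guess.
        echo "cannot determine script directory from '$1'" >&2
        return 2
    fi
    # A script living directly under / leaves dir empty; make that explicit.
    [ -n "$dir" ] || dir=/
    ( cd -- "$dir" 2>/dev/null && pwd -P )
}

# Deletes the (non-hidden) contents of $1 only after checking that it is a
# plausible target. The marker file name is this example's own convention:
# it proves the directory really is the install root and not, say, $HOME.
MARKER=.steam_root_marker

safe_rm_contents() {
    root=$1
    # Guard 1: an empty root is exactly the case that turned into /*.
    [ -n "$root" ] || { echo "refusing: root is empty" >&2; return 2; }
    # Guard 2: absolute path, and never the filesystem root itself.
    case $root in
        /)  echo "refusing: root is /" >&2; return 2 ;;
        /*) ;;
        *)  echo "refusing: root is not absolute: $root" >&2; return 2 ;;
    esac
    # Guard 3: it must exist and carry the marker we expect.
    [ -d "$root" ] || { echo "refusing: not a directory: $root" >&2; return 2; }
    [ -f "$root/$MARKER" ] || { echo "refusing: $root has no $MARKER" >&2; return 2; }
    # Only now delete. "--" stops rm from reading an entry that starts with "-"
    # as an option; the glob leaves dotfiles (including the marker) alone.
    rm -rf -- "$root"/*
}

# Demonstration on a scratch directory.
demo() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/steam"
    : > "$scratch/steam/steam.sh"
    echo "with an empty root, rm would have been given: $(unsafe_expansion "")"
    root=$(resolve_root "$scratch/steam/steam.sh")
    echo "resolved root: $root"
    safe_rm_contents "$root" || echo "refused: no marker present (expected)"
    : > "$root/$MARKER"
    safe_rm_contents "$root" && echo "cleaned $root after the marker check passed"
    rm -rf -- "$scratch"
}
demo
```

The three guards are deliberately redundant: `set -u` catches a variable that was never assigned, the empty-string and `/` checks catch one that was assigned the result of a failed command substitution (the Steam case), and the marker check catches the subtler case where the path is non-empty and exists but is simply the wrong directory.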
Quoting: pb
That reminds me of that one time when I wrote a little script for myself to rename photos based on EXIF data, and a friend wanted me to share it, so I did, and he used it in a slightly different way and lost a bunch of photos. Sharing is caring, but trust no one.
Have to say here: krename is great!
Quoting: Pengling
Oh yikes... Remember to always keep up-to-date backups, folks!
Every command that can print can also overwrite contents with a simple redirection from stdout to a file, not to mention mv, cp, rsync... whatever.
Why on earth a global theme can execute arbitrary shell commands is my first concern.
Last edited by kokoko3k on 21 March 2024 at 6:43 pm UTC
Quoting: Interknet
Remember when we used to reiterate the importance of reading code that you download online? Just me?
People don't expect that downloading what is just a new look will execute random code. No one should have to go and fully inspect everything they download; the OS needs safeguards, which here are clearly lacking.