
Uh oh. There's been an issue lately with Global Themes for KDE that has ended up causing a total wipe of a user's data. The underlying problem is that KDE Global Themes can run arbitrary code, so they can really mess with your system, and you're advised not to use them.

Writing on Mastodon, the official KDE account put out a warning across multiple posts, copied below:

WARNING: Global themes and widgets created by 3rd party developers for Plasma can and will run arbitrary code. You are encouraged to exercise extreme caution when using these products.

A user has had a bad experience installing a global theme on Plasma and lost personal data.

https://www.reddit.com/r/kde/comments/1bixmbx/do_not_install_global_themes_some_wipe_out_all/

Global themes change the look of Plasma, but also the behavior. To do this they run code, and this code can be faulty, as in the case mentioned above. The same goes for widgets and plasmoids.

Continuing…

We are calling on the community to help us locate and quarantine defective software by using the "Report" buttons available on each item in the KDE Store.

https://store.kde.org

Please see the attached image to locate them.

And more…

Meanwhile, KDE is taking measures to properly warn users before each download and we are also putting in place ways of auditing and curating what is uploaded to the KDE store.

https://blog.davidedmundson.co.uk/blog/kde-store-content/

Nevertheless, this will take time and resources. We recommend all users to be careful when installing and running software not provided directly by KDE or your distros.

And remember to report any faulty products you find!

As written up by David Edmundson in the blog linked above, this specific case was not intentional but the result of "a mistake in some shell parsing". Edmundson suggests that if you have used the KDE add-on store, you should give it a look over.

Quite a problem, and one that's going to need some proper long-term solutions to prevent it happening again.

This certainly isn't the first time we've seen issues with scripts nuking a Linux system, like when a Steam bug removed everything for a user back in 2015. Linux distros by default really need more protections in place around the rm command.

Article taken from GamingOnLinux.com.

pb Mar 21
That reminds me of that one time when I wrote a little script for myself to rename photos based on exif data, and a friend wanted me to share it, so I did, and he used it in a slightly different way and lost a bunch of photos. Sharing is caring, but trust no one.


Last edited by pb on 21 March 2024 at 2:21 pm UTC
dpanter Mar 21
Like always, the fastest way to wreck your KDE system is messing with themes.
We're not going to learn this lesson, are we? Ricers gotta rice.
bisbyx Mar 21
 
  # figure out the absolute path to the script being run a bit
  # non-obvious, the ${0%/*} pulls the path out of $0, cd's into the
  # specified directory, then uses $PWD to figure out where that
  # directory lives - and all this in a subshell, so we don't affect
  # $PWD
  STEAMROOT="$(cd "${0%/*}" && echo $PWD)"
  [...]
  # Scary!
  rm -rf "$STEAMROOT/"*


Steam used to do this too, back in early 2015. (For the uninitiated, if $STEAMROOT somehow winds up being unset, this is literally Steam running `rm -rf /*`.)

https://github.com/ValveSoftware/steam-for-linux/issues/3671
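A guarded version of the `rm -rf "$STEAMROOT/"*` pattern quoted above, added here as an example (it is not code from the Steam script, from KDE, or from the commenter). It assumes the install root is passed in explicitly and that a known marker file lives inside it; an empty, relative, non-existent or `/` root makes the function fail closed instead of the glob expanding to `/*`.

```shell
#!/bin/sh
# Added example: validate a directory before wiping its contents, so that an
# empty or unset variable (the failure the commenter describes) cannot turn
# "$ROOT/"* into /*.  Assumed names: safe_root_or_fail, wipe_contents and the
# marker-file convention are all hypothetical, not part of any real project.

# safe_root_or_fail ROOT MARKER
# Prints the validated, slash-stripped root on stdout and returns 0, or
# prints a reason on stderr and returns 1. Deletes nothing itself.
safe_root_or_fail() {
  root=$1
  marker=$2
  case "$root" in
    "")  echo "refusing: root is empty (would expand to /*)" >&2; return 1 ;;
    /)   echo "refusing: root is /" >&2; return 1 ;;
    /*)  ;;   # absolute path: continue with the remaining checks
    *)   echo "refusing: root is not absolute: $root" >&2; return 1 ;;
  esac
  root=${root%/}   # drop a trailing slash so "$root/"* never becomes "//*"
  [ -d "$root" ] || { echo "refusing: not a directory: $root" >&2; return 1; }
  [ -e "$root/$marker" ] || {
    echo "refusing: marker $marker missing in $root" >&2; return 1; }
  printf '%s\n' "$root"
}

# wipe_contents ROOT MARKER
# The guarded replacement for the "Scary!" line: only removes the children of
# ROOT after every check above has passed. ${root:?} is a second safety net:
# if root were somehow empty the shell aborts instead of expanding it to "".
wipe_contents() {
  root=$(safe_root_or_fail "$1" "$2") || return 1
  rm -rf -- "${root:?}/"*
}
```

Like the original glob, `"$root/"*` does not match dotfiles, so a dotfile marker survives the wipe and can be used to re-validate the directory later.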
Pengling Mar 21
Oh yikes... Remember to always keep up-to-date backups, folks!
Eike Mar 21
Quoting: pb: That reminds me of that one time when I wrote a little script for myself to rename photos based on exif data, and a friend wanted me to share it, so I did, and he used it in a slightly different way and lost a bunch of photos. Sharing is caring, but trust no one.

Have to say here: krename is great!
pb Mar 21
Quoting: Pengling: Oh yikes... Remember to always keep up-to-date backups, folks!

kokoko3k Mar 21
You can't protect yourself by just blaming the rm command.
Every command that can print can also overwrite contents with a simple redirection from stdout to a file, not to mention mv, cp, rsync... whatever.

Why on earth a global theme can execute arbitrary shell commands is my first concern.


Last edited by kokoko3k on 21 March 2024 at 6:43 pm UTC
Interknet Mar 21
Remember when we used to reiterate the importance of reading code that you download online? Just me?
Liam Dawe Mar 21
Quoting: Interknet: Remember when we used to reiterate the importance of reading code that you download online? Just me?
People don't expect that downloading what is a new look will execute random code. No one should have to go and fully inspect everything they download; the OS needs safeguards, which here are clearly lacking.
akselmo Mar 21
Before anyone goes "curate the store" then I need to ask you: With what resources? Are you going to do it? There's really not enough people to curate the place considering how much stuff gets uploaded there. If you're willing to help then that would be awesome though!

Second, "just remove the thing" is also something that, yes, is the obvious way, but then people will complain nothing works anymore.

Personally I was not even aware global themes can do this, but as far as I know, it should be only global themes and maybe widgets that can run stuff.

The whole thing needs improvement, that's for sure.

Edit: If I were to be the ultimate dictator of Linux systems, I would just make rm commands ask confirmation and break everyone's shell scripts. ;P


Last edited by akselmo on 21 March 2024 at 5:17 pm UTC
Samsai Mar 21
Changing things so that the global themes cannot do this kind of damage would probably demand pretty drastic changes to the theming and widget systems on KDE. It's worth noting too that installing GNOME Extensions is similarly dangerous in that extensions also have access to the user files and whatnot.

It might be possible to sandbox these things, but that will inevitably lead to these systems becoming less flexible and that will result in complaints about KDE and GNOME restricting user freedom or whatever. Maybe that'll still be worth it for themes but for widgets that'll get pretty tricky.

I guess what they can do fairly easily is more clearly communicate that a theme can run arbitrary code and you shouldn't trust just any theme, widget or extension out there. And then users also need to obey the warning.
Lofty Mar 21
Quoting: Samsai: Changing things so that the global themes cannot do this kind of damage would probably demand pretty drastic changes to the theming and widget systems on KDE. It's worth noting too that installing GNOME Extensions is similarly dangerous in that extensions also have access to the user files and whatnot.

It might be possible to sandbox these things, but that will inevitably lead to these systems becoming less flexible and that will result in complaints about KDE and GNOME restricting user freedom or whatever. Maybe that'll still be worth it for themes but for widgets that'll get pretty tricky.

I guess what they can do fairly easily is more clearly communicate that a theme can run arbitrary code and you shouldn't trust just any theme, widget or extension out there. And then users also need to obey the warning.

Thankfully, unlike the GNOME desktop, KDE Plasma 5 and now 6 are so complete out of the box with regard to desktop functionality (i.e. they operate like a traditional desktop) that adding a glut of plugins is not required. I have GNOME running too on another machine and I need at least around 10 extensions to get it to where I want it! And they break on every release without fail. I know there are many GNOME users with more than that.

On Plasma I have two right now: an 'update notifier' (only because so far the Arch update notifier doesn't seem to work with Plasma 6, but I'm sure that will be rectified soon) and the fuzzy clock thing for the desktop because... I like it.

So I'd say if you're wanting that stability (not security, as there are like a million other vectors, like Flatpak for instance) but a functioning desktop, then you can get by with KDE Plasma much more easily without adding anything.

Checking your PC info reveals you are a GNOME user, and as such there is a chance that you're in the 'I don't need any extensions' category, but from what I have seen lots of GNOME users do.


Last edited by Lofty on 21 March 2024 at 7:01 pm UTC
kokoko3k Mar 21
Quoting: Liam Dawe
Quoting: Interknet: Remember when we used to reiterate the importance of reading code that you download online? Just me?
People don't expect that downloading what is a new look will execute random code. No one should have to go and fully inspect everything they download; the OS needs safeguards, which here are clearly lacking.
The Linux OS ecosystem has that; it was almost born with it. It is called a "distribution".

Then someone sensed a problem and found the wrong cure for it: the stores, wild places where everyone can put stuff with a disclaimer that you are responsible for what you download; yours is the need to check.

So I simply prefer to stay with my distro: no Flatpak, no Snap stores and so on.
Samsai Mar 21
Quoting: Lofty: Checking your pc info reveals you are a gnome user and as such i expect 'i don't need any extensions' kind of reply but from what i have seen lots of gnome users do.
Actually my response is that I don't care about the flame war. How much you need to customize your DE isn't really the point of the article, the point of the article is that customizing your DE with third-party extensions, regardless of how much or how little you feel like you need to do it, exposes you to the risk of poorly written or malicious third-party code.

My comment was simply that, while the specific problem that the article was about could possibly be solved, albeit with significant amounts of work, a similar problem can happen with GNOME extensions too, and that solving the problem comes with caveats that some people might not find palatable.
STiAT Mar 21
There is always risk involved. Community stuff is even more risky, but even in properly team-maintained software it happened that somebody could slip in risky stuff.

Glad to see they are looking into a curating/review process, but that will cost a ... lot of manpower, which is sad that people will be spending their time to try to eliminate bad actors.
Lofty Mar 21
Quoting: Samsai
Quoting: Lofty: Checking your pc info reveals you are a gnome user and as such i expect 'i don't need any extensions' kind of reply but from what i have seen lots of gnome users do.
Actually my response is that I don't care about the flame war. How much you need to customize your DE isn't really the point of the article, the point of the article is that customizing your DE with third-party extensions, regardless of how much or how little you feel like you need to do it, exposes you to the risk of poorly written or malicious third-party code.

My comment was simply that, while the specific problem that the article was about could possibly be solved, albeit with significant amounts of work, a similar problem can happen with GNOME extensions too, and that solving the problem comes with caveats that some people might not find palatable.

I have no idea what a flame war is with regard to a desktop environment, but I'm assuming it involves flamethrowers running the Linux kernel.

Perhaps you misunderstood the post, which is: if you want to avoid catastrophes such as this but still want tonnes of out-of-the-box theming possibilities and a complete desktop without needing a large amount of un-vetted 3rd party extensions, then KDE Plasma is a better fit than GNOME. Probably always will be. Then again, it's up to each person to use what they feel comfortable with for their workflow.

That said, it's not really a controversial opinion that GNOME is way too wacky for most people arriving as Windows refugees; there is also a reason why Valve use it for the Steam Deck.


Last edited by Lofty on 22 March 2024 at 2:50 am UTC
redneckdrow Mar 21
I would like to point out that no one is immune from an id-10t or PEBCaK error. I have at least three a week!

Still, this is why you read scripts. You shouldn't have to browse the whole thing, or know anything about the language used (God knows I don't), to spot something nefarious/dumb. Shell scripts especially. If arbitrary code can be run, it will.

I'm reminded of the time some script-kiddie posted an Acrobat Reader PKGBUILD that literally contained a download for a malicious script just by changing the URL. Literally anyone could have caught that just by reading the diff. It doesn't take a genius to see through that.

But, as for a whole source tree for a complex theme, program, or add-on? To heck with that! There really should be safeguards in place. For example, part of the problem no one talks about is the fact that most DEs don't automatically disallow extensions that have ancient code that hasn't been updated in years. This can, at minimum, result in a broken system. Built-in expiration dates might help.

Plasma is far from the only DE with problems in regard to add-ons/themes/extensions/Et cetera. Literally every desktop that supports customization on any OS ever has the same trouble.

There has to be some way to limit it without limiting the end user too much. Here's looking at you, GNOME devs, I'm still sore about you relegating desktop icons to a blasted extension! What's the point of an empty desktop? Why even use a DE at that point, instead of just a window manager, if you want that?
Lofty Mar 21
Quoting: redneckdrow: There has to be some way to limit it without limiting the end user too much. Here's looking at you, GNOME devs, I'm still sore about you relegating desktop icons to a blasted extension! What's the point of an empty desktop? Why even use a DE at that point, instead of just a window manager, if you want that?

Agreed, this was my exact point above.

The more complete a desktop is for the average everyday user, the less need for a copious amount of un-vetted extensions.


Last edited by Lofty on 21 March 2024 at 10:06 pm UTC
raughboy188 Mar 21
Until the issue with global themes is resolved, the way I see it, at least for those of us who know Linux commands, is to pop open every text file before a theme is activated and search for the rm command, and see how it is configured and what it actually affects. It seems as if the rm command is configured to remove the theme from the system if you want to get rid of a global theme, so it would be a good idea to check out the target of the rm command, because it seems it will only kick in if you uninstall the theme. This is how I see the issue with data loss due to wrong configuration.