Confused on Steam Play and Proton? Be sure to check out our guide.
We do often include affiliate links to earn us some pennies. See more here.

Uh oh. Seems there's been an issue lately with Global Themes for KDE, which has ended up causing a total wipe of data. The issue is that KDE Global Themes can run arbitrary code, so they can really mess with your system, so you're advised not to use them.

Writing on Mastodon the official KDE account put out a warning across multiple posts copied below:

WARNING: Global themes and widgets created by 3rd party developers for Plasma can and will run arbitrary code. You are encouraged to exercise extreme caution when using these products.

A user has had a bad experience installing a global theme on Plasma and lost personal data.

https://www.reddit.com/r/kde/comments/1bixmbx/do_not_install_global_themes_some_wipe_out_all/

Global themes change the look of Plasma, but also the behavior. To do this they run code, and this code can be faulty, as in the case mentioned above. The same goes for widgets and plasmoids.

Continuing…

We are calling on the community to help us locate and quarantine defective software by using the "Report" buttons available on each item in the KDE Store.

https://store.kde.org

Please see the attached image to locate them.

And more…

Meanwhile, KDE is taking measures to properly warn users before each download and we are also putting in place ways of auditing and curating what is uploaded to the KDE store.

https://blog.davidedmundson.co.uk/blog/kde-store-content/

Nevertheless, this will take time and resources. We recommend all users to be careful when installing and running software not provided directly by KDE or your distros.

And remember to report any faulty products you find!

As written up by David Edmundson in the blog link above, this specific case was not intentional but as a result of "a mistake in some shell parsing". Edmundson suggests that if you have used the KDE addon store give it a look over.

Quite a problem, that's going to need some proper long-term solutions to prevent this happening again.

This certainly isn't the first time we've seen issues with scripts nuking a Linux system. Like how a Steam bug removed everything for a user back in 2015. Linux distros by default all really need more protections in place on the rm command.

Article taken from GamingOnLinux.com.
14 Likes
About the author -
author picture
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly checked on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly.
See more from me
28 comments
Page: «2/2
  Go to:

Pengling Mar 21
Quoting: redneckdrowHere's looking at you, GNOME devs, I'm still sore about you relegating desktop icons to a blasted extension! What's the point of an empty desktop?
My computing background is part-Mac (10.3 was where I learned my *nix basics), so I really like an empty desktop. But Xfce lets me have that with a simple toggle - it should never be missing from the desktop-environment entirely, because I know that weirdies like me are a tiny minority!
Lofty Mar 21
Quoting: Pengling
Quoting: redneckdrowHere's looking at you, GNOME devs, I'm still sore about you relegating desktop icons to a blasted extension! What's the point of an empty desktop?
My computing background is part-Mac (10.3 was where I learned my *nix basics), so I really like an empty desktop. But Xfce lets me have that with a simple toggle - it should never be missing from the desktop-environment entirely, because I know that weirdies like me are a tiny minority!

well my desktop is mostly empty. but sometimes just before bed ( usually waay too late ) i remember something and place a text file on the desktop for the next day.

could i add it to some note taking app ? Sure
could i add it to the calendar ? Sure

But .. can i be bothered, and are the above as immediately visible as a file splat right in front of me saying " Remember to do this thing 11!!1 today " (that took 2 seconds to make & 2 seconds to delete)

(same applies if i install a game and want a reminder what i did with a desktop icon temporarily)

desktop notes, icons or even widgets are not really needed i guess.. although it is nice to see my Ryzen stretching it's legs with a Core usage widget when compiling some shaders for an emulator like RPCS3 in real time.. or sometimes realizing a single core is locked at 100% on the flatpak that pretended to quit but actually didn't .....

yea icons and widgets can be real useful at times.


Last edited by Lofty on 21 March 2024 at 10:53 pm UTC
ShabbyX Mar 22
Quoting: SamsaiIt might be possible to sandbox these things, but that will inevitably lead to these systems becoming less flexible and that will result in complaints about KDE and GNOME restricting user freedom or whatever. Maybe that'll still be worth it for themes but for widgets that'll get pretty tricky.

That's _exactly_ what they should be doing. Most people can live inside a browser (sandbox) for the entire time they use a computer, there's little reason to believe a sandbox would make some things impossible for a widget.
Shmerl Mar 22
Sounds like they need to sandbox / sanitize that somehow or better audit and sanitize. That's a pretty major security hole.

Such as simply restrict access for that running code to only very specific areas that are relevant to it. So it won't be able to go on rampage on your data.


Last edited by Shmerl on 22 March 2024 at 3:41 am UTC
const Mar 22
Quoting: pbThat reminds of that one time when I wrote a little script for myself to rename photos based on exif data, and a friend wanted me to share it, so I did, and he used it in a slightly different way and lost a bunch of photos. Sharing is caring, but trust no one.

Haha, I made such an script recently and luckily had a backup :D
Eike Mar 22
View PC info
  • Supporter Plus
Quoting: Pengling
Quoting: redneckdrowHere's looking at you, GNOME devs, I'm still sore about you relegating desktop icons to a blasted extension! What's the point of an empty desktop?
My computing background is part-Mac (10.3 was where I learned my *nix basics), so I really like an empty desktop. But Xfce lets me have that with a simple toggle - it should never be missing from the desktop-environment entirely, because I know that weirdies like me are a tiny minority!

I do like the desktop metaphor. Having a computer desktop that's not able to hold some files is like having a table desktop that's not able to hold my pencil and some papers. (My humble, of course.)

Then of course, both the computer and the table desktop tend to hold more than some things while time goes by... And in my observation, people having a mess on the computer desktop are the same that have a mess on their real one. :D


Last edited by Eike on 22 March 2024 at 1:21 pm UTC
const Mar 22
Quoting: Eike
Quoting: Pengling
Quoting: redneckdrowHere's looking at you, GNOME devs, I'm still sore about you relegating desktop icons to a blasted extension! What's the point of an empty desktop?
My computing background is part-Mac (10.3 was where I learned my *nix basics), so I really like an empty desktop. But Xfce lets me have that with a simple toggle - it should never be missing from the desktop-environment entirely, because I know that weirdies like me are a tiny minority!

I do like the desktop metaphor. Having a computer desktop that's not able to hold some files is like having a table desktop that's not able to hold my pencil and some papers. (My humble, of course.)

Then of course, both the computer and the table desktop tend to hold more than some things while time goes by... And in my observation, people having a mess on the computer desktop are the same that have a mess on their real one. :D
I currently have a small mess on my real desktop, but my virtual one is slick and clean
RedWyvern Mar 24
I'll crost-post the comment I left on Brodie Robertson's video here, given the relevancy and greater persistence of a forum like this:
QuoteWhile the name "global theme" is a major part of the problem, the way it can also completely overwrite the desktop layout if this checkmark is set makes obvious that a global theme does a lot more than just change some CSS and colours.
Perhaps another checkmark with "allow executing code" can be added to this popup before enabling the theme, blocking the added plasmoids and arbitrary code if not enabled.
Along with a rebrand, like how Minecraft renamed it's Texture Packs to Resource Packs as they added model and sound support, to reflect their actual abilities.

This has made me aware to that I should be careful with them, having stuck to my distro's included global theme and using the separate Style configurations to tweak/rice it to my liking.
Which has let me achieve what I want fully in Plasma 5, though currently changing these settings have been broken for me in Plasma 6, so I've been sticking to my mostly functional but lightly borked old Plasma 5 themes.

Plasmoids executing arbitrary code was obvious to me, especially with how Windows supposedly removed them over concerns over malicious RCE using them.
I am okay with them executing arbitrary code as this is needed for their level of functionality, but do limit my use of extensions to a minimal set of ones I trust, similarly to how I treat my browser.
Of course this is not how everyone treats their software, that said, KDE Plasma is designed expecting users to tweak it more, whereas GNOME's over-reliance on extensions for basic features makes it as if not more concerning.
While you're here, please consider supporting GamingOnLinux on:

Reward Tiers: Patreon. Plain Donations: PayPal.

This ensures all of our main content remains totally free for everyone! Patreon supporters can also remove all adverts and sponsors! Supporting us helps bring good, fresh content. Without your continued support, we simply could not continue!

You can find even more ways to support us on this dedicated page any time. If you already are, thank you!
Login / Register