• @rtxnM
    link
    English
    113
    edit-2
    8 months ago

    For those not in the know: aussie man explains. A KDE Plasma 6 global theme deleted a user’s files. Global themes may contain arbitrary Javascript code, and a bug (using a library written for Plasma 5) caused it to essentially run rm -rf /*, Steam-style. KDE have since removed the theme and are considering next steps to warn the user that the “official” KDE store contains user-submitted content, and that some addons may contain potentially dangerous code.

    • @[email protected]OP
      link
      fedilink
      38
      edit-2
      8 months ago

      I still remember that video I watched where a line in the Steam code back in the day was titled SCARY!!! and it was rm -rf $STEAMROOT. This nuked a guy’s computer because short answer $STEAMROOT was actually / root, long answer here’s the video. This nuked both his PC and his external drive that is some pretty bad code but this JavaScript code is up there

      • @rtxnM
        link
        English
        418 months ago

        That’s the issue I linked. The problem was that at some point a script executed rm -rf "$STEAMROOT/*", but did not make sure that $STEAMROOT was set. If for some reason it was empty, the path became /* after substitution.

        • @[email protected]OP
          link
          fedilink
          118 months ago

          So would it be funny if I made a meme like this except it was with the trojan horse meme template? I kinda want to

      • @[email protected]B
        link
        fedilink
        English
        58 months ago

        Here is an alternative Piped link(s):

        video

        Piped is a privacy-respecting open-source alternative frontend to YouTube.

        I’m open-source; check me out at GitHub.

      • NekuSoul
        link
        fedilink
        48 months ago

        This particular issue was caused by a breaking change in Plasma 6 and bad handling in a specific global theme.

        The general security concerns that were being brought to light however apply to all versions.

      • @rtxnM
        link
        English
        48 months ago

        It should only affect Plasma 6 because of some breaking change to how a Javascript function returns a path.

    • @[email protected]
      link
      fedilink
      58 months ago

      It’s only 3 layers deep, shame on you and your laziness

      I will await the 100 recursive layers SVG version later today, do not disappoint me (please).

  • Possibly linux
    link
    fedilink
    English
    368 months ago

    Gottem

    Seriously though we need to work on improving security. A theme probably shouldn’t be running code and if it is it needs to be sandboxed with its only access being an API

    • @agent_flounder
      link
      English
      128 months ago

      It’s kind of horrifying nobody thought that through. What else did they fail to think about?

      • @[email protected]
        link
        fedilink
        28 months ago

        I know I’m late with this but it’s not just a theme. It’s a global theme. Those need to run code, so they really can’t be sandboxed the same way a regular theme can be

    • @merthyr1831
      link
      38 months ago

      They shouldnt. At least use some kind of super locked down API if you’re gonna let people use javascript of all things in your theming system god damn

    • @[email protected]
      link
      fedilink
      English
      18 months ago

      Setting themes do mant things and they are not like adding a colorscheme or so. Like there are tweaks that comes wuth themes which needs shell access to heavily modify the desktop

    • @[email protected]
      link
      fedilink
      18 months ago

      People in one of the other threads were speculating that it is widgets, or one theme that is able to do multiple configurations. Really should be containerized or something, tho.

    • lemmyvore
      link
      fedilink
      English
      18 months ago

      Yeah, shouldn’t it say something like “ha ha get fucked”?

  • @[email protected]
    link
    fedilink
    148 months ago

    is this the reason Bleeping Computer made that article about malicious KDE themes? i saw it in my feed but didn’t think much of it

  • @foobaz
    link
    78 months ago

    Fucking CJS. Please use ESM to delete all my files 🙏

  • Norgur
    link
    fedilink
    -408 months ago

    Make this go away. Malicious “jokes” like this one do not deserve any clout.

    • Rustmilian
      link
      English
      668 months ago

      rm -f sense_of_humor.bin

        • @Andonno
          link
          438 months ago

          Changelog: Hi, guys. So you probably noticed that I pulled the humour repo. Short answer is it was conflicting with everything, and I don’t have the time or energy to fix it. My advice is to remove humour from your dependancies and purge it from the system.

          Sorry, I know how important humour is to some of you. If anyone wants to take up maintenance of the repo, I can mail you the terabytes of error logs you need to sort through.

    • @[email protected]
      link
      fedilink
      308 months ago

      On the contrary, in my opinion if they are clearly labelled as a joke, they are a great way for people who don’t understand them to ask why and, in the process, being a little more informed on what not to do and what it’s dangerous.

      Especially because there’s really no risk of emulation in this case.

    • @cm0002
      link
      98 months ago

      I wasn’t originally going to up vote this post because of laziness, but your comment inspired me to lmao