- cross-posted to:
- linux@lemmy.ml
- kde@lemmy.kde.social
- cross-posted to:
- linux@lemmy.ml
- kde@lemmy.kde.social
cross-posted from: https://lemmy.ml/post/13397700
Malicious KDE theme can wipe out all your data
Or is it just buggy?
FYI for whoever is reading this: it wasn’t just a theme, but a Global Theme: it can include a Plasma Style, a color scheme, an icon theme, a panel layout template, an SDDM theme, wallpapers and widgets. Widgets are capable of running arbitrary code, just like GNOME extensions.
Here’s the response article from one of our main developers: http://blog.davidedmundson.co.uk/blog/kde-store-content/
In the short term we need to communicate clearly what security expectations Plasma users should have for extensions they download into their desktops.
We need to improve the balance of accessing third party content that allows creators to share and have users to get this content easily, with enough speed-bumps and checks that everyone knows what risks are involved.
Longer term we need to progress on two avenues. We need to make sure we separate the “safe” content, where it is just metadata and content, from the “unsafe” content with scriptable content.
Then we can look at providing curation and auditing as part of the store process in combination with slowly improving sandbox support.
I was installing themes and I did see that one, but I didn’t like it. I dodged a bullet that day and I didn’t know it.
yup yup yup. didnt steam also have some “fun” rm -rf bug a few years ago? proper backups and sandboxing go a long way
Yeah, I remember that. Was it in the client or in an installed game?
And yeah, backups are the most important from the users end to do. Sandboxing and proper permissions is something KDE needs to focus on.
Yeah, I remember that. Was it in the client or in an installed game?
And yeah, backups are the most important from the users end to do. Sandboxing and proper permissions is something KDE needs to focus on.
Oofta. Theirs no reason a theme should be allowed to do this.
Or at least not alert the user that it has those powers. This would suggest KDE needs some ranked permissions for their themes and add-ons to prevent this from happening willy-nilly.