KDE theme wipes user's files using 'rm -rf'

[LU344928]

Now this is interesting:

https://www.bleepingcomputer.com/news/l ... ers-files/

[CharlesV]

Hmm... interesting and scary if that is true / actually what happened.

[siamhie]

Hmm... interesting and scary if that is true / actually what happened.

@CharlesV The user initially posted to r/openSUSE on Reddit and another user posted the (disturbing) code.

Hacked! - Installed a global theme - it erased all my drivers!
https://www.reddit.com/r/openSUSE/comme ... ed_all_my/


user cfeck_kde posted this in response.

I quickly checked its content. It contains, among others, a set of Plasmoids, which are from Plasma 5.

The "plasmaConfSaver" plasmoid contains:

Code: Select all

> cd plasma/plasmoids/com.pajuelo.plasmaConfSaver/contents ; grep -r "rm -Rf" *
scripts/save.sh:rm -Rf "$configFolder"
ui/FullRepresentation.qml:                            if(cmd.indexOf("save.sh") != -1 || cmd.indexOf("rm -Rf") != -1) {
ui/FullRepresentation.qml:                                    executeSource.connectSource("rm -Rf " + savePath + "/" + model.modelData)

It is possible that Plasma 6 tries to execute this script without checking.

[CharlesV]

Once again I am reminded of how 'user submissions' can turn bad.

I stopped all Python work because of the high dependency of unknown code libraries, I have always been suspicious of someone else's code over the years. But it was really more due to errors, unstable or just bad programming. But the last x years has shown far more issues that are serious.

This saddens me.

[davidy]

The day ubuntu partnered with canonical was the day I said sayonara. Canonical is the problem and ubuntu the enabler. My favorite recent 'news' is the evga power supply warranty repair process wherein you return your ps sans cables, and then they return the exact same model with different pinouts for the cabling (you kept) with zero notice of the change and absolutely no difference in model# whatsoever. 12V to your HD's is full hardware failure. Lots of predators, incl lazy crappy companies, so stay vigilant and watch out for the wooden nickels. Needless to say evga wanted no part of that and referred the customer to the hd manufacturer instead. Ubuntu because of canonical is dead to me and evga because they prey on "gamers" is as well. Kinda like nvidia's bs.

[asqwerth]

KDE Store issues are separate from Canonical/Ubuntu. It's for Plasma users regardless of distro.

[Stevo]

Yes, MX KDE users will also be vulnerable.

[davidy]

Your right. Apparently with kde themes they are allowed to run any kind of script which in and of itself is what makes kde so magical and bloaty all at the same time. Sorry about the canonical rant. I was referring to some crypto wallet scammers which are being uploaded and when they are taken down the scammers just create a new acct and re-upload them. Thanks for the clarification. So you have a choice of your data wiped, your hd's controller's destroyed potentially losing all your data if not fixed, and all your crypto stolen. I think my favorite is the roku tv's which deactivate when you don't agree.
Fun fact. If you watch tubi on a roku whenever there is a commercial just keep hitting the back button, and then resume, until the movie plays again. It works

[sunrat]

If that happens, one should just restore the system backup they made before installing potentially damaging software!
Everyone makes backups, don't they?

[Mauser]

Ouch! This reminds me of Snaps. Seems like KDE is not secure if this can happen. This is one thing I find very disturbing in the Linux community. Some don't secure their repositories and or websites then always push the blame onto the end-user that they should have back ups when they are the guilty party due to their gross incompetence. When someone points out their goof-ups those people get attack when they are the one to blame. Linux is suppose to be safe and secure but theses idiots are doing a great disservice to the Linux brand. All software must be checked and vetted before it's put on the Internet and no excuses are acceptable. This is one of the many reasons why I have two backups of my files because we have idiots like these that are too lazy to check everything uploaded to their site.