operadude wrote: Thu Mar 28, 2024 4:08 am
@uncle mark
uncle mark wrote: Wed Mar 27, 2024 8:02 pm
Yet another example of why I appreciate having become old, dull, and boring. Defaults are almost always just fine with me.
"Themes? We don't need no steenking themes."
You are pure "TREASURE"

I hear that all the time.
KDE theme wipes user's files using 'rm -rf'
- uncle mark
- Posts: 870
- Joined: Sat Nov 11, 2006 9:42 pm
Re: KDE theme wipes user's files using 'rm -rf'
Custom build Asus/AMD/nVidia circa 2011 -- MX 19.2 KDE
Acer Aspire 5250 -- MX 21 KDE
Toshiba Satellite C55 -- MX 18.3 Xfce
Assorted Junk -- assorted Linuxes
Re: KDE theme wipes user's files using 'rm -rf'
Why the bloody hell are themes (of all things) allowed to execute, or be composed of, arbitrary shell scripts in the first place?! Many scoffed at Microsoft for ActiveX and the Active Desktop (and rightfully so), and now we have the same mistakes being made here. At least Microsoft had some sense not to make Windows XP themes out of executables and shell scripts.
It is hard to pull the old "oh they're just human, bugs happen" when it is the result of a fundamental architectural and design problem. As the old saying goes, those who fail to learn from history are doomed to repeat it.
AVLinux wrote: Wed Mar 27, 2024 6:56 pm
It's easy to say that KDE shouldn't have let this happen but like much of Linuxdom it's probably volunteer managed or store submission devs being run on a shoestring budget... on top of that why would they be expecting to find such a heinous exploit in a theme which are almost always provided by good-hearted Users with the best of intentions in their spare time. It shouldn't have happened but KDE isn't the bad guy here the author of the exploit is... It seems like the store got on top of it very quickly, sadly, people suck...

KDE is a very large organisation which receives their fair share of funding and donations. I believe they are (or at least are considering) hiring people on a professional level. It's a shame it's such a minefield in terms of customisation. You get all these wonderful options, but as soon as you activate them, kaboom bug explosion terror. If your software is like this, you really need to review your methods and stop cramming in features until it is sure that they won't break things. As much as I love KDE and use it on a regular basis, I hate that they are unwilling to accept this simple fact.
Re: KDE theme wipes user's files using 'rm -rf'
Here are Brodie's thoughts on it: https://www.youtube.com/watch?v=TvXF2jEUbO4
I am command line illiterate.
I copy & paste to the terminal. Liars, Wiseguys, Trolls, and those without manners will be added to my ignore list. 


Re: KDE theme wipes user's files using 'rm -rf'
AK-47 wrote: Fri Mar 29, 2024 2:53 am
Why the bloody hell are themes (of all things) allowed to execute, or be composed of, arbitrary shell scripts in the first place?! Many scoffed at Microsoft for ActiveX and the Active Desktop (and rightfully so), and now we have the same mistakes being made here. At least Microsoft had some sense not to make Windows XP themes out of executables and shell scripts.

Not sure whether the actual themes for applications or plasma desktop can contain scripts, but I think the malicious software in question was the GLOBAL "theme", which is actually more like a series of instructions to enable you to set in one click the following:
....
1. application theme
2. theme for plasma desktop
3. colour scheme
4. icon theme
5. window decorations
6. possibly some plasmoids/widgets (not sure).
Desktop: Intel i5-4460, 16GB RAM, Intel integrated graphics
Clevo N130WU-based Ultrabook: Intel i7-8550U (Kaby Lake R), 16GB RAM, Intel integrated graphics (UEFI)
ASUS X42D laptop: AMD Phenom II, 6GB RAM, Mobility Radeon HD 5400
Re: KDE theme wipes user's files using 'rm -rf'
asqwerth wrote: Fri Mar 29, 2024 5:40 am
Not sure whether the actual themes for applications or plasma desktop can contain scripts, but I think the malicious software in question was the GLOBAL "theme", which is actually more like a series of instructions to enable you to set in one click the following:
1. application theme
2. theme for plasma desktop
3. colour scheme
4. icon theme
5. window decorations
6. possibly some plasmoids/widgets (not sure).

It could be an intergalactic theme for all I care about. Items 1 to 5, definitely no business involving executable or shell code, even in installation or removal (these shouldn't be like deb packages).
I would expect this in plasmoids, but I don't think those are controlled by the global theme, from what I see in the KDE docs.
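Added example, not part of the original thread and not KDE's own tooling: the posts above argue that theme packages have no business carrying executable or shell code, so this sketch lists such members in a downloaded theme tarball without extracting or installing anything. The archive layout, file names and suffix list are constructed for illustration.

```python
import io
import stat
import tarfile

SCRIPT_SUFFIXES = (".sh", ".bash", ".py", ".pl", ".rb")  # assumed list, extend as needed

def audit_theme_archive(data: bytes) -> list[tuple[str, str]]:
    """Return (member, reason) findings for a theme tarball, without extracting it."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            name = member.name
            # Members that would be written outside the install directory
            if name.startswith("/") or ".." in name.split("/"):
                findings.append((name, "path escapes install directory"))
            if member.issym() or member.islnk():
                findings.append((name, "link member"))
                continue
            if not member.isfile():
                continue
            if member.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                findings.append((name, "executable bit set"))
            if name.lower().endswith(SCRIPT_SUFFIXES):
                findings.append((name, "script file extension"))
            head = tar.extractfile(member).read(4)
            if head.startswith(b"#!"):
                findings.append((name, "shebang interpreter line"))
            elif head == b"\x7fELF":
                findings.append((name, "ELF binary"))
    return findings

def build_sample() -> bytes:
    """Constructed sample archive; the file names are made up for this example."""
    files = {
        "sample-theme/colors.conf": (0o644, b"[General]\nName=Sample\n"),
        "sample-theme/install.sh": (0o755, b"#!/bin/sh\necho constructed sample\n"),
        "sample-theme/preview.png": (0o644, b"\x89PNG\r\n\x1a\n"),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, (mode, body) in files.items():
            info = tarfile.TarInfo(name)
            info.mode, info.size = mode, len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in audit_theme_archive(build_sample()):
        print(f"{name}: {reason}")
```

Any finding means the package carries something beyond static theme data and its contents should be read before it is installed.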
Re: KDE theme wipes user's files using 'rm -rf'
The really troubling bit is that KDE has not put a temporary halt on user submissions until their vetting process is in place.
HP 15; ryzen 3 5300U APU; 500 Gb SSD; 8GB ram
HP 17; ryzen 3 3200; 500 GB SSD; 12 GB ram
Idea Center 3; 12 gen i5; 256 GB ssd;
In Linux, newer isn't always better. The best solution is the one that works.