KDE theme wipes user's files using 'rm -rf'
Posted: Sat Mar 23, 2024 9:06 am
by LU344928
Re: KDE theme wipes user's files using 'rm -rf'
Posted: Sat Mar 23, 2024 11:23 am
by CharlesV
Hmm... interesting and scary if that is true / actually what happened.
Re: KDE theme wipes user's files using 'rm -rf'
Posted: Sat Mar 23, 2024 11:39 am
by siamhie
CharlesV wrote: Sat Mar 23, 2024 11:23 am
Hmm... interesting and scary if that is true / actually what happened.
@CharlesV The user initially posted to r/openSUSE on Reddit and another user posted the (disturbing) code.
Hacked! - Installed a global theme - it erased all my drivers!
https://www.reddit.com/r/openSUSE/comme ... ed_all_my/
user cfeck_kde posted this in response.
I quickly checked its content. It contains, among others, a set of Plasmoids, which are from Plasma 5.
The "plasmaConfSaver" plasmoid contains:
> cd plasma/plasmoids/com.pajuelo.plasmaConfSaver/contents ; grep -r "rm -Rf" *
scripts/save.sh:rm -Rf "$configFolder"
ui/FullRepresentation.qml: if(cmd.indexOf("save.sh") != -1 || cmd.indexOf("rm -Rf") != -1) {
ui/FullRepresentation.qml: executeSource.connectSource("rm -Rf " + savePath + "/" + model.modelData)
It is possible that Plasma 6 tries to execute this script without checking.
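A pre-install audit in the spirit of the grep quoted above, as an added example that is not part of the thread and not a KDE tool. The function names and the three patterns are assumptions made for this sketch; the sample tree is constructed from the lines quoted in the post and is only scanned, never executed.

```shell
#!/bin/sh
# Added example: static audit of an UNPACKED KDE Store package before install.
# The three patterns are heuristics chosen here, not an official KDE check.

# Print one finding per line, prefixed SCRIPT / DELETE / EXEC.
audit_plasma_package() {
    pkg=$1
    # Shell scripts shipped inside what is advertised as a theme.
    find "$pkg" -type f -name '*.sh' | while IFS= read -r f; do
        printf 'SCRIPT  %s\n' "$f"
    done
    # Recursive delete in any file: rm -rf, rm -Rf, rm -fr, ...
    grep -rnE '(^|[^[:alnum:]_])rm[[:space:]]+-[A-Za-z]*[rR]' "$pkg" |
        sed 's/^/DELETE  /'
    # QML that passes a string to connectSource(), the call quoted in the post.
    find "$pkg" -type f -name '*.qml' -exec \
        grep -nHE 'connectSource[[:space:]]*\(' {} + | sed 's/^/EXEC    /'
    return 0
}

# Number of findings of one kind ("" counts all kinds).
count_findings() {
    audit_plasma_package "$1" | grep -c "^$2" || true
}

# Constructed sample: a "bad" tree holding only the lines quoted in the post
# (as inert text, nothing is executed) and a "good" tree with plain QML.
make_sample() {
    root=$(mktemp -d)
    c="$root/bad/plasma/plasmoids/com.pajuelo.plasmaConfSaver/contents"
    mkdir -p "$c/scripts" "$c/ui" "$root/good/contents/ui"
    printf '%s\n' '#!/bin/sh' 'rm -Rf "$configFolder"' > "$c/scripts/save.sh"
    printf '%s\n' \
        'if(cmd.indexOf("save.sh") != -1 || cmd.indexOf("rm -Rf") != -1) {' \
        'executeSource.connectSource("rm -Rf " + savePath + "/" + model.modelData)' \
        > "$c/ui/FullRepresentation.qml"
    printf '%s\n' 'Item { width: 10 }' > "$root/good/contents/ui/main.qml"
    printf '%s\n' "$root"
}

demo=$(make_sample)
audit_plasma_package "$demo/bad"
echo "findings in good package: $(count_findings "$demo/good" '')"
rm -rf "${demo:?}"
```

A finding is a reason to open the file and read it before installing, not proof of malice; a package with no findings can still be unsafe.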
Re: KDE theme wipes user's files using 'rm -rf'
Posted: Sat Mar 23, 2024 11:44 am
by CharlesV
Once again I am reminded of how 'user submissions' can turn bad.
I stopped all Python work because of the high dependency on unknown code libraries. I have always been suspicious of someone else's code over the years, but it was really more due to errors, instability or just bad programming. But the last x years have shown far more issues that are serious.
This saddens me.
Re: KDE theme wipes user's files using 'rm -rf'
Posted: Mon Mar 25, 2024 10:43 am
by davidy
The day Ubuntu partnered with Canonical was the day I said sayonara. Canonical is the problem and Ubuntu the enabler. My favorite recent 'news' is the EVGA power supply warranty repair process wherein you return your PS sans cables, and then they return the exact same model with different pinouts for the cabling (you kept) with zero notice of the change and absolutely no difference in model# whatsoever. 12V to your HDs is full hardware failure. Lots of predators, incl. lazy crappy companies, so stay vigilant and watch out for the wooden nickels. Needless to say EVGA wanted no part of that and referred the customer to the HD manufacturer instead. Ubuntu because of Canonical is dead to me and EVGA because they prey on "gamers" is as well. Kinda like Nvidia's BS.
Re: KDE theme wipes user's files using 'rm -rf'
Posted: Mon Mar 25, 2024 11:14 am
by asqwerth
KDE Store issues are separate from Canonical/Ubuntu. It's for Plasma users regardless of distro.
Re: KDE theme wipes user's files using 'rm -rf'
Posted: Mon Mar 25, 2024 11:51 am
by Stevo
Yes, MX KDE users will also be vulnerable.
Re: KDE theme wipes user's files using 'rm -rf'
Posted: Mon Mar 25, 2024 12:05 pm
by davidy
You're right. Apparently with KDE themes they are allowed to run any kind of script, which in and of itself is what makes KDE so magical and bloaty all at the same time. Sorry about the Canonical rant. I was referring to some crypto wallet scammers which are being uploaded and when they are taken down the scammers just create a new acct and re-upload them. Thanks for the clarification. So you have a choice of your data wiped, your HD's controllers destroyed potentially losing all your data if not fixed, and all your crypto stolen. I think my favorite is the Roku TVs which deactivate when you don't agree.
Fun fact. If you watch Tubi on a Roku, whenever there is a commercial just keep hitting the back button, and then resume, until the movie plays again. It works.
Re: KDE theme wipes user's files using 'rm -rf'
Posted: Wed Mar 27, 2024 5:44 pm
by sunrat
If that happens, one should just restore the system backup they made before installing potentially damaging software!
Everyone makes backups, don't they?
Re: KDE theme wipes user's files using 'rm -rf'
Posted: Wed Mar 27, 2024 6:21 pm
by Mauser
Ouch!

This reminds me of Snaps.

Seems like KDE is not secure if this can happen. This is one thing I find very disturbing in the Linux community. Some don't secure their repositories and/or websites, then always push the blame onto the end-user that they should have backups when they are the guilty party due to their gross incompetence.

When someone points out their goof-ups those people get attacked when they are the ones to blame.

Linux is supposed to be safe and secure but these idiots are doing a great disservice to the Linux brand.

All software must be checked and vetted before it's put on the Internet and no excuses are acceptable. This is one of the many reasons why I have two backups of my files because we have idiots like these that are too lazy to check everything uploaded to their site.

Re: KDE theme wipes user's files using 'rm -rf'
Posted: Wed Mar 27, 2024 6:54 pm
by Stevo
The KDE store and "get hot new stuff" does have some warnings about it not being vetted, and that it does pose a risk, but...damn. Discover also updates stuff from the store once they are installed, along with system packages---use MX Updater if you want to be safer.
Re: KDE theme wipes user's files using 'rm -rf'
Posted: Wed Mar 27, 2024 6:56 pm
by AVLinux
It's easy to say that KDE shouldn't have let this happen but like much of Linuxdom it's probably volunteer managed or store submission devs being run on a shoestring budget... on top of that why would they be expecting to find such a heinous exploit in a theme which are almost always provided by good-hearted Users with the best of intentions in their spare time. It shouldn't have happened but KDE isn't the bad guy here the author of the exploit is... It seems like the store got on top of it very quickly, sadly, people suck...

Re: KDE theme wipes user's files using 'rm -rf'
Posted: Wed Mar 27, 2024 8:02 pm
by uncle mark
Stevo wrote: Mon Mar 25, 2024 11:51 am
Yes, MX KDE users will also be vulnerable.
Yet another example of why I appreciate having become old, dull, and boring. Defaults are almost always just fine with me.
"Themes? We don't need no steenking themes."
Re: KDE theme wipes user's files using 'rm -rf'
Posted: Wed Mar 27, 2024 10:25 pm
by asqwerth
sunrat wrote: Wed Mar 27, 2024 5:44 pm
If that happens, one should just restore the system backup they made before installing potentially damaging software!
Everyone makes backups, don't they?
The article said every device mounted got wiped. So if your backup or even Timeshift device was mounted, it would have been wiped if it could be written to with user permissions.
So better make sure you have backups that are not normally mounted or even connected to your machine. And have more than 1, in separate backup devices, as Mauser said.
I don't use Discover to update or install KDE Store customisations. First thing I do for every MX-KDE install is to remove Discover from the notifications, and install/activate Synaptic and apt-notifier.
Once in a while I visit KDE Store and check the relevant pages [e.g. read the reviews, ensure any updates are for my Plasma version].
Re: KDE theme wipes user's files using 'rm -rf'
Posted: Wed Mar 27, 2024 11:23 pm
by Dennis-TW
asqwerth wrote: Wed Mar 27, 2024 10:25 pm
So better make sure you have backups that are not normally mounted or even connected to your machine.
In my opinion that is the pure definition of a backup.
In all other cases it is merely a copy of your data.
Many might roll their eyes when they read about the 3-2-1 backup method and its modern variant 3-2-1-1-0, but it still makes sense.
And while one can argue that an offsite backup via Cloud or remote location might be overkill for the average home user, a physically separated backup device should be the norm.
Luckily it is so easy to accomplish with MX Linux!
Re: KDE theme wipes user's files using 'rm -rf'
Posted: Wed Mar 27, 2024 11:40 pm
by Mauser
Dennis-TW wrote: Wed Mar 27, 2024 11:23 pm
asqwerth wrote: Wed Mar 27, 2024 10:25 pm
So better make sure you have backups that are not normally mounted or even connected to your machine.
In my opinion that is the pure definition of a backup.
In all other cases it is merely a copy of your data.
Many might roll their eyes when they read about the 3-2-1 backup method and its modern variant 3-2-1-1-0, but it still makes sense.
And while one can argue that an offsite backup via Cloud or remote location might be overkill for the average home user, a physically separated backup device should be the norm.
Luckily it is so easy to accomplish with MX Linux!
I wouldn't trust anything on the Cloud. The Cloud is just someone else's computer that the Stasi can get to and so can ransomware. My backups are on two different hard drives inside my computer case that both have full disk encryption, and I only mount them when I back up to them and then immediately dismount them both. No Stasi is going to get the information on them, no ransomware is going to get them, no virus can touch them, no malware will mess them up, and no nothing will get them.
Re: KDE theme wipes user's files using 'rm -rf'
Posted: Thu Mar 28, 2024 4:08 am
by operadude
uncle mark wrote: Wed Mar 27, 2024 8:02 pm
Stevo wrote: Mon Mar 25, 2024 11:51 am
Yes, MX KDE users will also be vulnerable.
Yet another example of why I appreciate having become old, dull, and boring. Defaults are almost always just fine with me.
"Themes? We don't need no steenking themes."
@uncle mark
You are pure "TREASURE"

Re: KDE theme wipes user's files using 'rm -rf'
Posted: Thu Mar 28, 2024 2:32 pm
by MikeR
Re: KDE theme wipes user's files using 'rm -rf'
Posted: Thu Mar 28, 2024 2:56 pm
by siamhie
@MikeR That's a cross post from the initial post I mentioned here in post #3.
viewtopic.php?p=770308#p770308
Re: KDE theme wipes user's files using 'rm -rf'
Posted: Thu Mar 28, 2024 3:09 pm
by MadMax
KDE is a great DE, but stuff like this always reminds me why I stick with Xfce

Re: KDE theme wipes user's files using 'rm -rf'
Posted: Thu Mar 28, 2024 9:34 pm
by uncle mark
operadude wrote: Thu Mar 28, 2024 4:08 am
uncle mark wrote: Wed Mar 27, 2024 8:02 pm
Stevo wrote: Mon Mar 25, 2024 11:51 am
Yes, MX KDE users will also be vulnerable.
Yet another example of why I appreciate having become old, dull, and boring. Defaults are almost always just fine with me.
"Themes? We don't need no steenking themes."
@uncle mark
You are pure "TREASURE"
I hear that all the time.
Re: KDE theme wipes user's files using 'rm -rf'
Posted: Fri Mar 29, 2024 2:53 am
by AK-47
Why the bloody hell are themes (of all things) allowed to execute, or be composed of, arbitrary shell scripts in the first place?! Many scoffed at Microsoft for ActiveX and the Active Desktop (and rightfully so), and now we have the same mistakes being made here. At least Microsoft had some sense not to make Windows XP themes out of executables and shell scripts.
It is hard to pull the old "oh they're just human, bugs happen" when it is the result of a fundamental architectural and design problem. As the old saying goes, those who fail to learn from history are doomed to repeat it.
AVLinux wrote: Wed Mar 27, 2024 6:56 pm
It's easy to say that KDE shouldn't have let this happen but like much of Linuxdom it's probably volunteer managed or store submission devs being run on a shoestring budget... on top of that why would they be expecting to find such a heinous exploit in a theme which are almost always provided by good-hearted Users with the best of intentions in their spare time. It shouldn't have happened but KDE isn't the bad guy here the author of the exploit is... It seems like the store got on top of it very quickly, sadly, people suck...
KDE is a very large organisation which receives its fair share of funding and donations. I believe they are (or at least are considering) hiring people on a professional level. It's a shame it's such a minefield in terms of customisation. You get all these wonderful options, but as soon as you activate them, kaboom bug explosion terror. If your software is like this, you really need to review your methods and stop cramming in features until it is sure that they won't break things. As much as I love KDE and use it on a regular basis, I hate that they are unwilling to accept this simple fact.
Re: KDE theme wipes user's files using 'rm -rf'
Posted: Fri Mar 29, 2024 3:14 am
by Mauser
Re: KDE theme wipes user's files using 'rm -rf'
Posted: Fri Mar 29, 2024 5:40 am
by asqwerth
AK-47 wrote: Fri Mar 29, 2024 2:53 am
Why the bloody hell are themes (of all things) allowed to execute, or be composed of, arbitrary shell scripts in the first place?! Many scoffed at Microsoft for ActiveX and the Active Desktop (and rightfully so), and now we have the same mistakes being made here. At least Microsoft had some sense not to make Windows XP themes out of executables and shell scripts.
....
Not sure whether the actual themes for applications or plasma desktop can contain scripts, but I think the malicious software in question was the GLOBAL "theme", which is actually more like a series of instructions to enable you to set in one click the following:
1. application theme
2. theme for plasma desktop
3. colour scheme
4. icon theme
5. window decorations
6. possibly some plasmoids/widgets (not sure).
Re: KDE theme wipes user's files using 'rm -rf'
Posted: Fri Mar 29, 2024 6:04 am
by AK-47
asqwerth wrote: Fri Mar 29, 2024 5:40 am
Not sure whether the actual themes for applications or plasma desktop can contain scripts, but I think the malicious software in question was the GLOBAL "theme", which is actually more like a series of instructions to enable you to set in one click the following:
1. application theme
2. theme for plasma desktop
3. colour scheme
4. icon theme
5. window decorations
6. possibly some plasmoids/widgets (not sure).
It could be an intergalactic theme for all I care about. Items 1 to 5, definitely no business involving executable or shell code, even in installation or removal (these shouldn't be like deb packages).
I would expect this in plasmoids, but I don't think those are controlled by the global theme, from what I see in the KDE docs.
Re: KDE theme wipes user's files using 'rm -rf'
Posted: Fri Mar 29, 2024 7:37 am
by j2mcgreg
The really troubling bit is that KDE has not put a temporary halt on user submissions until their vetting process is in place.