Usage of Plasma 6’s Global Themes May Pose Serious Risks
First and foremost: there is no need for panic. If downloading and installing a third-party global theme from the settings dialog wasn't your first move after setting up the impressive Plasma 6 desktop environment, you're in the clear. Secondly, the KDE team is on top of the issue. Here's the scoop.
A Reddit user reported (for reference here and here) a serious issue with Plasma 6: installing a specific third-party global theme triggered the equivalent of “rm -rf /” in the background. That one-line command, simple as it is, wipes everything the running user has permission to delete, including data on any additional drives mounted at the time.
Update
Here also:
-
3rd party KDE Plasma Global Themes and Widgets can lead to data loss
Uh oh. Seems there's been an issue lately with Global Themes for KDE, which has ended up causing a total wipe of data. The issue is that KDE Global Themes can run arbitrary code, so they can really mess with your system, so you're advised not to use them.
Microsofters:
-
KDE advises extreme caution after theme wipes Linux user's files
On Wednesday, the KDE team warned Linux users to exercise "extreme caution" when installing global themes, even from the official KDE Store, because these themes run arbitrary code on devices to customize the desktop's appearance.
The KDE Store currently allows anyone to upload new themes and various other plugins or add-ons without any checks for malicious behavior.
However, as KDE said, it currently lacks the resources to review the code used by each global theme submitted for inclusion in its official store. If the themes are faulty or malicious, this can result in unexpected consequences.
Also:
-
KDE Themes can (and do) "RM -RF" all of your files
Download a theme to your GNU/Linux computer... lose all your data. Crazy.
More:
-
KDE Issues Warning After Theme Wipes GNU/Linux Users
The KDE team has warned GNU/Linux users about the potential risks of installing global themes. They have emphasized the need for vigilance and careful consideration when downloading and using themes, even from official sources like the KDE Store. Global themes and widgets created by third-party developers can run arbitrary code, resulting in unexpected consequences, including deleting personal data. At least one user had had their files wiped after installing a faulty global Plasma theme.
Late coverage:
-
KDE Plasma theming security nightmare: scripting feature can run root commands including the worst Linux meme
KDE Plasma's Global Themes can run scripts in the background, which can run commands as a root user, including the infamous “sudo rm -rf” which wipes the user's root partition, causing significant data loss. KDE is aware of the issue, but no fix has been issued.
Reposting the Microsofters:
-
Cyber Security Headlines: New Kimsuky technique, KDE Linux warning, Atlassian critical flaws
KDE, the international team that develops and distributes applications for Linux and other platforms is warning users to exercise extreme caution when installing global themes, even from the official KDE Store, because these themes run arbitrary code on devices to customize the desktop’s appearance. According to BleepingComputer, the KDE Store currently allows anyone to upload new themes and various other plugins or add-ons without any checks for malicious behavior. KDE says this is because it lacks the resources to review the code used by each global theme submitted for inclusion in its official store.
Hackaday:
-
User Beware: The Fine Line Between Content And Code
So what happened? There remains some debate about exactly what caused things to go sideways, but one thing seems clear: the theme wasn’t designed to be malicious. While admittedly not very highly rated on the KDE Store, it still had nearly 3,800 downloads when [JeansenVaars] installed it, and we would have heard by now if all those folks had their home directories wiped out. A few Reddit users poked around in the source for “Gray Layout”, and found some potentially troubling lines, such as this one:
rm -Rf "$configFolder"
This would certainly trigger a Bad Day depending on the value of $configFolder, but despite looking scary, others pointed out that this line actually comes from an upstream project and that there’s no obvious way this command could be directed towards the entire filesystem given the way the string was pieced together elsewhere in the code. But it was also noted that the theme in question was designed for an older version of KDE Plasma, and that there could be some weirdness going on there. Ultimately, it looks like [JeansenVaars] was just unlucky enough to stumble into an edge case somewhere.
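The edge case the Hackaday piece gestures at is a general one, so here is an added illustration of it. This is not code from the “Gray Layout” theme, from KDE, or from any of the quoted articles: it is a constructed script that rebuilds a tiny fake filesystem inside a throwaway directory (standing in for “/”), runs a cleanup step written the way a theme installer might write it, and shows what happens when the variable that names the config folder is empty. The directory names, the file contents and the `/home/<user>/.config` allow-list are all assumptions made for the demo; nothing outside the temporary directory is touched.

```shell
#!/bin/sh
# Added demo, not the theme's code. FAKE_ROOT stands in for "/", so every
# destructive command below is confined to a temporary directory.
FAKE_ROOT=$(mktemp -d)

# Constructed layout: a user home with a theme config folder and some documents.
setup_fs() {
  rm -rf -- "${FAKE_ROOT:?FAKE_ROOT must be set}"/*
  mkdir -p "$FAKE_ROOT/home/user/.config/gray-layout" \
           "$FAKE_ROOT/home/user/Documents" "$FAKE_ROOT/etc"
  echo "thesis draft" > "$FAKE_ROOT/home/user/Documents/thesis.txt"
  echo "stale=1"      > "$FAKE_ROOT/home/user/.config/gray-layout/old.conf"
}

# Helper used by the demo and the checks: does a path exist under the fake root?
file_exists() { [ -e "$FAKE_ROOT$1" ]; }

# Unsafe pattern. The config folder is assembled elsewhere and passed in; an
# unset variable and an empty argument both expand to "". The glob then becomes
# "/*", which GNU rm's default --preserve-root does NOT block (it only refuses
# "/" itself, not its children).
unsafe_cleanup() {
  configFolder="$1"
  rm -rf "$FAKE_ROOT$configFolder"/*
}

# Guarded version: refuse empty input, refuse ".." components, refuse anything
# outside the tree the installer is supposed to own, end option parsing with
# "--", and remove the directory itself rather than "$dir"/*.
safe_cleanup() {
  configFolder="$1"
  if [ -z "$configFolder" ]; then
    echo "refusing: config folder is empty" >&2
    return 1
  fi
  case "$configFolder" in
    *..*)
      echo "refusing: '..' in $configFolder" >&2; return 1 ;;
    /home/*/.config/?*)
      ;;
    *)
      echo "refusing: $configFolder is outside /home/<user>/.config" >&2; return 1 ;;
  esac
  rm -rf -- "$FAKE_ROOT$configFolder"
}

# Intended use: only the theme's own stale config is removed.
setup_fs
unsafe_cleanup "/home/user/.config/gray-layout"
file_exists /home/user/Documents/thesis.txt && echo "intended use: Documents intact"

# The edge case: an empty value turns the same line into a wipe of the (fake) root.
setup_fs
unsafe_cleanup ""
file_exists /home/user/Documents/thesis.txt || echo "empty variable: Documents gone"

# The guarded version refuses instead.
setup_fs
if safe_cleanup ""; then echo "unexpected: guard did not fire"; else echo "guard refused the empty path"; fi
file_exists /home/user/Documents/thesis.txt && echo "guarded version: Documents intact"
```

Run it with any POSIX shell; the three echo lines at the end narrate the outcome. The lesson is independent of KDE: a theme or plugin hook is ordinary shell running with the user's privileges, so a path built from a variable that no longer exists on a newer desktop version is enough to delete the whole home directory, and `set -u` plus explicit checks like the ones in `safe_cleanup` are cheap insurance.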