A KDE theme just wiped out a user's data

While this doesn’t appear to have been deliberate, it’s a sobering reminder of how simple it would be to inject some malicious code in themes or widgets.

The theme was called Grey Layout, and it has already been removed from the KDE store.

I just installed this Global Theme, innocently (Global Themes → Add New…)

It DELETES all your USER mounted drives data. It executes rm -rf on your behalf, deletes all personal data immediately. No questions asked.

A reply from a top KDE dev:

This particular theme has been removed. Too dangerous to live. We’re discussing a path forward for making sure this kind of thing can’t happen.

Most people would consider adding a theme (or widget) to be a perfectly safe, simple addition to their desktop. Be careful about blindly trusting things.

https://www.reddit.com/r/kde/comments/1bixmbx/do_not_install_global_themes_some_wipe_out_all/

21 Likes

Sounds bad, what are the ways to guard against such stuff?
From what I understand rm -rf was executed before asking for root.

1 Like

At the moment, you’d have to download the package, unpack it, and sift through the code hoping to spot anything.

They’re looking at ways to prevent this from happening in the future.

4 Likes

Important reminder. Plasma-store items have access to the CLI. Use common sense™ and treat it like the AUR. Check the description, reviews, ratings, age, … Source code should be provided but isn’t reviewed, so if possible take a quick look yourself. No source code, no installation!

3 Likes

How frequently is rm -rf used in the system, specifically?
Is it configurable somewhere to make rm, specifically with -rf, ask for root?
While it is weird to see such an issue in the themes, I don’t think that it cannot pop up somewhere else.

KDE at its best… quality control and common sense :joy:
Was it obvious before that any user-upload / update system is vulnerable to this…?

Well, it was :clown_face: :earth_africa:

1 Like

Someone grabbed an archive of the theme and found this:

It contains, among others, a set of Plasmoids, which are from Plasma 5.

The “plasmaConfSaver” plasmoid contains:

> cd plasma/plasmoids/com.pajuelo.plasmaConfSaver/contents ; grep -r "rm -Rf" *
scripts/save.sh:rm -Rf "$configFolder"
ui/FullRepresentation.qml:                            if(cmd.indexOf("save.sh") != -1 || cmd.indexOf("rm -Rf") != -1) {
ui/FullRepresentation.qml:                                    executeSource.connectSource("rm -Rf " + savePath + "/" + model.modelData)

It is possible that Plasma 6 tries to execute this script without checking.

https://www.reddit.com/r/openSUSE/comments/1biunsl/comment/kvn0139/

EDIT: Some more conjecture/elaboration on how this happened; I haven’t read through it (it’s 4 AM here and I’m going to bed now) but here’s a link:

https://www.reddit.com/r/openSUSE/comments/1biunsl/comment/kvnf4f5/

2 Likes
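The manual review described earlier in the thread (download the package, unpack it, sift through the code) can start with a scripted triage pass over the unpacked directory. This is an added example, not part of the thread and not KDE tooling: `audit_theme`, `make_sample` and the sample directory name are made up here, and the patterns only cover the constructs visible in the grep output quoted above, so an empty result does not prove a package is safe.

```shell
#!/bin/sh
# Added example: triage an unpacked Plasma theme or plasmoid before installing it.
# Prints one "[category] file:line:text" row per hit; returns 1 if anything matched.
audit_theme() {
    dir=$1
    hits=$(
        # Recursive or forced deletes (rm -rf, rm -Rf, rm -f ...) in any file.
        grep -rnE '(^|[^[:alnum:]_])rm[[:space:]]+-[[:alpha:]]*[rRf]' "$dir" |
            sed 's/^/[delete] /'
        # QML that hands strings to a shell through the "executable" data engine.
        grep -rnE 'engine:[[:space:]]*"executable"|connectSource[[:space:]]*\(' "$dir" |
            sed 's/^/[exec] /'
        # Shell scripts or executable files shipped inside what should be a theme.
        find "$dir" -type f \( -name '*.sh' -o -perm -100 \) | sed 's/^/[script] /'
    )
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample: the two flagged lines are copied from the grep output above;
# the directory name and the benign metadata file are invented for this example.
make_sample() {
    root=$(mktemp -d)
    c="$root/plasmoids/org.example.confsaver/contents"
    mkdir -p "$c/scripts" "$c/ui"
    printf '%s\n' 'rm -Rf "$configFolder"' > "$c/scripts/save.sh"
    printf '%s\n' 'executeSource.connectSource("rm -Rf " + savePath + "/" + model.modelData)' \
        > "$c/ui/FullRepresentation.qml"
    printf '%s\n' '{ "KPlugin": { "Name": "Example" } }' > "$root/metadata.json"
    echo "$root"
}

sample=$(make_sample)
audit_theme "$sample" || echo "-> package runs shell commands; read them before installing"
rm -rf "${sample:?}"   # :? aborts instead of expanding to an empty path
```

Every reported line still has to be read by a person: the script only narrows down where a package reaches for a shell.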

Companies holding your hand with anti-virus software and app-stores? - Mu freedom! :angry:

People giving you power to run everything you want? - Mu security! :angry:

1 Like

It doesn’t need root to remove your personal files as it’s being run with your privileges.

as pointed out here :point_up_2:

1 Like

People who completely and deliberately misinterpret what I’ve said - Muh :clown_face: :angry:

1 Like

Not sure if this is the most effective way but you could always alias rm to rm -i for it to require user intervention before the command is actually executed.

rm --help
-i prompt before every removal

Edit: Don’t know how to configure it in this way when you use sudo. Perhaps other more advanced users may be able to provide some insight.

4 Likes

Thanks for this. I have no additional KDE theme installed but when reading something like this I am asking myself if this could also have happened to me.

Fortunately, I am very reluctant to install anything which is not in the repos. If in AUR I usually check where this package comes from aso.

But, if I would like to install a theme which was uploaded by some user I would at least check how often this theme has been used already.

This also could be insufficient, of course. So what is the best way here? Just to not install any such theme (which is my way)?

1 Like

Of course, this can delete your data and non-root backups on the mounted disk without root permission.
This would not affect your data if it is in its btrfs snapshot in the same system. :wink:

1 Like

Now you will see all the KDE Plasma users switching to Gnome because of this :wink:

7 Likes

It does not matter, an installed Gnome widget with malware can delete your data without root permission.

You need a good and secure backup solution.

2 Likes

I know I was just making a joke :laughing: I don’t keep any important data in my desktop’s home directory but on my nas and I make a backup of that.

1 Like

This is similar to what happened

9 Likes

The original thread is from Reddit, need I say more. :man_facepalming: :person_facepalming: :woman_facepalming:

2 Likes

Oof. One more reason I’ll jump ship to Cosmic once that comes out.