187

Malicious KDE theme can wipe out all your data(www.reddit.com)

posted
by
Avatar
wisha@lemmy.ml
in
Avatar
linux@lemmy.ml
51 comments
hidereport

cross-posted from: https://lemmy.ml/post/13397700

Malicious KDE theme can wipe out all your data

Or is it just buggy?

Sort:
HotTopControversialNewOld
Avatar
katy ✨@lemmy.blahaj.zone
8 points

i can do that too with --no-preserve-root but you don’t see me bragging.

permalink
report
reply
Avatar
fruitycoder@sh.itjust.works
11 points

We really need better sandboxing for the desktop. I see why scripting can useful for themes, but why the heck would they have so much fs access?

permalink
report
reply
Avatar
jaxil6@futurology.today
-36 points

I thought wayland was supposed to improve security. Were the past 18 years a lie?

permalink
report
reply
Avatar
ProgrammingSocks@pawb.social
8 points

Bro does not know what a display server does

permalink
report
parent
reply
Avatar
jaxil6@futurology.today
-5 points

They should be more specific. This is just false advertising.

permalink
report
parent
reply
Avatar
ProgrammingSocks@pawb.social
0 points
*

Wayland isn’t a product. You’re gonna have to get your mind out of capitalism to understand the free software community.

permalink
report
parent
reply
Show more comments
Avatar
baseless_discourse@mander.xyz
5 points
*

Um, this is like saying full disk encryption is false advertising, because it doesn’t prevent people blowing up your apartment complex. LOL.

Sorry, dude, I cannot resist. No hate to you, we all need to start from somewhere.

permalink
report
parent
reply
Avatar
ReversalHatchery@beehaw.org
1 point

It does, when the bad actor is a program you run, and other open windows contain sensitive content.

Here the bad actor is code being loaded as an extension to the compositor. A bit like a kernel module, which can bypass file access permissions if it wants.

permalink
report
parent
reply
Avatar
machinya [it/its, fae/faer]@hexbear.net
2 points

wayland was not about avoiding applications accessing resources or running scripts (that is why sandboxing is for) but to avoid programs to have access to the rest of the graphical session (things like input devices and other graphical windows and their data)

permalink
report
parent
reply
Avatar
Klara@lemmy.blahaj.zone
5 points

This is different from the Wayland security model, as Wayland restricts the ability for clients to modify and read from other clients arbitrarily. This is an extension to a Wayland compositor, and as all extensions do, it contains code which runs on your system. Any code, unless sandboxed, can access your filesystem no matter if it’s run under Wayland, X11, or no windowing system at all for that matter.

permalink
report
parent
reply
Avatar
Zamundaaa@discuss.tchncs.de
8 points
*

It is not related to Wayland or the compositor in any way. This is a plasmashell extension.

Similar caveats do apply to KWin scripts and effects though

permalink
report
parent
reply
Avatar
TheGrandNagus@lemmy.world
15 points

This is such a dumb comment. Jesus.

“I thought passwords were meant to improve security! So how come I got a virus???”

permalink
report
parent
reply
Avatar
McMacker4@lemmy.world
27 points

This has literally nothing to do with wayland.

permalink
report
parent
reply
Avatar
BZzzz@jlai.lu
24 points

*Malicious script inside everywhere can wipe out all your data

permalink
report
reply
Avatar
baseless_discourse@mander.xyz
5 points
*

except sandboxed, a theme should not have unrestricted user file system access.

permalink
report
parent
reply
Avatar
node815@lemmy.world
44 points

For those that don’t want to go back to the Dark side (Reddit), the post referenced a theme (Grey Layout global theme) which got KDE Dev’s involved who in reaction removed the listing from the store.

In short - the theme ran code to run a rm -rf on the user’s drive which wiped everything during install. Aside from backing up your data religiously, be sure to inspect the code instead of blindly installing for now. KDE Dev’s said they will need to do better so I expect some changes are afoot to provide better security.

permalink
report
reply
Avatar
governorkeagan@lemdro.id
9 points
permalink
report
parent
reply
Avatar
Daniel Quinn@lemmy.ca
3 points

Ooh! Thanks for this! I had no idea it existed.

permalink
report
parent
reply
Avatar
MonkderZweite@feddit.ch
22 points
*

Why can a theme execute code??

edit: it was the package that did it?

permalink
report
parent
reply

Linux

!linux@lemmy.ml

Create post

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

  • Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
  • No misinformation
  • No NSFW content
  • No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

Community stats

  • 9.4K

    Monthly active users

  • 6.1K

    Posts

  • 170K

    Comments

Community moderators