Linux Furs

492 readers

1 users here now

A place for all Furries who use (or are interested in) Linux-based OS's to come, hang out, ask questions, and enjoy!

founded 1 year ago

MODERATORS

[email protected]

FYI: Malicious/Badly Written KDE theme can wipe out all your data (www.reddit.com)

submitted 8 months ago by [email protected] to c/[email protected]

7 comments fedilink hide all child comments

cross-posted from: https://lemmy.ml/post/13397700

Malicious KDE theme can wipe out all your data

Or is it just buggy?

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 5 points 8 months ago

FYI for whoever is reading this: it wasn't just a theme, but a Global Theme: it can include a Plasma Style, a color scheme, an icon theme, a panel layout template, an SDDM theme, wallpapers and widgets. Widgets are capable of running arbitrary code, just like GNOME extensions.

Here's the response article from one of our main developers: http://blog.davidedmundson.co.uk/blog/kde-store-content/

In the short term we need to communicate clearly what security expectations Plasma users should have for extensions they download into their desktops.

We need to improve the balance of accessing third party content that allows creators to share and have users to get this content easily, with enough speed-bumps and checks that everyone knows what risks are involved.

Longer term we need to progress on two avenues. We need to make sure we separate the "safe" content, where it is just metadata and content, from the "unsafe" content with scriptable content.

Then we can look at providing curation and auditing as part of the store process in combination with slowly improving sandbox support.