this post was submitted on 21 Mar 2024
521 points (97.3% liked)

linuxmemes

21254 readers
1526 users here now

Hint: :q!


Sister communities:


Community rules (click to expand)

1. Follow the site-wide rules

2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack members of the community for any reason.
  • Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
  • These rules are somewhat loosened when the subject is a public figure. Still, do not attack their person or incite harrassment.
  • 3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn. Even if you watch it on a Linux machine.
  • 4. No recent reposts
  • Everybody uses Arch btw, can't quit Vim, and wants to interject for a moment. You can stop now.

  • Please report posts and comments that break these rules!

    founded 1 year ago
    MODERATORS
     
    top 35 comments
    sorted by: hot top controversial new old
    [–] rtxn@lemmy.world 113 points 7 months ago* (last edited 7 months ago) (3 children)

    For those not in the know: aussie man explains. A KDE Plasma 6 global theme deleted a user's files. Global themes may contain arbitrary Javascript code, and a bug (using a library written for Plasma 5) caused it to essentially run rm -rf /*, Steam-style. KDE have since removed the theme and are considering next steps to warn the user that the "official" KDE store contains user-submitted content, and that some addons may contain potentially dangerous code.

    [–] KuroeNekoDemon@sh.itjust.works 38 points 7 months ago* (last edited 7 months ago) (2 children)

    I still remember that video I watched where a line in the Steam code back in the day was titled SCARY!!!!! and it was rm -rf $STEAMROOT. This nuked a guy's computer because short answer $STEAMROOT was actually / root, long answer here's the video. This nuked both his PC and his external drive that is some pretty bad code but this JavaScript code is up there

    [–] rtxn@lemmy.world 41 points 7 months ago (1 children)

    That's the issue I linked. The problem was that at some point a script executed rm -rf "$STEAMROOT/*", but did not make sure that $STEAMROOT was set. If for some reason it was empty, the path became /* after substitution.

    [–] KuroeNekoDemon@sh.itjust.works 11 points 7 months ago

    So would it be funny if I made a meme like this except it was with the trojan horse meme template? I kinda want to

    [–] PipedLinkBot@feddit.rocks 5 points 7 months ago

    Here is an alternative Piped link(s):

    video

    Piped is a privacy-respecting open-source alternative frontend to YouTube.

    I'm open-source; check me out at GitHub.

    [–] PipedLinkBot@feddit.rocks 4 points 7 months ago

    Here is an alternative Piped link(s):

    aussie man explains

    Piped is a privacy-respecting open-source alternative frontend to YouTube.

    I'm open-source; check me out at GitHub.

    [–] PlexSheep@feddit.de 2 points 7 months ago (2 children)

    Is this affecting both plasma 5&6 then?

    [–] nekusoul@lemmy.nekusoul.de 4 points 7 months ago

    This particular issue was caused by a breaking change in Plasma 6 and bad handling in a specific global theme.

    The general security concerns that were being brought to light however apply to all versions.

    [–] rtxn@lemmy.world 4 points 7 months ago

    It should only affect Plasma 6 because of some breaking change to how a Javascript function returns a path.

    [–] PlexSheep@feddit.de 54 points 7 months ago (1 children)
    [–] yetAnotherUser@feddit.de 5 points 7 months ago (1 children)

    It's only 3 layers deep, shame on you and your laziness

    I will await the 100 recursive layers SVG version later today, do not disappoint me (please).

    [–] PlexSheep@feddit.de 2 points 7 months ago

    I'm afraid I didn't make it and just stole it

    [–] possiblylinux127@lemmy.zip 36 points 7 months ago (1 children)

    Gottem

    Seriously though we need to work on improving security. A theme probably shouldn't be running code and if it is it needs to be sandboxed with its only access being an API

    [–] agent_flounder@lemmy.world 12 points 7 months ago (1 children)

    It's kind of horrifying nobody thought that through. What else did they fail to think about?

    [–] Kusimulkku@lemm.ee 2 points 7 months ago

    I know I'm late with this but it's not just a theme. It's a global theme. Those need to run code, so they really can't be sandboxed the same way a regular theme can be

    [–] elxeno@lemm.ee 31 points 7 months ago (5 children)

    Why do themes need to run code?

    [–] merthyr1831@lemmy.world 3 points 7 months ago (1 children)

    They shouldnt. At least use some kind of super locked down API if you're gonna let people use javascript of all things in your theming system god damn

    [–] possiblylinux127@lemmy.zip 6 points 7 months ago (1 children)

    Actually I'm pretty sure C would be much worse

    Well, you can literally create a C program in bash using themes, compile and execute it.

    [–] palordrolap@kbin.social 2 points 7 months ago

    Real "What does God need with a starship?" energy.

    [–] jkrtn@lemmy.ml 1 points 7 months ago

    People in one of the other threads were speculating that it is widgets, or one theme that is able to do multiple configurations. Really should be containerized or something, tho.

    [–] mexicancartel@lemmy.dbzer0.com 1 points 7 months ago

    Setting themes do mant things and they are not like adding a colorscheme or so. Like there are tweaks that comes wuth themes which needs shell access to heavily modify the desktop

    So they can include cool features like auto debloating /home/

    [–] therealjcdenton@lemmy.zip 21 points 7 months ago (1 children)

    Theme applied successfully!

    [–] lemmyvore@feddit.nl 1 points 7 months ago

    Yeah, shouldn't it say something like "ha ha get fucked"?

    [–] EndHD@lemm.ee 14 points 7 months ago

    is this the reason Bleeping Computer made that article about malicious KDE themes? i saw it in my feed but didn't think much of it

    [–] foobaz@lemmy.world 7 points 7 months ago

    Fucking CJS. Please use ESM to delete all my files 🙏