KDE advises extreme caution after theme wipes Linux user's files

MrGuvernment
KDE advises extreme caution after theme wipes Linux user's files
https://www.bleepingcomputer.com/ne...-caution-after-theme-wipes-linux-users-files/

On Wednesday, the KDE team warned Linux users to exercise "extreme caution" when installing global themes, even from the official KDE Store, because these themes run arbitrary code on devices to customize the desktop's appearance.

The KDE Store currently allows anyone to upload new themes and various other plugins or add-ons without any checks for malicious behavior.

However, as KDE said, it currently lacks the resources to review the code used by each global theme submitted for inclusion in its official store. If the themes are faulty or malicious, this can result in unexpected consequences.

"Global themes and widgets created by 3rd party developers for Plasma can and will run arbitrary code. You are encouraged to exercise extreme caution when using these products," KDE cautioned.

"Global themes do not only change the look of Plasma, but also the behavior. To do this they run code, and this code can be faulty, as in the case mentioned above. The same goes for widgets and plasmoids."

Code execution is needed because global themes are designed to change everything on a Plasma desktop, from icons to windows decorations, lock screens, splash screens, wallpapers, color schemes, and so on, using executable bash scripts.

So basically, keep it stock.....
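One defensive check a practitioner might run before applying a third-party global theme, given that themes can ship executable scripts, as an added example that is not part of the forum thread, the BleepingComputer article, or KDE's own tooling: it walks an already-extracted theme directory, identifies anything that would run as code (executable bit, script file suffix, or a shebang line), and flags a few command patterns a reviewer would want to look at by hand. The sample theme layout, file names and pattern list are constructed for the demonstration; the real structure of KDE global theme packages is not modelled, so the scan is a generic directory walk.

```python
"""Audit an extracted add-on directory (e.g. a downloaded global theme)
for files that would execute when the theme is applied.

Added example, not KDE code. Assumes the theme archive has already
been extracted to a directory; the layout below is constructed."""
import re
import stat
import tempfile
from pathlib import Path

# Command patterns worth a manual look. Constructed list; extend as needed.
RISKY_PATTERNS = {
    "destructive_rm": re.compile(r"\brm\s+(-[a-zA-Z]*r[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*r)\b"),
    "remote_fetch": re.compile(r"\b(curl|wget)\b"),
    "pipe_to_shell": re.compile(r"\|\s*(sh|bash)\b"),
    "privilege": re.compile(r"\b(sudo|pkexec)\b"),
}
SCRIPT_SUFFIXES = {".sh", ".bash", ".py", ".pl", ".rb"}


def is_script(path: Path) -> bool:
    """A file counts as a script if it is executable, carries a script
    suffix, or starts with a shebang line."""
    mode = path.stat().st_mode
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return True
    if path.suffix.lower() in SCRIPT_SUFFIXES:
        return True
    with path.open("rb") as fh:
        return fh.read(2) == b"#!"


def audit_theme_dir(root) -> dict:
    """Return {relative_path: [matched pattern names]} for every script
    found under root. A script that matches nothing still appears with an
    empty list, because the point is that it will run at all."""
    root = Path(root)
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if not is_script(path):
            continue
        text = path.read_text(errors="replace")
        hits = [name for name, rx in RISKY_PATTERNS.items() if rx.search(text)]
        findings[str(path.relative_to(root))] = hits
    return findings


def build_sample_theme() -> str:
    """Constructed sample theme directory: one plain colour-scheme file,
    one benign shell script, one script carrying a destructive command.
    Nothing here is ever executed; it is only written out and scanned."""
    root = Path(tempfile.mkdtemp(prefix="theme-audit-"))
    (root / "contents").mkdir()
    (root / "contents" / "colors").write_text("[General]\nColorScheme=Example\n")
    benign = root / "contents" / "apply.sh"
    benign.write_text("#!/bin/sh\ncp contents/colors ~/.config/example-colors\n")
    bad = root / "contents" / "cleanup.sh"
    bad.write_text("#!/bin/sh\nrm -rf ~/.local/share/old-theme\n")
    bad.chmod(0o755)
    return str(root)


if __name__ == "__main__":
    theme = build_sample_theme()
    for rel, hits in audit_theme_dir(theme).items():
        verdict = "RISKY: " + ", ".join(hits) if hits else "script, review manually"
        print(f"{rel}: {verdict}")
```

The pattern list is deliberately small and will miss obfuscated or split flags (`rm -r -f`), so the useful output is the full list of scripts, not only the flagged ones: anything in that list is code the theme will run with your user's permissions.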
 
KDE advises extreme caution after theme wipes Linux user's files
https://www.bleepingcomputer.com/ne...-caution-after-theme-wipes-linux-users-files/
So basically, keep it stock.....

Yikes. I haven't used KDE since like 2007 when I switched from Gentoo to Ubuntu and it used Gnome 2.

I wound up liking the Gnome2 experience so much that when Ubuntu tried to push the Unity desktop on users, I just stopped using Ubuntu and switched to Mint, which still had Gnome 2, and then briefly - after Gnome 2 was deprecated - ran Gnome 3 with MGSE for - I think - one release.

After that Mint offered two native choices: Mate, a fork of the old Gnome 2 code, or Cinnamon, a new development work-alike intended to be "Gnome 2 but with more modern code".

Mate felt a little dated, so I chose Cinnamon despite its feature list being limited at first. Over the years Cinnamon has become fully featured. I have been happy using it ever since 2012.

This seems like a major "dropping the ball" moment for KDE. I know they like to think of themselves as "serious developers" and don't like to waste their time on things like themes, and prefer users to just beware on their own, but still. This just shouldn't happen.

I don't think I'd want to run KDE these days, and news like this gives me yet another reason.


So basically, keep it stock.....

Which is amusing, because the customization of KDE is why many people choose KDE in the first place.


Maybe instead "just DIY your themes rather than blindly trusting strangers on the internet to execute arbitrary code on your machine"
 
Def. I think there is too much trust people have on the internet, assuming because something is on a specific site (App Store / Android store et cetera) it must have been 100% vetted and is clean. Long gone are those days when, for the most part, you could download themes and add-on packs and never hear about malicious intent. But now, every vector into a system has to be considered as being compromised and thus, where one sources their stuff from has to be even more considered.

Back in the day of downloading game packs and mods, the thought never crossed your mind that it could infect your computer....

I am also just too lazy these days, with how often I redo my system "just cause" redoing themes and other things just becomes more work for me, so stock it stays!
 
I don't think I'd want to run KDE these days, and news like this gives me yet another reason.

KDE Plasma 6 is fantastic. I refuse to run Gnome because: Gnome devs. Furthermore, Gnome with all its extensions, extensions that are usually needed to get a usable desktop computer experience as opposed to a tablet experience, is just as bad if not worse.
 
KDE Plasma 6 is fantastic. I refuse to run Gnome because: Gnome devs. Furthermore, Gnome with all its extensions, extensions that are usually needed to get a usable desktop computer experience as opposed to a tablet experience, is just as bad if not worse.

Honestly, I haven't used Gnome since the Gnome 2 days, which ended in 2011.

Cinnamon is technically based on Gnome 3, but at this point it has grown apart so much that it is not the same at all, and extensions are not compatible.

I've been so happy with the out of the box Cinnamon experience on Mint, that I haven't had any need to mess with it, and have spent my time elsewhere.
 
Hmmm.....
 
Back in the CentOS days, I ran KDE for 5.x since it was exactly as I wanted it to be, having come up on Red Hat and later, Fedora.

I even used it during my CentOS 6.x days, but once I switched to 7.x, it seems that they really dumbed down the interface to the point where it became an inconvenience for me.

These days, with my 7.x system, I use GNOME. I really don't like it that much, but I can navigate my way through it faster than I can with today's "improved" KDE interface.

I really wish the KDE folks hadn't changed things, since it was perfect the way it was before.

Now that CentOS has gone to "CentOS Stream," I'm probably going to use Alma Linux. I honestly don't know what will be available with it...
 
Back in the CentOS days, I ran KDE for 5.x since it was exactly as I wanted it to be, having come up on Red Hat and later, Fedora.

KDE 6 was literally only released under KDE Neon (KDE's own distro, with a rolling release DE) about a week ago, before that it was all KDE 5.x. I'm confused by your comment, as a little over a week ago I was running KDE 5.27.
 
The funny thing is I'd actually wondered early on when installing Kubuntu about the scope themes have in terms of what they can modify and couldn't find any docs about it. So I just left it at stock. I suppose this just sadly confirms concerns.

Edit: actually looking through my notes I saved this Ask Fedora page which claims any installed via the official store are 'safe' and act only like CSS changes. While now KDE's statement directly contradicts this, saying they can run arbitrary code and are short-staffed to review them.
 
The funny thing is I'd actually wondered early on when installing Kubuntu about the scope themes have in terms of what they can modify and couldn't find any docs about it. So I just left it at stock. I suppose this just sadly confirms concerns.

Edit: actually looking through my notes I saved this Ask Fedora page which claims any installed via the official store are 'safe' and act only like CSS changes. While now KDE's statement directly contradicts this, saying they can run arbitrary code and are short-staffed to review them.

There is, and has been since before KDE 6, a warning when downloading new global themes via Settings > Colors and Themes > Global Theme > Get New...
 

Attachment: KDE theme warning.png
There is, and has been since before KDE 6, a warning when downloading new global themes via Settings > Colors and Themes > Global Theme > Get New...
This message is very low information though, just a vague statement about functionality and stability. One could put the same message on something that was indeed just CSS-like changes (e.g. due to the ability of OS updates that may break styling and lead to unexpected UI glitches—this actually happens on Windows sometimes with custom MSStyles theme files).

OTOH since there's the possibility to run arbitrary commands like rm -rf and without any interaction that's a very different type of risk. I couldn't find this information about what scope themes had when I searched earlier and from my linked thread it seems others think it's limited to just safe, stylistic changes.
 
This message is very low information though, just a vague statement about functionality and stability. One could put the same message on something that was indeed just CSS-like changes (e.g. due to the ability of OS updates that may break styling and lead to unexpected UI glitches—this actually happens on Windows sometimes with custom MSStyles theme files).

OTOH since there's the possibility to run arbitrary commands like rm -rf and without any interaction that's a very different type of risk. I couldn't find this information about what scope themes had when I searched earlier and from my linked thread it seems others think it's limited to just safe, stylistic changes.

I agree, the wording of the warning reads like KDE devs are simply trying to avoid responsibility for any malicious activity. However, it does state "the software hasn't been reviewed by your distributor for functionality"...

...Meaning installing the global theme could result in any number of dire outcomes, although I admit the thought never crossed my mind that the process of installing a global theme could result in the execution of rm -rf on your behalf. I'm glad I didn't install it, TBH I've since deleted any third party themes from my system - I'm quite happy with a tweaked default Breeze dark theme.
 