Incident with KDE theme deleting user files

The KDE Project has recommended against installing unofficial global themes and widgets for KDE following an incident involving the deletion of all personal files from a user who installed the Gray Layout theme from the KDE Store, with approximately 4000 downloads. It is believed that the incident was not caused by malicious intent, but by a bug related to the unsafe use of the "rm -rf" command.

KDE global themes provide the ability to use plasmoids that run arbitrary commands, which can be used to delete files, among other things. When using constructs like β€œrm -rf $VAR/*” in code, a situation may arise when the $VAR variable is uninitialized, which will lead to the actual execution of the β€œrm -rf /*” command. Previously, similar errors appeared in the initialization scripts of Squid, Steam and bumblebee.

The incident is associated with calling code from the PlasmaConfSaver widget, which contains a save.sh script that deletes old configuration files left over from the last installation. Files are deleted with the command β€œrm -Rf β€œ$configFolder”, despite the fact that the code does not check the setting of the $configFolder variable, the value of which is passed through the command line argument (β€œconfigFolder=$2”). The code was originally designed for use in KDE 5, but due to changes in KDE 6, the logic for calling handlers could be broken and the variable would end up with a value that would delete all user data (for example, instead of running β€œsh save.sh somepath/ ..." the code β€œsh save.sh somepath / ...” could have been executed, resulting in the value β€œ/” in the configFolder variable.

The KDE developers intend to audit third-party themes posted to the KDE Store directory to identify similar errors, and also organize warnings when installing themes posted by third-party users. Additionally, the issue of introducing pre-screening of projects hosted in the KDE Store is discussed in order to counter the targeted placement of themes by attackers aimed at performing malicious actions, such as stealing sensitive data and running processes to spoof crypto wallet numbers on the clipboard.

Typically, many users do not assume that code may be executed when installing a theme, so they do not pay due attention to security when installing themes. Global themes not only affect the appearance, but also change the behavior of Plasma and can include their own implementations of screen lockers and applets, i.e. components that execute the code. Due to a lack of resources, projects posted in the KDE Store directory are not verified in any way and are placed solely on the basis of trust, despite the fact that anyone can register in the directory.

Source: opennet.ru

Buy reliable hosting for sites with DDoS protection, VPS VDS servers πŸ”₯ Buy reliable website hosting with DDoS protection, VPS VDS servers | ProHoster