• rtxn@lemmy.worldM
    link
    fedilink
    English
    arrow-up
    112
    ·
    edit-2
    8 months ago

    For those not in the know: aussie man explains. A KDE Plasma 6 global theme deleted a user’s files. Global themes may contain arbitrary Javascript code, and a bug (using a library written for Plasma 5) caused it to essentially run rm -rf /*, Steam-style. KDE have since removed the theme and are considering next steps to warn the user that the “official” KDE store contains user-submitted content, and that some addons may contain potentially dangerous code.

    • KuroeNekoDemon@sh.itjust.worksOP
      link
      fedilink
      arrow-up
      38
      ·
      edit-2
      8 months ago

      I still remember that video I watched where a line in the Steam code back in the day was titled SCARY!!! and it was rm -rf $STEAMROOT. This nuked a guy’s computer because short answer $STEAMROOT was actually / root, long answer here’s the video. This nuked both his PC and his external drive that is some pretty bad code but this JavaScript code is up there

      • rtxn@lemmy.worldM
        link
        fedilink
        English
        arrow-up
        41
        ·
        8 months ago

        That’s the issue I linked. The problem was that at some point a script executed rm -rf "$STEAMROOT/*", but did not make sure that $STEAMROOT was set. If for some reason it was empty, the path became /* after substitution.

      • PipedLinkBot@feddit.rocksB
        link
        fedilink
        English
        arrow-up
        5
        ·
        8 months ago

        Here is an alternative Piped link(s):

        video

        Piped is a privacy-respecting open-source alternative frontend to YouTube.

        I’m open-source; check me out at GitHub.

      • rtxn@lemmy.worldM
        link
        fedilink
        English
        arrow-up
        4
        ·
        8 months ago

        It should only affect Plasma 6 because of some breaking change to how a Javascript function returns a path.

      • NekuSoul@lemmy.nekusoul.de
        link
        fedilink
        arrow-up
        4
        ·
        8 months ago

        This particular issue was caused by a breaking change in Plasma 6 and bad handling in a specific global theme.

        The general security concerns that were being brought to light however apply to all versions.