Warning: Global themes / widgets in KDE Store, can execute arbitrary code.

sangheeta

Harvey

Flarum's embedding of reddit posts seems broken or it is for me at least.

Here is the title and link:
Global themes and widgets created by 3rd party developers for Plasma can and will run arbitrary code. You are encouraged to exercise extreme caution when using these products.

EbonJaeger

Harvey if you're blocking ads and/or trackers, the embed gets blocked.

brent

I read about this today. Fascinating. If the CSS has an .sh then the .sh executes a rm -some.destructive.argument.command and nukes system. I mean it's a ***tty prank to be sure like flaming poop on a doorstep. not out to steal data that I can see.

Why there is no daily audit/CVE inspection is alarming.

Lastly---see last comment in the thread pic. Shows a liability waiver popup when you download which is weird for kde-curated site but I have no idea if these wallpapers exist as an official or unofficial site.

Justin

brent Why there is no daily audit/CVE inspection is alarming.

The incident wasn'ta security issue, just bad code.

As posted above, reviewing every single piece of code uploaded to the Pling store would be practically impossible.

Axios

I think they should disable those or fix it asap something that can hose your system like that
is not good public relations.
Makes you wonder how other DE fair

Harvey

From what I have heard it wasn't intentionally malicious. Doesn't change the end result tho.

Auditing every submission they get is never happening, there are far to many. However nothing categorised as a theme should be permitted to contain executable code. It is not what people expect and KDE seem to agree there is a disconnect here. https://blog.davidedmundson.co.uk/blog/kde-store-content/

Where as a simple Plasma colour scheme is nothing more than a themename.colors file containing stuff like this:

[Colors:Selection]
BackgroundAlternate=60,120,255
BackgroundNormal=60,120,255
DecorationFocus=60,120,255
DecorationHover=16,166,212

It is read by the system and applied, no execution of commands should be possible here. It just parses key:value pairs if its invalid it will fail. The issue is Global Themes are apparently allowed to pull in more stuff because you may want to change the system menu / calendar etc as one pack and that stuff is executable code.

When it comes to installing plasmoids / widgets / extensions to plasma that is different. I have no objections there. Just like you should not install anything from the AUR you haven't personally reviewed you shouldn't just install a plasmoid from the KDE store without reviewing it either.

brent

Harvey . However nothing categorised as a theme should be permitted to contain executable code.

that's the moral of the story I'm seeing as well.

Harvey Auditing every submission they get is never happening, there are far to many.

I did not know if that was realistic or if I was cognizant of the sheer volume of fan-derived stuff.

Harvey just like you should not install anything from the AUR you haven't personally reviewed

how true--aur has a dedicated transparency page for each package. do plaz users get that opportunity I wonder?

thanks for another eye-opener, harvey
edit/sp

Harvey

brent aur has a dedicated transparency page for each package. do plaz users get that opportunity I wonder?

Yes. Items in the store link to the code repository or you can download the tar / plasmoid file and inspect its contents before installing.