> The version of Ghostscript was from 2012 and this allowed a specially crafted PDF file to execute a SUID binary and the attacker to gain access.
I don't care what version of Freebsd you're using. If your webapp is running Ghostscript against user-supplied data without doing so in a throwaway VM or at least container of some sort, no amount of updating will save you. That is an insane piece of software to be feeding untrusted input to without wearing a condom.
vermaden · 4d ago
Not from 2019 - from 2014.
FreeBSD 10.1 was released in 2014 and reached EoL in 2018.
I can compile FreeBSD 10.1 today and the displayed date by `uname` will be 2025 - that does not mean that code is from 2025 - only that it was compiled in 2025.
Hope that helps.
stiray · 4d ago
Such high profile target without security patches for system and probably outdated pkgs/ports for at least 3 years, I am actually surprised they survived that long.
hhh · 4d ago
They survived for a decade like this. Since it was sold, basically. Only since sharty has become a dedicated adversary did it become a problem for them.
There’s a billion other issues too, i’d be surprised if it’s not gone again very soon.
riffraff · 4d ago
The title here says 2019 but the linked page says 2014. This confused me for a bit.
Squossifrage · 4d ago
10.1 was released in 2014 and reached EOL in 2016. The screenshot appears to show a 10.1-p45 kernel that was built from December 2016 sources in September 2019, at a time when the latest release was 11.3. However, the Subversion revision number in the screenshot (r272678M) does not match any point on the stable/10 or releng/10.1 branches. To get that uname line, assuming neither the version string nor the screenshot have been manipulated, you'd have to have checked out the head (development) branch from Subversion, synced it to r272678¹ (11.0-CURRENT, October 2014), then replaced some or all of the tree (but not the Subversion metadata) with the tip of the releng/10.1 branch before building and installing a kernel in 2019.
I know we don't comment on formatting here, but WTF is this website?? I can't tell whether this is some early AI experiment or just someone trying to imitate the slang used on 4chan, and also there are ads covering literally two thirds of my screen. It almost feels like a parody. Is it?
unsnap_biceps · 4d ago
Look at other posts, they read similarly weirdly. I think it's just someone who is deeply in the 4chan orbit and communicates in that style.
wobfan · 4d ago
I don’t get it either. I stopped reading when it said the third time „this isn’t hard at all“ at first. Like, there are so many redundant and incredibly short sentences, I had a very hard time to read.
The whole message of this post could’ve been put into two structured sentences.
I don't care what version of Freebsd you're using. If your webapp is running Ghostscript against user-supplied data without doing so in a throwaway VM or at least container of some sort, no amount of updating will save you. That is an insane piece of software to be feeding untrusted input to without wearing a condom.
FreeBSD 10.1 was released in 2014 and reached EoL in 2018.
I can compile FreeBSD 10.1 today and the displayed date by `uname` will be 2025 - that does not mean that code is from 2025 - only that it was compiled in 2025.
Hope that helps.
There’s a billion other issues too, i’d be surprised if it’s not gone again very soon.
¹ https://cgit.freebsd.org/src/commit/?id=e15d3f3c0978fad0ebbc...
The whole message of this post could’ve been put into two structured sentences.