I would also say don't run ghostscript with the same permissions as the web server, especially not if you can just hand it your PDF through stdin and take a PNG through stdout. Sandbox it as much as possible. PDF is a really complex format which means lots of opportunities for buffer overruns and the like. (Edit: Actually, reading through Arch-TK's post above, it sounds like it was much dumber than something like a buffer overrun.)
Newer Ghostscript versions are Affero GPL, that might be a problem for some people, although probably not for 4chan (they don't modify it so it should be fine)
(incidentally I am now working on compiling this old GPL ghostscript to webassembly with file isolation... it works fine... but the compilation is kind of annoying)
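One way to implement the stdin-in, stdout-out, sandboxed Ghostscript invocation the comment above recommends. This is an added example, not code from the thread or from the Ghostscript project; it assumes `gs` is on PATH and that the wrapper itself runs under a dedicated unprivileged account rather than the web server's user.

```python
"""Render page 1 of an untrusted PDF to PNG via Ghostscript on stdin/stdout.

Assumptions (not from the thread): `gs` is on PATH, and this wrapper runs
under a dedicated low-privilege account, never the web server's own user.
"""
import resource
import shutil
import subprocess

MAX_PDF_BYTES = 20 * 1024 * 1024   # refuse oversized uploads before spawning gs
GS_TIMEOUT_S = 20                  # wall-clock cap; a stuck render gets killed
GS_MEM_BYTES = 512 * 1024 * 1024   # address-space cap for the child process
GS_FILE_BYTES = 64 * 1024 * 1024   # cap on any regular file gs might write


def gs_render_command(dpi: int = 72) -> list[str]:
    """Argument vector: PDF arrives on stdin ("-"), PNG leaves on stdout ("-")."""
    return [
        "gs",
        "-dSAFER",                  # restrict file/device access from the content;
                                    # not a sandbox on its own, so layer OS limits too
        "-dBATCH", "-dNOPAUSE", "-q",
        "-sDEVICE=png16m", f"-r{dpi}",
        "-dFirstPage=1", "-dLastPage=1",
        "-sOutputFile=-",           # PNG bytes go to stdout
        "-",                        # PDF bytes come from stdin
    ]


def _child_limits() -> None:
    """Runs in the child just before exec: cap memory, CPU time and file size."""
    resource.setrlimit(resource.RLIMIT_AS, (GS_MEM_BYTES, GS_MEM_BYTES))
    resource.setrlimit(resource.RLIMIT_CPU, (GS_TIMEOUT_S, GS_TIMEOUT_S))
    resource.setrlimit(resource.RLIMIT_FSIZE, (GS_FILE_BYTES, GS_FILE_BYTES))


def render_pdf_to_png(pdf: bytes, dpi: int = 72) -> bytes:
    """Return PNG bytes or raise. Input checks run before gs is ever spawned."""
    if len(pdf) > MAX_PDF_BYTES:
        raise ValueError("PDF exceeds size limit")
    if not pdf.startswith(b"%PDF-"):
        raise ValueError("input lacks a PDF header")  # cheap check, not a parser
    gs = shutil.which("gs")
    if gs is None:
        raise RuntimeError("gs not installed")
    cmd = [gs] + gs_render_command(dpi)[1:]
    proc = subprocess.run(
        cmd, input=pdf, capture_output=True, timeout=GS_TIMEOUT_S,
        preexec_fn=_child_limits, cwd="/", env={}, check=False,
    )
    if proc.returncode != 0 or not proc.stdout.startswith(b"\x89PNG"):
        raise RuntimeError(f"gs failed: {proc.stderr[:200]!r}")
    return proc.stdout
```

The rlimits and the empty environment are belt-and-braces on top of `-dSAFER`; a container, jail or seccomp profile around the whole wrapper is the layer that actually isolates it from the web server.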
> Don't run versions of ghostscript from 2012?
Per Wikipedia:
In February 2013, with version 9.07, Ghostscript changed its license from GPLv3 to GNU AGPL.
With the AGPL license being legal kryptonite I wonder if license compatibility drove the decision (and how many other installations of Ghostscript share this concern)?
> With the AGPL license being legal kryptonite I wonder if license compatibility drove the decision
Unlikely. There's a number of other strong indications that basic maintenance was being neglected, including shell transcripts showing that at least one server was running FreeBSD 10.1 (released in 2014, end-of-life in 2018), and PHP code using the mysql extension (which was deprecated in PHP 5.6 = 2014 and removed in PHP 7.0 = 2015).
It's probably not a coincidence that 4chan was sold to a new owner in 2015.
Not a lot of reputable advertisers want to associate themselves with 4chan I imagine.
4chan aren’t modifying the Ghostscript code, why would they care about the license?
uninformed or malicious FUD.
agpl is no different than gpl if you're distributing applications. if you host the functionality of the application with improvements then it's rightly so kryptonite and you deserve it.
Sad to see less and less AGPL code out there. It's truly one of the best licenses to prevent the SV MO of taking shit they didn't make and selling it as if they did.
I just relicensed a bunch of old code to AGPL, probably with little practical effect since it's old code: https://www.immibis.com/blog/relicensing
Does this vuln have a CVE number, or other details? Just curious, since from the posts explaining things this doesn't seem to be based on memory corruption.