- args->endp - args->begin_argv + consume);
+ args->endp - (args->begin_argv + consume));
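Review bot: the `-` line's length is parsed as `(args->endp - args->begin_argv) + consume`, which is larger than the intended tail length `args->endp - (args->begin_argv + consume)` by exactly `2 * consume` bytes, so the `+` line's parentheses are the right fix. Consider naming the quantity in a local, e.g. `tail = args->endp - (args->begin_argv + consume);`, and checking `consume <= args->endp - args->begin_argv` before it is used as a length, so that the invariant is visible and enforced rather than encoded in operator precedence.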
tbh I've considered simply banning math-operator-precedence in projects I work on, and requiring all mixed-operator code to use parentheses or split to multiple statements. I do that myself, at least.
I've seen so many mistakes from it, and seen people spend so much pointless and avoidable time deciphering and verifying it, it really doesn't seem worth it (in most code) for the extremely minor character savings.
a - b - c
is order dependent, even if it's deterministic and knowable. When I'm scanning the code to look for a pesky bug, I don't wanna have to take extra seconds to convince myself that it's doing what I expect. It steals time and my limited attention from more interesting sections of code.
At this point you just require every compound infix expression to be parenthesised, the terseness isn't worth the inconsistency. Especially as, as others have noted, these operations are only associative when working in some classes (notably not necessarily when dealing with floats).
And then you do automatic parens insertion in the LSP, so you write
a - b - c
and when you save the LSP fixes it up to (a - b) - c
But yes, I personally parenthesize `a-b-c` explicitly, because it's not worth it for me to read and wonder if parenthesizing order matters later. Costs less than a second to write, saves a second or ten each time I read it - that's an excellent tradeoff imo, and is a trivial pattern to follow.
(Associative operators are fine, obviously)
Yeah that's pretty much exactly what I do by hand. I should really give Pony a try some time... there's a lot of stuff in it that I like.
Here the expressions are pure, OoE has nothing whatsoever to do with the issue.
Check out our blog post for a fun walkthrough: https://blog.calif.io/p/cve-2026-7270-how-i-get-root-on-free...
AI-generated working exploit, write-up and prompts: https://github.com/califio/publications/tree/main/MADBugs/fr...
All that to say, the BSD userbase has a sizeable subset that are there for countercultural reasons, rather than technical. These are the people who buy into, say, OpenBSD's vaunted security reputation, or believe that "linux bad because reasons", so you're always going to get people in here bragging, because "not using linux" has become part of their identity.
I run a mix of FreeBSD and Linux on my personal devices. The ground truth is that FreeBSD is yet another unix-like OS written in C, and thus not immune from the types of bugs that stem from that lineage. None of the BSD distros are materially more secure or better than a properly-configured and patched Linux.
> thus not immune from the types of bugs that stem from that lineage
They never claimed that FreeBSD didn't have vulnerabilities. I honestly have no idea why grandparent decided to bring up their comment when it exactly validates what the person they were criticising says. GP admits the response to the vulnerability was well-coordinated. The response to security vulnerabilities was the exact, and only, subject of the post they're calling out.
I use Linux as well but I really like FreeBSD for a number of technical reasons. Like the ports collection, the jails, the first-class citizen ZFS.
And Gnome 3 doesn't really have anything to do with Linux. It is also available for FreeBSD if you want it (I don't, I hate the minimalist opinionated design style so I use KDE, also on Linux).
But I use Linux on servers where I run docker for example. It's not about "not using linux".
There's a very hard push on getting Gnome 3 aligned to systemd. Gnome is actually my preferred DE on Linux when I choose to use one. But compatibility with Unix systems is becoming harder every day.
From the gnome team this was to be expected because they are beholden to RedHat/IBM and the other big distros who push systemd heavily. But from the KDE team I didn't expect it.
I've stopped my monthly KDE donations for this reason. Just to send a message that this isn't ok.
I've tried to use it but I found it pretty difficult for systems that need a GUI. Maybe I should revisit.
sysutils/vm-bhyve makes it quite friendly.
I wouldn't use it for work, though, just personal. Work is all enterprisey kubernetes stuff.
Edit: there is a 'proxmox-like' for FreeBSD out [0] -- I did try it on a couple machines and couldn't get the network working, but consoles seemed to work.. Kinda.
For me it's all personal too. For work we still use VMWare a lot.
memmove(args->begin_argv + extend, args->begin_argv + consume,
args->endp - args->begin_argv + consume); // ← bug
C code like this is why we can't have nice things. Arithmetic operation in the arguments of a dangerous function call with no explicit bounds check.
> No workaround is available.
Oh dear.
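As an added illustration of the precedence slip in the diff at the top of the thread and the quoted memmove (example code written for this page, not from the advisory, the FreeBSD source, or any commenter): a constructed stand-in for the argument buffer, the `-` and `+` length expressions evaluated side by side, and a bounds-checked shift that names the tail length and refuses out-of-range requests before memmove sees them. `struct argbuf`, `argbuf_init`, `shift_args` and the sample bytes are assumptions for the example; only the shape of the two expressions comes from the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the argument buffer the quoted memmove works on.
 * Only [begin_argv, endp) is live; buf is the backing storage. Field names
 * follow the thread, the struct itself is constructed for this example. */
struct argbuf {
    char  buf[64];
    char *begin_argv;
    char *endp;
};

static void argbuf_init(struct argbuf *a, const char *bytes, size_t n)
{
    memset(a->buf, 0, sizeof a->buf);
    memcpy(a->buf, bytes, n);
    a->begin_argv = a->buf;
    a->endp = a->buf + n;
}

/* Length as written in the "-" line: C parses it as (endp - begin_argv) + consume. */
static size_t len_buggy(const struct argbuf *a, size_t consume)
{
    return a->endp - a->begin_argv + consume;
}

/* Length as written in the "+" line: the bytes from begin_argv + consume up to endp. */
static size_t len_fixed(const struct argbuf *a, size_t consume)
{
    return a->endp - (a->begin_argv + consume);
}

/* Bytes the buggy length would copy past endp: always 2 * consume. */
static size_t overshoot(const struct argbuf *a, size_t consume)
{
    return len_buggy(a, consume) - len_fixed(a, consume);
}

/* Hardened shift: drop `consume` bytes from the front of the live region and
 * open `extend` bytes in their place. Every derived quantity is named and
 * checked before memmove runs; returns false instead of copying out of bounds. */
static bool shift_args(struct argbuf *a, size_t consume, size_t extend)
{
    size_t live = (size_t)(a->endp - a->begin_argv);
    if (consume > live)
        return false;                      /* source would start past endp */
    size_t tail = live - consume;          /* == endp - (begin_argv + consume) */
    size_t room = sizeof a->buf - (size_t)(a->begin_argv - a->buf);
    if (extend > room || tail > room - extend)
        return false;                      /* destination would pass end of buf */
    memmove(a->begin_argv + extend, a->begin_argv + consume, tail);
    a->endp = a->begin_argv + extend + tail;
    return true;
}

/* Constructed sample: ten live bytes, consume three. Returns the overshoot. */
size_t demo_overshoot(void)
{
    struct argbuf a;
    argbuf_init(&a, "abcdefghij", 10);
    return overshoot(&a, 3);               /* 13 - 7 = 6 */
}

/* Returns 1 if the hardened shift behaves: the valid move succeeds with the
 * right bytes left in place, and both out-of-range requests are refused. */
int demo_shift(void)
{
    struct argbuf a;
    argbuf_init(&a, "abcdefghij", 10);
    if (!shift_args(&a, 3, 0))
        return 0;
    if (a.endp - a.begin_argv != 7 || memcmp(a.begin_argv, "defghij", 7) != 0)
        return 0;
    if (shift_args(&a, 8, 0))              /* consume (8) > live (7) */
        return 0;
    if (shift_args(&a, 0, 60))             /* 7 tail bytes do not fit after 60 */
        return 0;
    return 1;
}

int main(void)
{
    printf("buggy length overshoots endp by %zu bytes\n", demo_overshoot());
    printf("hardened shift ok: %d\n", demo_shift());
    return 0;
}
```

The point of `shift_args` is not the parentheses but that the tail length and the available room exist as named values that are compared before the copy, which is the explicit bounds check the comment above complains is missing.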
> Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system.
Not everyone can just freebsd-update and reboot, so yes, "Oh dear." is a good response to this.
You should treat any system where non-admins regularly login as basically insecure/owned and rig your architecture appropriately.
TBH -- I don't have any of these kinds of boxes anymore. Who is really running anything like this in 2026 and for what purpose?
The systems should be cut off from sensitive administrative data, but a malicious student would at the very least have access to the other students' data with an LPE.
> Who is really running anything like this in 2026 and for what purpose?
Am I parsing your question correctly?
My point is that if you do, you probably shouldn't run, e.g., applications which need production db credentials, or hold sensitive data on these boxes, or .. whatever.
Edit: I use FreeBSD extensively, for various things -- but shell access to them is restricted to the sysadmins..
often it's ssh'able with things like rbash and other restrictions and almost always you, well, can run something there (as you can edit php/other files right from web management ui).
Hordes of this (in Linux world).
Accept that everything is broken and terrible and yet somehow find a way to keep a sense of humor and smile about it.
The recent two. FailCopy and DirtyFrag and FreeBSD with Execve.
2 - Linux 1 - FreeBSD.
Of course, all OS have had past-time exploits. Three now have made the news.
Three. I don't know if this has a name yet... https://news.ycombinator.com/item?id=48067734
Naturally they don't do blog posts about what they find.
But windows still has a root and a lower privilege user. You typically need to click on "run as admin" to elevate privileges to, for example, alter system binaries.
If he talked about Android, I would have mentioned Project Zero.
Don't twist the meaning of posts.