Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tarball missing for 10 days #17

Closed
jrmarino opened this issue Aug 6, 2018 · 7 comments
Closed

Tarball missing for 10 days #17

jrmarino opened this issue Aug 6, 2018 · 7 comments

Comments

@jrmarino
Copy link

jrmarino commented Aug 6, 2018

On the main website https://www.cabextract.org.uk/libmspack/, this is printed:
"The latest release of libmspack is libmspack 0.7alpha, released on 25 July 2018."
which has a link to "https://www.cabextract.org.uk/libmspack/libmspack-0.7alpha.tar.gz"

which does not exist.

Not Found
The requested URL /libmspack/libmspack-0.7alpha.tar.gz was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

I thought maybe the file had to get re-rolled, but after 10 days, either you guys aren't aware the file is missing or there's a major issue in which an adjustment of the website is necessary, I would think.

If it's just a bad link, can you fix it?
@kyz
Copy link
Owner

kyz commented Aug 8, 2018
edited
Loading

The problem is my own ISP is intentionally deleting the release, because my ISP are idiots, and they scan all files uploaded for "viruses", and ClamAV is telling them the file test/test_files/chmd/cve-2015-4467-reset-interval-zero.chm is a BC.Legacy.Exploit.CVE_2012_1458-1 "virus".

CVE-2012-1458 and CVE-2015-4467 are the same exploit for the same lines of code in chmd.c, the former reported only to ClamAV and the latter reported to me.

In other words, the test file I intentionally include to prove that libmspack is no longer exploitable by a 6 year old exploit, is still in ClamAV's database as something that can be used to exploit 6 year old copies of ClamAV, and therefore that's a "virus", which will continually block and prevent the release of the latest libmspack 0.7

Thanks a bunch, ClamAV.

@jrmarino
Copy link
Author

jrmarino commented Aug 8, 2018

now there's a valid use of a facepalm

@kyz
Copy link
Owner

kyz commented Aug 9, 2018

libmspack 0.7.1alpha has been released. The only change over libmspack 0.7alpha is that it obfuscates the file which ClamAV objects to, so that ClamAV won't claim the release is "infected".

The file is deobfuscated during the build process, so libmspack can still be tested and proven not vulnerable to this old vulnerability.

@jrmarino
Copy link
Author

jrmarino commented Aug 9, 2018

thanks!

@jrmarino jrmarino closed this as completed Aug 9, 2018
@micahsnyder
Copy link
Contributor

Sorry about that Stuart! I think we had a similar issue back in the day (long before my time) with the non-malicious test samples we use in unit testing. Ours are also generated now to prevent ClamAV from flagging its own tarball.

By the way, I'd like to collaborate more closely with you in the future, particularly with regards to vulnerability reports and such. Feel free to PM me on Twitter (@0xC0000063) or by email (micasnyd -at- cisco -dot- com).

@Whissi
Copy link

Whissi commented Oct 6, 2018
edited
Loading

Sorry, this was a Gentoo build issue. We now have to copy sources and can no longer do out-of-source builds. Not a big deal.

@jrmarino
Copy link
Author

jrmarino commented Oct 6, 2018

Which has nothing to do with the original issue though. Open a new issue next time ...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@kyz @Whissi @jrmarino @micahsnyder