-
Notifications
You must be signed in to change notification settings - Fork 42
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tarball missing for 10 days #17
Comments
The problem is my own ISP is intentionally deleting the release, because my ISP are idiots, and they scan all files uploaded for "viruses", and ClamAV is telling them the file CVE-2012-1458 and CVE-2015-4467 are the same exploit for the same lines of code in In other words, the test file I intentionally include to prove that libmspack is no longer exploitable by a 6 year old exploit, is still in ClamAV's database as something that can be used to exploit 6 year old copies of ClamAV, and therefore that's a "virus", which will continually block and prevent the release of the latest libmspack 0.7 Thanks a bunch, ClamAV. |
now there's a valid use of a facepalm |
libmspack 0.7.1alpha has been released. The only change over libmspack 0.7alpha is that it obfuscates the file which ClamAV objects to, so that ClamAV won't claim the release is "infected". The file is deobfuscated during the build process, so libmspack can still be tested and proven not vulnerable to this old vulnerability. |
thanks! |
Sorry about that Stuart! I think we had a similar issue back in the day (long before my time) with the non-malicious test samples we use in unit testing. Ours are also generated now to prevent ClamAV from flagging its own tarball. By the way, I'd like to collaborate more closely with you in the future, particularly with regards to vulnerability reports and such. Feel free to PM me on Twitter (@0xC0000063) or by email (micasnyd -at- cisco -dot- com). |
Sorry, this was a Gentoo build issue. We now have to copy sources and can no longer do out-of-source builds. Not a big deal. |
Which has nothing to do with the original issue though. Open a new issue next time ... |
On the main website https://www.cabextract.org.uk/libmspack/, this is printed:
"The latest release of libmspack is libmspack 0.7alpha, released on 25 July 2018."
which has a link to "https://www.cabextract.org.uk/libmspack/libmspack-0.7alpha.tar.gz"
which does not exist.
I thought maybe the file had to get re-rolled, but after 10 days, either you guys aren't aware the file is missing or there's a major issue in which an adjustment of the website is necessary, I would think.
If it's just a bad link, can you fix it?
The text was updated successfully, but these errors were encountered: