1.13.1 on website has misleading version number #726
Comments
lol, and wtf the latest commit 03ca628 results in a
Yeah, I couldn't reproduce the vulnerability with the latest release. I think the version label is just wrong...
@zorgiepoo It's unlikely that there'd be a mistake in the version. How are you trying to reproduce? I've been trying to reproduce as well with bettercap and failing when I know VLC is vulnerable, so just because you can't reproduce doesn't mean it's not vulnerable.
Sorry for the confusion. I forgot to bump version number in master. It's not vulnerable, it was just showing old version number. |
You can run
on a copy of the framework to test whether the binary contains the fix. If it returns "Binary file … matches" it's safe. |
@pornel I'm not entirely convinced. Even if you forgot to bump the minor version number in master, that doesn't change the fact that your automated build script stamped it with a commit that came before the fix. What is the
I tested inserting the ftp:// and file:// URLs in an appcast that the blog post mentions, which worked on an older version of Sparkle but not on the latest one that was on the release page; I used the included test app.
The string that was added was
The build with these fixes was created a week before these commits were created. The commits were added later when we were ready to disclose the vulnerability. Please ignore the hash in the version tag.
Oops, that was just a typo on my part.
I see, so there must've been unstaged changes on top of 2afc553 when you created it?
@taoeffect You're mixing things up. The commit you've linked to is for local file disclosure via remote entities, and it is included in the binary.
I downloaded this from the homepage: https://github.com/sparkle-project/Sparkle/releases/download/1.13.1/Sparkle-1.13.1.tar.bz2
Get Info reveals version:
1.13.1 git-2afc553
Commit 2afc553 is before the merged fixes took place in 0fe520f.
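The question in this thread is whether a commit stamped into a build's version string (here `git-2afc553`) already contains a given fix commit (here 0fe520f). The script below is an added example, not Sparkle's build tooling: it parses a `git-<hash>` stamp and asks git whether the fix is an ancestor of the stamped commit with `git merge-base --is-ancestor`. It constructs a throwaway repository inline so it runs offline; the tag names `before_fix`, `fix` and `after_fix` and the commit messages are assumptions, and the real Sparkle hashes are not reproduced. Note the caveat the maintainers raise above: an ancestry check only tells you what the stamped commit contains, not whether the binary was built from uncommitted changes on top of it.

```shell
#!/bin/sh
# Added example (not Sparkle's code): decide from a version stamp such as
# "1.13.1 git-2afc553" whether the stamped commit already contains a fix.
set -eu

# extract_stamp_commit "<version> git-<hash>" -> "<hash>"
# Prints nothing if the stamp carries no git-<hash> suffix.
extract_stamp_commit() {
    printf '%s\n' "$1" | sed -n 's/.*git-\([0-9a-f]\{7,40\}\).*/\1/p'
}

# build_contains_fix <repo> <fix_commit> <build_commit>
# Prints "yes" when fix_commit is an ancestor of (or equal to) build_commit,
# i.e. the fix is part of the history the build was made from; "no" otherwise
# (also "no" when either revision is unknown to the repository).
build_contains_fix() {
    if git -C "$1" merge-base --is-ancestor "$2" "$3" 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# stamp_contains_fix <repo> "<version> git-<hash>" <fix_commit>
# Convenience wrapper: parse the stamp, then run the ancestry check.
stamp_contains_fix() {
    stamp_commit=$(extract_stamp_commit "$2")
    if [ -z "$stamp_commit" ]; then
        echo no
        return
    fi
    build_contains_fix "$1" "$3" "$stamp_commit"
}

# make_demo_repo: constructed history for the demonstration (assumed layout):
#   before_fix  - a release-era commit that predates the fix
#   fix         - the commit carrying the fix
#   after_fix   - a later commit (e.g. a version bump) on top of the fix
# Prints the path of the new repository.
make_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" config user.name demo
    git -C "$dir" config user.email demo@example.invalid
    git -C "$dir" commit -q --allow-empty -m "1.13.0 release"
    git -C "$dir" tag before_fix
    git -C "$dir" commit -q --allow-empty -m "Reject file:// and ftp:// appcast URLs"
    git -C "$dir" tag fix
    git -C "$dir" commit -q --allow-empty -m "Bump version"
    git -C "$dir" tag after_fix
    printf '%s\n' "$dir"
}

# Stand-alone demonstration: stamp a build with the pre-fix commit's short
# hash (the situation described in this issue) and with the post-fix one.
demo() {
    repo=$(make_demo_repo)
    old=$(git -C "$repo" rev-parse --short before_fix)
    new=$(git -C "$repo" rev-parse --short after_fix)
    echo "1.13.1 git-$old contains fix: $(stamp_contains_fix "$repo" "1.13.1 git-$old" fix)"
    echo "1.13.1 git-$new contains fix: $(stamp_contains_fix "$repo" "1.13.1 git-$new" fix)"
    rm -rf "$repo"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh check_stamp.sh demo` to see both outcomes. The first line prints `no`: a stamp pointing at a commit before the fix does not contain it, which is exactly why the `git-2afc553` label in the 1.13.1 tarball looked alarming, regardless of what the binary actually contained.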