| Summary: | Downloaded image does not check out from one of the mirrors | | |
|---|---|---|---|
| Product: | Gentoo Infrastructure | Reporter: | Philippe Trottier <tchiwam> |
| Component: | Other web server issues | Assignee: | Gentoo Infrastructure <infra-bugs> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | whissi |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | AMD64 | | |
| OS: | Linux | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=695860 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | mirror_kernel_org-blocked-safebrowsing_201901141800.jpg | | |
Description
Philippe Trottier
2019-01-04 22:59:14 UTC
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e is the SHA512 for an empty file. I'm going to pull from all of the mirrors to verify the content.

Thank you. OK, now I feel dumb. And I may explain why: the virus warning from Firefox never renamed the .iso.part to .iso.

Do you still have that .iso.part file?
- What size is it?
- Does it have extended attributes that recorded where it was downloaded from?
- What does the 'file' tool say about it?

The file is gone, a 2nd try went over it; I initially thought it was just another failed download. But it failed again in Firefox and the message was a normal failure that allowed a restart. I then went to wget as I need to get this new machine installed. The size of the file was close enough to fool me and it was marked as complete in Firefox. I am very sorry that I did not keep it for further analysis.

All [1] of the bouncer mirror endpoints (19 of them) return the correct file, or at least the first part of it [2].

[1] Specific value of all: some mirrors are externally managed CDNs, and I can't test every CDN point of presence.
[2] I did detect the Evowise CDN doing an early truncation of the file in some cases. But that first part was correct.

I mocked the headers to look like Firefox, in case the service served a different result to Wget/curl clients.

This leaves a few possibilities:
- You were browsing the page, and the actual link you had clicked for the download didn't really go to bouncer.gentoo.org, but to a malicious site instead. This could be due to browser plugins, a malicious local adversary (page injection), or a couple of other attacks that are hard to detect.

That you got the virus or malware warning tells us a few possible things:
- the actual URL was on the safebrowsing blacklist
- it wanted to confirm the item was safe anyway due to mime type or file headers.

@philippe: one more question, where did you get the http://bouncer link? We've tried to replace all of them with https://

@ Philippe: With some luck you haven't cleaned your history yet. Please run
> $ sqlite3 places.sqlite "SELECT * FROM moz_places WHERE url LIKE '%20160704%' OR title LIKE '%20160704%'"
against your places.sqlite file (you said you used Firefox).
sqlite3 places.sqlite "SELECT * FROM moz_places WHERE url LIKE '%20160704%' OR title LIKE '%20160704%'"
12981|http://bouncer.gentoo.org/fetch/gentoo-20160704-livedvd/amd64/||gro.ootneg.recnuob.|4|1|0||82|1546637164952880|_H61R-w8q8Og|0|125510643763481||
12982|https://mirrors.kernel.org/gentoo//releases/amd64/20160704/|Index of /gentoo/releases/amd64/20160704/|gro.lenrek.srorrim.|2|0|1||1673|1546637299422904|KtWhkUo-OYEw|0|47359216456011||
12990|https://mirror.bytemark.co.uk/gentoo//releases/amd64/20160704/|Bytemark Hosting - Mirror|ku.oc.krametyb.rorrim.|1|0|0||82|1546636745205350|wq50rj9LaNHt|0|47358582965228||
12991|https://mirror.bytemark.co.uk/gentoo//releases/amd64/20160704/livedvd-amd64-multilib-20160704.iso.DIGESTS|livedvd-amd64-multilib-20160704.iso.DIGESTS|ku.oc.krametyb.rorrim.|0|0|0||0|1546636790614000|wpj9xuhEs1iZ|0|47359109875240||
12995|https://mirrors.evowise.com/gentoo//releases/amd64/20160704/|Index of /gentoo/releases/amd64/20160704/|moc.esiwove.srorrim.|1|0|0||82|1546637086552943|xEFelDVOT4tF|0|47356974890164||
12997|http://ftp.snt.utwente.nl/pub/os/linux/gentoo/releases/amd64/20160704/|Studenten Net Twente - Index of /pub/os/linux/gentoo/releases/amd64/20160704/|ln.etnewtu.tns.ptf.|1|0|0||82|1546637165251434|8tYKcCemFidh|0|125507903475623||
12998|http://ftp.snt.utwente.nl/pub/os/linux/gentoo/releases/amd64/20160704/livedvd-amd64-multilib-20160704.iso|livedvd-amd64-multilib-20160704.iso|ln.etnewtu.tns.ptf.|0|0|0||0|1546637168638247|nTyMLhNInWmg|0|125510156639855||
12999|https://mirrors.kernel.org/gentoo//releases/amd64/20160704/livedvd-amd64-multilib-20160704.iso.DIGESTS.asc||gro.lenrek.srorrim.|1|0|0||82|1546637313620887|SnrH7Xh_kPrP|0|47356321227240||

This is the dump, thank you for the command, very useful, sorry for the delay.
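An added example, not part of the thread: turning rows like the dump above into a readable timeline. It assumes `last_visit_date` is microseconds since the Unix epoch and that `rev_host` is the host name reversed with a trailing dot (as the dump shows); the in-memory table is a constructed stand-in for `places.sqlite` that holds four of the rows above and only the columns used here.

```python
import sqlite3
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Four rows copied from the dump in this thread: (id, url, rev_host, last_visit_date).
ROWS = [
    (12981, "http://bouncer.gentoo.org/fetch/gentoo-20160704-livedvd/amd64/",
     "gro.ootneg.recnuob.", 1546637164952880),
    (12982, "https://mirrors.kernel.org/gentoo//releases/amd64/20160704/",
     "gro.lenrek.srorrim.", 1546637299422904),
    (12998, "http://ftp.snt.utwente.nl/pub/os/linux/gentoo/releases/amd64/20160704/"
     "livedvd-amd64-multilib-20160704.iso", "ln.etnewtu.tns.ptf.", 1546637168638247),
    (12999, "https://mirrors.kernel.org/gentoo//releases/amd64/20160704/"
     "livedvd-amd64-multilib-20160704.iso.DIGESTS.asc", "gro.lenrek.srorrim.", 1546637313620887),
]

def build_db():
    """Constructed in-memory stand-in for places.sqlite (reduced column set)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, "
               "rev_host TEXT, last_visit_date INTEGER)")
    db.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?)", ROWS)
    return db

def timeline(db, needle):
    """Visited URLs containing `needle`, oldest first, with host, UTC time and scheme."""
    cur = db.execute(
        "SELECT id, url, rev_host, last_visit_date FROM moz_places "
        "WHERE url LIKE ? AND last_visit_date IS NOT NULL ORDER BY last_visit_date",
        (f"%{needle}%",),  # bound parameter instead of string-built SQL
    )
    visits = []
    for pid, url, rev_host, visited_us in cur:
        host = rev_host[::-1].lstrip(".")  # undo the reversal, drop the dot
        when = datetime.fromtimestamp(visited_us / 1_000_000, tz=timezone.utc)
        visits.append({"id": pid, "host": host, "when": when, "url": url,
                       "plain_http": urlsplit(url).scheme == "http"})
    return visits

if __name__ == "__main__":
    for v in timeline(build_db(), "20160704"):
        scheme = "HTTP " if v["plain_http"] else "https"
        print(v["when"].strftime("%Y-%m-%d %H:%M:%S"), scheme, v["host"], v["url"])
```

Run against a copy of the real `places.sqlite` rather than the live profile file, which Firefox keeps locked while it is running.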
Created attachment 560956
mirror_kernel_org-blocked-safebrowsing_201901141800.jpg

Thank you, this helped us find the flagged mirror: https://mirrors.kernel.org/gentoo//releases/amd64/20160704/

The flagged mirror is no longer flagged by Google, marking resolved.
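An added example, not part of the thread: a download check that separates the case diagnosed here (the hash of an empty file, with the payload left in a `.part` file) from a genuine content mismatch. The file names and payload are constructed, and the DIGESTS layout it parses (a `# SHA512 HASH` comment line followed by `<hex>  <name>` lines) is an assumption, since the page does not show that file.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA512 of zero bytes of input: the value quoted at the top of this thread.
EMPTY_SHA512 = hashlib.sha512(b"").hexdigest()

def expected_from_digests(text, filename):
    """SHA512 listed for `filename`, or None (assumed layout: '# SHA512 HASH'
    comment line, then '<hex>  <name>' lines until the next comment)."""
    in_sha512 = False
    for line in text.splitlines():
        if line.startswith("#"):
            in_sha512 = "SHA512" in line
        elif in_sha512 and line.split()[-1:] == [filename]:
            return line.split()[0].lower()
    return None

def sha512_file(path, chunk=1 << 20):
    """Hash in chunks so a multi-gigabyte ISO is never read into memory at once."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage(path, expected):
    """Classify a download: ok, empty-placeholder, empty-file or mismatch."""
    path = Path(path)
    digest = sha512_file(path)
    if expected is not None and digest == expected:
        return "ok"
    if digest == EMPTY_SHA512:
        part = path.with_name(path.name + ".part")  # browser's in-progress file
        if part.exists() and part.stat().st_size > 0:
            return "empty-placeholder"  # payload was never renamed into place
        return "empty-file"
    return "mismatch"

def demo():
    """Constructed sample: a zero-byte .iso beside a non-empty .iso.part."""
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d) / "sample.iso"
        iso.write_bytes(b"")
        (Path(d) / "sample.iso.part").write_bytes(b"constructed payload")
        good = hashlib.sha512(b"constructed payload").hexdigest()
        digests = f"# SHA512 HASH\n{good}  sample.iso\n"
        return triage(iso, expected_from_digests(digests, "sample.iso"))

if __name__ == "__main__":
    print(demo())
```

The expected value is only as trustworthy as the DIGESTS file it came from, so the signature in the matching `.DIGESTS.asc` needs to be verified separately before relying on the result.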