Bug 674560 - Downloaded image does not check out from one of the mirrors
Summary: Downloaded image does not check out from one of the mirrors
Status: IN_PROGRESS
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Other web server issues
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Gentoo Infrastructure
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-01-04 22:59 UTC by Philippe Trottier
Modified: 2019-10-27 13:26 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
mirror_kernel_org-blocked-safebrowsing_201901141800.jpg (mirror_kernel_org-blocked-safebrowsing_201901141800.jpg,91.62 KB, image/jpeg)
2019-01-14 17:58 UTC, Thomas Deutschmann

Description Philippe Trottier 2019-01-04 22:59:14 UTC
My 1st download of the liveDVD gave me a warning in Firefox telling me it might contain a virus or malware.

I then checked the file:
sha512sum /home/tchiwam/Downloads/livedvd-amd64-multilib-20160704.iso
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e  Downloads/livedvd-amd64-multilib-20160704.iso

I used wget and got the good sha512 as expected:
sha512sum /home/tchiwam/Downloads/livedvd-amd64-multilib-20160704.iso
88fa7f2f700fac8caae2691b7797f80f5c47813f4b63b75cdeca6b7dcc8223c24b1e1a9ae7b57e4d86109716c2c638f5b9998ed385bb9f2528ef34bf02c8b115  Downloads/livedvd-amd64-multilib-20160704.iso

Sadly I cannot find in my history the link used to download the faulty one. 

I expect that you may simply close this bug really fast as impossible to verify depending on how many mirrors you have for http://bouncer.gentoo.org/fetch/gentoo-20160704-livedvd/amd64/



Reproducible: Couldn't Reproduce

Actual Results:  
wrong sha512

Expected Results:  
proper sha512
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2019-01-05 00:05:24 UTC
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Is the SHA512 for an empty file.

I'm going to pull from all of the mirrors to verify the content.
Comment 2 Philippe Trottier 2019-01-05 00:10:58 UTC
Thank you. OK, now I feel dumb. And I may explain why: the virus warning from Firefox never renamed the .iso.part to .iso.
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2019-01-05 00:19:00 UTC
Do you still have that .iso.part file?

- What size is it?
- Does it have extended attributes that recorded where it was downloaded from?
- What does the 'file' tool say about it?
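The checks from comments 1 and 3 (size, SHA-512, recorded origin, file type) can be collected in one pass. This is an added example, not part of the original thread; the function name `triage_download` is hypothetical, and the `user.xdg.origin.url` attribute is only present if the downloading tool wrote it.

```python
import hashlib
import os

EMPTY_SHA512 = hashlib.sha512(b"").hexdigest()  # the digest quoted in comment 1
ISO9660_MAGIC_OFFSET = 0x8001  # "CD001" sits one byte into sector 16 (2048-byte sectors)

def triage_download(path, expected_sha512, expected_size=None):
    """Collect size, digest, origin and file type for one download and classify it."""
    size = os.path.getsize(path)
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
        fh.seek(ISO9660_MAGIC_OFFSET)
        looks_like_iso = fh.read(5) == b"CD001"  # empty read if file is too short
    sha512 = digest.hexdigest()
    # Origin URL, if a downloader recorded one (assumed attribute name;
    # os.getxattr is Linux-only and the filesystem may not support xattrs).
    origin = None
    try:
        origin = os.getxattr(path, "user.xdg.origin.url").decode(errors="replace")
    except (AttributeError, OSError):
        pass
    if sha512 == expected_sha512.lower():
        verdict = "match"
    elif size == 0 or sha512 == EMPTY_SHA512:
        verdict = "empty"        # nothing was written: not a corrupted image
    elif expected_size is not None and size < expected_size:
        verdict = "truncated"    # partial transfer, e.g. a leftover .part file
    else:
        verdict = "mismatch"     # full-size file with different content
    return {"size": size, "sha512": sha512, "looks_like_iso": looks_like_iso,
            "origin_url": origin, "verdict": verdict}

if __name__ == "__main__":
    import sys
    print(triage_download(sys.argv[1], sys.argv[2]))
```

An "empty" or "truncated" verdict points at the transfer, while "mismatch" on a full-size file is the case that warrants comparing mirrors.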
Comment 4 Philippe Trottier 2019-01-05 00:41:20 UTC
The file is gone; a 2nd try went over it. I initially thought it was just another failed download. But it failed again in Firefox, and the message was a normal "failed" one that allowed a restart. I then went to wget as I need to get this new machine installed.

The size of the file was close enough to fool me and it was marked as complete in Firefox.

I am very sorry that I did not keep it for further analysis.
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2019-01-05 22:42:30 UTC
All [1] of the bouncer mirror endpoints (19 of them) return the correct file, or at least the first part of it [2].

[1] Specific value of all: some mirrors are externally managed CDNs, and I can't test every CDN point of presence.
[2] I did detect the Evowise CDN doing an early truncation of the file in some cases. But that first part was correct.

I mocked the headers to look like Firefox, in case the service served a different result to Wget/curl clients.

This leaves a few possibilities:
- You were browsing the page, and the actual link you had clicked for the download didn't really go to bouncer.gentoo.org, but to a malicious site instead. This could be due to browser plugins, a malicious local adversary (page injection), or a couple of other attacks that are hard to detect.

That you got the virus or malware warning tells us a few possible things:
- the actual URL was on the safebrowsing blacklist
- it wanted to confirm the item was safe anyway due to mime type or file headers.
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2019-01-05 23:05:38 UTC
@philippe:
one more question, where did you get the http://bouncer link?
we've tried to replace all of them with https://
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2019-01-05 23:05:38 UTC
@philippe:
one more question, where did you get the http://bouncer link?
we've tried to replace all of them with https://
Comment 8 Thomas Deutschmann gentoo-dev Security 2019-01-05 23:21:54 UTC
@Philippe: With some luck you haven't cleaned your history yet. Please run

> $ sqlite3 places.sqlite "SELECT * FROM moz_places WHERE url LIKE '%20160704%' OR title LIKE '%20160704%'"

against your places.sqlite file (you said you used Firefox).
Comment 9 Philippe Trottier 2019-01-14 17:04:22 UTC
sqlite3 places.sqlite "SELECT * FROM moz_places WHERE url LIKE '%20160704%' OR title LIKE '%20160704%'"

12981|http://bouncer.gentoo.org/fetch/gentoo-20160704-livedvd/amd64/||gro.ootneg.recnuob.|4|1|0||82|1546637164952880|_H61R-w8q8Og|0|125510643763481||

12982|https://mirrors.kernel.org/gentoo//releases/amd64/20160704/|Index of /gentoo/releases/amd64/20160704/|gro.lenrek.srorrim.|2|0|1||1673|1546637299422904|KtWhkUo-OYEw|0|47359216456011||

12990|https://mirror.bytemark.co.uk/gentoo//releases/amd64/20160704/|Bytemark Hosting - Mirror|ku.oc.krametyb.rorrim.|1|0|0||82|1546636745205350|wq50rj9LaNHt|0|47358582965228||

12991|https://mirror.bytemark.co.uk/gentoo//releases/amd64/20160704/livedvd-amd64-multilib-20160704.iso.DIGESTS|livedvd-amd64-multilib-20160704.iso.DIGESTS|ku.oc.krametyb.rorrim.|0|0|0||0|1546636790614000|wpj9xuhEs1iZ|0|47359109875240||

12995|https://mirrors.evowise.com/gentoo//releases/amd64/20160704/|Index of /gentoo/releases/amd64/20160704/|moc.esiwove.srorrim.|1|0|0||82|1546637086552943|xEFelDVOT4tF|0|47356974890164||

12997|http://ftp.snt.utwente.nl/pub/os/linux/gentoo/releases/amd64/20160704/|Studenten Net Twente - Index of /pub/os/linux/gentoo/releases/amd64/20160704/|ln.etnewtu.tns.ptf.|1|0|0||82|1546637165251434|8tYKcCemFidh|0|125507903475623||

12998|http://ftp.snt.utwente.nl/pub/os/linux/gentoo/releases/amd64/20160704/livedvd-amd64-multilib-20160704.iso|livedvd-amd64-multilib-20160704.iso|ln.etnewtu.tns.ptf.|0|0|0||0|1546637168638247|nTyMLhNInWmg|0|125510156639855||

12999|https://mirrors.kernel.org/gentoo//releases/amd64/20160704/livedvd-amd64-multilib-20160704.iso.DIGESTS.asc||gro.lenrek.srorrim.|1|0|0||82|1546637313620887|SnrH7Xh_kPrP|0|47356321227240||


This is the dump, thank you for the command, very useful, sorry for the delay.
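The dump above is easier to read once the visits are ordered and the raw columns decoded. The following is an added example, not part of the original thread: it loads four rows copied from comment 9 into an in-memory table with a reduced `moz_places` schema (an assumption made for the example; a real places.sqlite has more columns) and returns the visits oldest first, with `last_visit_date` converted from microseconds to UTC and `rev_host` un-reversed.

```python
import sqlite3
from datetime import datetime, timezone

# Rows copied from the dump in comment 9, reduced to
# (id, url, title, rev_host, last_visit_date).
ROWS = [
    (12981, "http://bouncer.gentoo.org/fetch/gentoo-20160704-livedvd/amd64/",
     None, "gro.ootneg.recnuob.", 1546637164952880),
    (12982, "https://mirrors.kernel.org/gentoo//releases/amd64/20160704/",
     "Index of /gentoo/releases/amd64/20160704/", "gro.lenrek.srorrim.", 1546637299422904),
    (12991, "https://mirror.bytemark.co.uk/gentoo//releases/amd64/20160704/"
     "livedvd-amd64-multilib-20160704.iso.DIGESTS",
     "livedvd-amd64-multilib-20160704.iso.DIGESTS", "ku.oc.krametyb.rorrim.", 1546636790614000),
    (12998, "http://ftp.snt.utwente.nl/pub/os/linux/gentoo/releases/amd64/20160704/"
     "livedvd-amd64-multilib-20160704.iso",
     "livedvd-amd64-multilib-20160704.iso", "ln.etnewtu.tns.ptf.", 1546637168638247),
]

def open_sample_db():
    """In-memory stand-in for places.sqlite with only the columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, "
                 "title TEXT, rev_host TEXT, last_visit_date INTEGER)")
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn

def visit_timeline(conn, needle):
    """Return (utc_time, host, is_plain_http, url) tuples, oldest visit first."""
    pattern = f"%{needle}%"
    rows = conn.execute(
        "SELECT url, rev_host, last_visit_date FROM moz_places "
        "WHERE url LIKE ? OR title LIKE ? ORDER BY last_visit_date",
        (pattern, pattern))
    out = []
    for url, rev_host, visited_us in rows:
        # last_visit_date is microseconds since the Unix epoch.
        when = datetime.fromtimestamp(visited_us // 1_000_000, tz=timezone.utc)
        host = rev_host[::-1].lstrip(".")  # rev_host stores the host name reversed
        out.append((when.strftime("%Y-%m-%d %H:%M:%S"), host,
                    url.startswith("http://"), url))
    return out

if __name__ == "__main__":
    for entry in visit_timeline(open_sample_db(), "20160704"):
        print(*entry)
```

Against a real profile, run the query on a copy of places.sqlite, since Firefox keeps the live file locked while it is running.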
Comment 10 Thomas Deutschmann gentoo-dev Security 2019-01-14 17:58:51 UTC
Created attachment 560956 [details]
mirror_kernel_org-blocked-safebrowsing_201901141800.jpg

Thank you, this helped us find the flagged mirror: https://mirrors.kernel.org/gentoo//releases/amd64/20160704/