kyz / libmspack

A library for some loosely related Microsoft compression formats, CAB, CHM, HLP, LIT, KWAJ and SZDD.
https://www.cabextract.org.uk/libmspack/
169 stars 45 forks source link

Tarball missing for 10 days #17

Closed jrmarino closed 6 years ago

jrmarino commented 6 years ago

On the main website https://www.cabextract.org.uk/libmspack/, this is printed: "The latest release of libmspack is libmspack 0.7alpha, released on 25 July 2018." which has a link to "https://www.cabextract.org.uk/libmspack/libmspack-0.7alpha.tar.gz"

which does not exist.

Not Found
The requested URL /libmspack/libmspack-0.7alpha.tar.gz was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

I thought maybe the file had to get re-rolled, but after 10 days, either you guys aren't aware the file is missing or there's a major issue in which an adjustment of the website is necessary, I would think.

If it's just a bad link, can you fix it?

kyz commented 6 years ago

The problem is my own ISP is intentionally deleting the release, because my ISP are idiots, and they scan all files uploaded for "viruses", and ClamAV is telling them the file test/test_files/chmd/cve-2015-4467-reset-interval-zero.chm is a BC.Legacy.Exploit.CVE_2012_1458-1 "virus".

CVE-2012-1458 and CVE-2015-4467 are the same exploit for the same lines of code in chmd.c, the former reported only to ClamAV and the latter reported to me.

In other words, the test file I intentionally include to prove that libmspack is no longer exploitable by a 6 year old exploit, is still in ClamAV's database as something that can be used to exploit 6 year old copies of ClamAV, and therefore that's a "virus", which will continually block and prevent the release of the latest libmspack 0.7

Thanks a bunch, ClamAV.

jrmarino commented 6 years ago

now there's a valid use of a facepalm

kyz commented 6 years ago

libmspack 0.7.1alpha has been released. The only change over libmspack 0.7alpha is that it obfuscates the file which ClamAV objects to, so that ClamAV won't claim the release is "infected".

The file is deobfuscated during the build process, so libmspack can still be tested and proven not vulnerable to this old vulnerability.

jrmarino commented 6 years ago

thanks!

micahsnyder commented 6 years ago

Sorry about that Stuart! I think we had a similar issue back in the day (long before my time) with the non-malicious test samples we use in unit testing. Ours are also generated now to prevent ClamAV from flagging its own tarball.

By the way, I'd like to collaborate more closely with you in the future, particularly with regards to vulnerability reports and such. Feel free to PM me on Twitter (@0xC0000063) or by email (micasnyd -at- cisco -dot- com).

Whissi commented 6 years ago

Sorry, this was a Gentoo build issue. We now have to copy sources and can no longer do out-of-source builds. Not a big deal.

jrmarino commented 6 years ago

Which has nothing to do with the original issue though. Open a new issue next time ...