Mastodawn

Graham Sutherland / Polynomial

UPDATE: https://chaos.social/@gsuberland/114463114056172083

-

sigrok's website is down with a message saying their hosting provider suffered a massive data loss

they say it'll be back soon, and they link to a directory with all the downloads in the meantime

I just downloaded `pulseview-0.4.2-64bit-static-release-installer.exe` from there, along with two archived copies from the Internet Archive (2023-02 and 2024-08). both IA copies have the same hash. the one currently being hosted is identical in length, but not hash.

Graham Sutherland / Polynomial (@[email protected])

update on the sigrok situation: the binaries almost certainly got corrupted during the data loss event that the hosting provider suffered, rather than being maliciously modified. there are strong indications that some of the data that got written into the binaries came from other tenants on the same hosting provider. the sigrok team are going to pull the downloads until clean backup copies can be verified and uploaded. thanks to everyone who took the time to look into this!

chaos.social

Graham Sutherland / Polynomial May 6, 2025

SEE UPDATE: https://chaos.social/@gsuberland/114463114056172083

---

I quickly diff'd the two binaries and there are quite a few changes across the PE sections and other data structures. it's very odd to me that the files are the exact same length but not contents.

I don't have time to go dig into this today, but it's possible that sigrok's site has been compromised and is serving malicious software. until further checks have been done, I wouldn't trust anything on there.

if someone wants to do some analysis: [snip]

Graham Sutherland / Polynomial (@[email protected])

update on the sigrok situation: the binaries almost certainly got corrupted during the data loss event that the hosting provider suffered, rather than being maliciously modified. there are strong indications that some of the data that got written into the binaries came from other tenants on the same hosting provider. the sigrok team are going to pull the downloads until clean backup copies can be verified and uploaded. thanks to everyone who took the time to look into this!

chaos.social

Graham Sutherland / Polynomial May 6, 2025

here are the archived copies I pulled from the IA

https://web.archive.org/web/20230211153037/https://sigrok.org/download/binary/pulseview/pulseview-0.4.2-64bit-static-release-installer.exe

https://web.archive.org/web/20240818051717/https://sigrok.org/download/binary/pulseview/pulseview-0.4.2-64bit-static-release-installer.exe

these are the same: 63e9ba060bec76bca7e87bc7e06fd5f7405bc6c74aa0afd76e9e9b7b1c9fab41

hash from the one currently being served: 2f4f7f1cede96d823bf630c0e8e9f932196af35ddc873bb5f710f3c6fca507b1

VT link for the new binary being served: https://www.virustotal.com/gui/file/2f4f7f1cede96d823bf630c0e8e9f932196af35ddc873bb5f710f3c6fca507b1

Wayback Machine

Graham Sutherland / Polynomial May 6, 2025

boop @da_667 if you've got the bandwidth to check this out it would be appreciated. tons of hardware/firmware folks use sigrok so it's a juicy target.

Graham Sutherland / Polynomial May 6, 2025

@da_667 currently looking like it's _probably_ just corruption? but some of the data in the corrupted sections might have memory or filesystem contents or something, potentially with infoleak implications:

https://infosec.exchange/@jernej__s/114462866033058951

Jernej Simončič � (@[email protected])

Attached: 2 images @[email protected] Corrupted vs. original installer at offset 0x01580000:

Infosec Exchange

Graham Sutherland / Polynomial May 6, 2025

update on the sigrok situation:

the binaries almost certainly got corrupted during the data loss event that the hosting provider suffered, rather than being maliciously modified.

there are strong indications that some of the data that got written into the binaries came from other tenants on the same hosting provider.

the sigrok team are going to pull the downloads until clean backup copies can be verified and uploaded.

thanks to everyone who took the time to look into this!

Rachel Mant May 6, 2025

@gsuberland nice job figuring that out - been watching this cavalcade of comedy unfold from the 1b² Discord server's bridge to their IRC channel and it's been one bad turn after the next..

we'd go so far as to say that we suspect all backups/data copies taken near or after the provider's hardware failure are entirely toast, which is giving them a hell of a headache for how to recover.. this is just one of many moving pieces found to have been corrupted in this kind of way.

penguin42 May 6, 2025

@gsuberland wtf do they end up with data from a different tenant?!

Graham Sutherland / Polynomial May 6, 2025

@penguin42 web host with multiple tenants on one physical system

penguin42 May 6, 2025

@gsuberland It's still damn weird to get cross-tenant contamination like that.

Graham Sutherland / Polynomial May 6, 2025

@penguin42 yup. from the sounds of it the host completely hosed the data and hasn't been responsive.

1.3.6.1.4.1.61513 May 7, 2025

@penguin42 @gsuberland we've had a small cdn provider called *checks notes* cloudflare do this to some of our endpoints because they changed their own disk format and didn't clear their cache. Our JS blob suddenly had someone elses binary data in it.

Graham Sutherland / Polynomial May 6, 2025

entirely possible that this is just corruption or something from the data loss event, but very much worth checking out and being _very_ careful with the installers until they've been checked as safe.

Jernej Simončič �May 6, 2025

@gsuberland Corrupted vs. original installer at offset 0x01580000:

Graham Sutherland / Polynomial May 6, 2025

@jernej__s oh now that is super weird

Jernej Simončič �May 6, 2025

@gsuberland More weird stuff:

davidc__May 6, 2025

@jernej__s @gsuberland that looks like their hosting provider had some form of corruption resulting in cross-tenant infoleaks..

Jernej Simončič �May 6, 2025

@davidc__ @gsuberland Looks like there are 15 1MB sections that are corrupted.

@jernej__s @gsuberland nice infoleak via data corruption lol

Jernej Simončič �May 6, 2025

@gsuberland Might be just corruption? 7-zip complains about several files when trying to extract, while those files extract fine from web.archive.org version.

Jernej Simončič �May 6, 2025

@gsuberland Trying to run the installer (in a VM) results in this:

Graham Sutherland / Polynomial May 6, 2025

@jernej__s could be, especially if the data loss did corrupt some files. just kinda odd.

emily, blinkenlight witch May 6, 2025

@gsuberland @jernej__s okay i am now intrigued

other corrupted files from .../binary/pulseview specifically:
```
Binary files pulseview-0.4.1-32bit-static-release-installer.exe and ../official/sigrok.org/download/binary/pulseview/pulseview-0.4.1-32bit-static-release-installer.exe differ
Binary files pulseview-0.4.2-64bit-static-release-installer.exe and ../official/sigrok.org/download/binary/pulseview/pulseview-0.4.2-64bit-static-release-installer.exe differ
Binary files PulseView-0.4.2-i386.AppImage and ../official/sigrok.org/download/binary/pulseview/PulseView-0.4.2-i386.AppImage differ
```

emily, blinkenlight witch May 6, 2025

@gsuberland @jernej__s sigrok-cli-0.7.2-i386.AppImage has a lot going on, I've seen random garbage (the first one I looked at does not appear to be sensical IA-32 machine code), HTML, JSON, kernel logs, and some other sort of logs.

so currently it *looks* like random bits of server memory overwriting random bits of files

edit: I claimed most of what was overwritten was zeroes but I was looking at the files backwards, actually a lot of areas were overwritten *with* zeroes

emily, blinkenlight witch May 6, 2025

@gsuberland @jernej__s it's also a minecraft server!

Graham Sutherland / Polynomial May 6, 2025

@emily @jernej__s haaa, that's a fun find

emily, blinkenlight witch May 6, 2025

@gsuberland @jernej__s :)

Erik McClure May 6, 2025

@gsuberland "somewhat" concerning????

therian_salmacian

@gsuberland Shit, that’s not a great sign, is it?

Mike P May 6, 2025

@gsuberland I nearly suggested that you should compare them in more detail to see which bytes differ ... but then I realised that you probably already thought of that ;)

Ewen McNeill May 6, 2025

@gsuberland FTR the sigrok webserver data corruption happened a month or more ago (there’s some history/context in the sigrok IRC channel mirrored into the 1bitsquared Discord around early April 2025).

From memory it sounded like cross linked blocks in the file system, which corrupted webserver software. I guess it’s possible it also corrupted other files too.

Ewen McNeill May 6, 2025

@gsuberland IIRC the website owner has offline copies of the sigrok software so could restore those. (But not if the hosting setup, so rebuilding the website hosting was taking a while.)

I think they had assumed the corruption was limited to just the website hosting binaries. And maybe not double checked all the sigrok software archives. So good that you checked.