UPDATE: https://chaos.social/@gsuberland/114463114056172083

---

sigrok's website is down with a message saying their hosting provider suffered a massive data loss

they say it'll be back soon, and they link to a directory with all the downloads in the meantime

I just downloaded `pulseview-0.4.2-64bit-static-release-installer.exe` from there, along with two archived copies from the Internet Archive (2023-02 and 2024-08). both IA copies have the same hash. the one currently being hosted is identical in length, but not hash.

Graham Sutherland / Polynomial (@gsuberland@chaos.social)

update on the sigrok situation: the binaries almost certainly got corrupted during the data loss event that the hosting provider suffered, rather than being maliciously modified. there are strong indications that some of the data that got written into the binaries came from other tenants on the same hosting provider. the sigrok team are going to pull the downloads until clean backup copies can be verified and uploaded. thanks to everyone who took the time to look into this!

SEE UPDATE: https://chaos.social/@gsuberland/114463114056172083

---

I quickly diff'd the two binaries and there are quite a few changes across the PE sections and other data structures. it's very odd to me that the files are the exact same length but not contents.

I don't have time to go dig into this today, but it's possible that sigrok's site has been compromised and is serving malicious software. until further checks have been done, I wouldn't trust anything on there.

if someone wants to do some analysis: [snip]

here are the archived copies I pulled from the IA

https://web.archive.org/web/20230211153037/https://sigrok.org/download/binary/pulseview/pulseview-0.4.2-64bit-static-release-installer.exe

https://web.archive.org/web/20240818051717/https://sigrok.org/download/binary/pulseview/pulseview-0.4.2-64bit-static-release-installer.exe

these are the same: 63e9ba060bec76bca7e87bc7e06fd5f7405bc6c74aa0afd76e9e9b7b1c9fab41

hash from the one currently being served: 2f4f7f1cede96d823bf630c0e8e9f932196af35ddc873bb5f710f3c6fca507b1

VT link for the new binary being served: https://www.virustotal.com/gui/file/2f4f7f1cede96d823bf630c0e8e9f932196af35ddc873bb5f710f3c6fca507b1

entirely possible that this is just corruption or something from the data loss event, but very much worth checking out and being _very_ careful with the installers until they've been checked as safe.

@gsuberland Corrupted vs. original installer at offset 0x01580000:

@jernej__s oh now that is super weird

@gsuberland More weird stuff:

@jernej__s @gsuberland that looks like their hosting provider had some form of corruption resulting in cross-tenant infoleaks..

@davidc__ @gsuberland Looks like there are 15 1MB sections that are corrupted.

@jernej__s @gsuberland nice infoleak via data corruption lol
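
Added example, not part of any post in this thread: a Python sketch of the check the thread performs by hand, hashing a known-good copy and a suspect copy, then listing which fixed-size blocks differ when the lengths match but the hashes do not. The function names and the sample data in `demo()` are constructed for illustration; for real files, pass streams from `open(path, "rb")` and keep the default 1 MiB block size.

```python
import hashlib
import io

BLOCK = 1 << 20  # 1 MiB, the granularity reported in the thread


def sha256_stream(stream, chunk=1 << 16):
    """Hash a binary stream without loading it all into memory."""
    h = hashlib.sha256()
    for piece in iter(lambda: stream.read(chunk), b""):
        h.update(piece)
    return h.hexdigest()


def differing_blocks(good, suspect, block=BLOCK):
    """Return [(offset, differing_byte_count)] for each block that differs.

    A length mismatch is reported as a final (offset, -1) entry.
    """
    out, offset = [], 0
    while True:
        a, b = good.read(block), suspect.read(block)
        if not a and not b:
            return out
        if len(a) != len(b):
            out.append((offset, -1))
            return out
        if a != b:
            out.append((offset, sum(x != y for x, y in zip(a, b))))
        offset += len(a)


def demo():
    # Constructed sample data, not the real installers: 8 blocks of 4 KiB,
    # with blocks 2 and 5 of the "suspect" copy overwritten by foreign data.
    block = 4096
    good = bytes(range(256)) * (8 * block // 256)
    bad = bytearray(good)
    for idx in (2, 5):
        bad[idx * block:(idx + 1) * block] = b"\xAA" * block
    same_len = len(good) == len(bad)
    hashes_match = sha256_stream(io.BytesIO(good)) == sha256_stream(io.BytesIO(bad))
    diffs = differing_blocks(io.BytesIO(good), io.BytesIO(bytes(bad)), block)
    return same_len, hashes_match, diffs


if __name__ == "__main__":
    same_len, hashes_match, diffs = demo()
    print("same length:", same_len, "hashes match:", hashes_match)
    for off, n in diffs:
        print(f"block at 0x{off:08x}: {n} bytes differ")
```

Differences confined to whole, aligned blocks point toward storage-level damage rather than a targeted patch, but they do not make the file safe to run; only a copy whose hash matches a trusted source is.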