Graham Sutherland / PolynomialMay 6, 2025

UPDATE: https://chaos.social/@gsuberland/114463114056172083

-

sigrok's website is down with a message saying their hosting provider suffered a massive data loss

they say it'll be back soon, and they link to a directory with all the downloads in the meantime

I just downloaded `pulseview-0.4.2-64bit-static-release-installer.exe` from there, along with two archived copies from the Internet Archive (2023-02 and 2024-08). both IA copies have the same hash. the one currently being hosted is identical in length, but not hash.

Graham Sutherland / Polynomial (@[email protected])

update on the sigrok situation: the binaries almost certainly got corrupted during the data loss event that the hosting provider suffered, rather than being maliciously modified. there are strong indications that some of the data that got written into the binaries came from other tenants on the same hosting provider. the sigrok team are going to pull the downloads until clean backup copies can be verified and uploaded. thanks to everyone who took the time to look into this!

chaos.social
Show threadGraham Sutherland / PolynomialMay 6, 2025

SEE UPDATE: https://chaos.social/@gsuberland/114463114056172083

---

I quickly diff'd the two binaries and there are quite a few changes across the PE sections and other data structures. it's very odd to me that the files are the exact same length but not contents.

I don't have time to go dig into this today, but it's possible that sigrok's site has been compromised and is serving malicious software. until further checks have been done, I wouldn't trust anything on there.

if someone wants to do some analysis: [snip]

Graham Sutherland / Polynomial (@[email protected])

update on the sigrok situation: the binaries almost certainly got corrupted during the data loss event that the hosting provider suffered, rather than being maliciously modified. there are strong indications that some of the data that got written into the binaries came from other tenants on the same hosting provider. the sigrok team are going to pull the downloads until clean backup copies can be verified and uploaded. thanks to everyone who took the time to look into this!

chaos.social
Show threadJernej Simončič �May 6, 2025
@gsuberland Might be just corruption? 7-zip complains about several files when trying to extract, while those files extract fine from web.archive.org version.
Show threadJernej Simončič �May 6, 2025
@gsuberland Trying to run the installer (in a VM) results in this:
Show threadGraham Sutherland / PolynomialMay 6, 2025
@jernej__s could be, especially if the data loss did corrupt some files. just kinda odd.
Show threademily, blinkenlight witchMay 6, 2025
@gsuberland @jernej__s okay i am now intrigued

other corrupted files from .../binary/pulseview specifically:
```
Binary files pulseview-0.4.1-32bit-static-release-installer.exe and ../official/sigrok.org/download/binary/pulseview/pulseview-0.4.1-32bit-static-release-installer.exe differ
Binary files pulseview-0.4.2-64bit-static-release-installer.exe and ../official/sigrok.org/download/binary/pulseview/pulseview-0.4.2-64bit-static-release-installer.exe differ
Binary files PulseView-0.4.2-i386.AppImage and ../official/sigrok.org/download/binary/pulseview/PulseView-0.4.2-i386.AppImage differ
```
Show threademily, blinkenlight witchMay 6, 2025
@gsuberland @jernej__s sigrok-cli-0.7.2-i386.AppImage has a lot going on, I've seen random garbage (the first one I looked at does not appear to be sensical IA-32 machine code), HTML, JSON, kernel logs, and some other sort of logs.

so currently it *looks* like random bits of server memory overwriting random bits of files

edit: I claimed most of what was overwritten was zeroes but I was looking at the files backwards, actually a lot of areas were overwritten *with* zeroes
Show threademily, blinkenlight witchMay 6, 2025
@gsuberland @jernej__s it's also a minecraft server!
Show threademily, blinkenlight witch
@gsuberland @jernej__s :)
May 6, 2025 at 10:17pmWeb