Malicious FreeNAS-11.0-U4.iso being served?

Status
Not open for further replies.

rgilbert

Cadet
Joined
Nov 22, 2017
Messages
2
Hi,

I downloaded FreeNAS-11.0-U4.iso from download.freenas.org. I randomly decided to do a SHA256 and found that the value did NOT match expected.

FreeNAS-11.0-U4.iso.sha256 states that the correct SHA256 is: 25b612ba7ef544af64094059aa87cefb69a34652aae19c51f816a49160b50919

However the one I downloaded is 4d29c3e259c3879d161b4e9f71aa16267cf97488478618c3df2a2e2b02e3d541

I copied the same download link and wget'd it on my Linode account, and it downloaded a version with the correct SHA of 25b612ba7ef544af64094059aa87cefb69a34652aae19c51f816a49160b50919. I copied it locally and found the same correct SHA.

I then used HxD to compare the binaries:
  • They start differing at offset 0x113B994D
  • They end differing at offset 0x1295A614
Is one of the download mirrors serving a corrupt or malicious version of the ISO?

I am able to open both of them with 7zip.
 

rgilbert

Cadet
Joined
Nov 22, 2017
Messages
2
Okay, it doesn't seem malicious at a quick glance. I unzipped the contents and narrowed down the only difference to the file base-os-11.0-U4-4ee20c34fd84cd863cc7642519a68e5f.tgz.

If I extract the one from the bad SHA, 7zip says it's corrupt and doesn't extract everything. The one with the new SHA extracted successfully.

So seems more like corruption than malicious. I wonder if one of the mirrors is hosting a corrupted version of the file... or maybe it's just me?
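
The checks described in the two posts above (hash the download, compare it with the published .sha256 value, then locate the byte range where two copies differ), as an added Python example that is not part of the original thread. The file names, the .sha256 layout and the sample data are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path
CHUNK = 1 << 20  # 1 MiB reads keep a multi-GB ISO out of memory

def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def expected_digest(sha256_path):
    """Return the 64-hex-digit token from a .sha256 file (layout assumed)."""
    with open(sha256_path) as f:
        for tok in f.read().lower().split():
            if len(tok) == 64 and all(c in "0123456789abcdef" for c in tok):
                return tok
    raise ValueError(f"no SHA-256 digest in {sha256_path}")

def diff_range(path_a, path_b):
    """Return (first, last) differing byte offsets, or None if identical."""
    first, last, offset = None, None, 0
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        while True:
            ba, bb = a.read(CHUNK), b.read(CHUNK)
            if not ba and not bb:
                return None if first is None else (first, last)
            if ba != bb:  # scan only chunks that differ; a short read counts as a difference
                for i in range(max(len(ba), len(bb))):
                    if ba[i:i + 1] != bb[i:i + 1]:
                        first = offset + i if first is None else first
                        last = offset + i
            offset += max(len(ba), len(bb))

def demo():
    """Constructed sample: a 4 KiB 'image' and a copy damaged at 1000..1999."""
    good = bytes(range(256)) * 16
    bad = good[:1000] + bytes(x ^ 0xFF for x in good[1000:2000]) + good[2000:]
    with tempfile.TemporaryDirectory() as d:
        g, b, s = (Path(d) / n for n in ("good.iso", "bad.iso", "good.iso.sha256"))
        g.write_bytes(good)
        b.write_bytes(bad)
        s.write_text("SHA256 (good.iso) = " + hashlib.sha256(good).hexdigest() + "\n")
        want = expected_digest(s)
        return sha256_file(g) == want, sha256_file(b) == want, diff_range(g, b)

if __name__ == "__main__":
    print(demo())
```

A single contiguous differing range with matching file lengths, as in the constructed sample, is what a damaged transfer typically looks like; the published hash is only a meaningful reference if it was fetched over a channel you trust.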
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,061
Is this repeatable? If so, file a bug report and post the issue number here.
 