Malicious FreeNAS-11.0-U4.iso being served?

[rgilbert]

Hi,

I downloaded FreeNAS-11.0-U4.iso from download.freenas.org. I randomly decided to do a SHA256 and found that the value did NOT match expected.

FreeNAS-11.0-U4.iso.sha256 states that the correct SHA256 is: 25b612ba7ef544af64094059aa87cefb69a34652aae19c51f816a49160b50919

However the one I downloaded is 4d29c3e259c3879d161b4e9f71aa16267cf97488478618c3df2a2e2b02e3d541

I copied the same download link and wget'd my Linode account, and it downloaded a version with the correct SHA of 25b612ba7ef544af64094059aa87cefb69a34652aae19c51f816a49160b50919. I copied it locally and found the same correct SHA.

I then used HxD to compare the binaries

• They start differing at offset 0x113B994D
• They end differing at offset 0x1295A614

Is one of the download mirrors serving a corrupt or malicious version of the ISO?

I am able to open both of them with 7zip.

 

[rgilbert]

Okay doesn't seem malicious at quick glance. I unzipped the contents and narrowed down the only difference being in file base-os-11.0-U4-4ee20c34fd84cd863cc7642519a68e5f.tgz.

If I extract the one from bad SHA, 7zip says it's corrupt and doesn't extract everything. The one with the new SHA extracted successfully.

So seems more like corruption than malicious. I wonder if one of the mirrors is hosting a corrupted version of the file... or maybe it's just me?

 

[Ericloewe]

Is this repeatable? If so, file a bug report and post the issue number here.