PDA

View Full Version : LiveUpdate Issues


benjamin3
04-02-2015, 06:57 AM
I have released an update 5.1.0 build 3824 to better protect our users from any future dns hi-jacking attempts.

When preforming an update check the update check reply messages now include a digital signature, if the digital signature is missing or invalid then the server reply is discarded.

FlashFXP will only process the server reply if the digital signature can be verified.

After downloading the program updates additional checking is performed to ensure that the digital signature is owned by us, if the digital signature fails validation or doesn't match then the downloaded content is deleted.


hi , tried updating from build 3825 -> 3826 , it resulted 3times in a faulty download and then the resulting "incomplete download" window the button click doesnt work.

i tried then from a 2nd installation the downloaded update file :

sha1: DB50C3DD907A74B02ECE2DF9ACB0A760D35C224C
FlashFXP5_3826_Setup.exe

and manually point to portable installation folder of 3825 , tried to install "over" but resulted in still the same build 3825 , it seemed the installation just didnt overwrite the files. i remember you told once that that kind of setup file can also be used to install/manually update a portable installation.

i expect the 3826_setup.exe file (i just did a copy of this .exe file during updating my first 3824 build) to be the same update file like the plain normal standalone installer ,

what about the ability to have those build setup exe files in a sticky thread with proper md5/sha1 checksums , just to be sure ?

benjamin3
04-02-2015, 07:08 AM
for better understanding : http://i.snag.gy/5B1mG.jpg

that was the usual screen showing update avail from 3825 -> 3826 ... lets click download, and 3 times the download bar didnt properly finished, so i was afraid that the installer perhaps was compromised , but while reading your thread that you implemented the security check in 3824 i dont think that i have the wrong file.

to be 100% sure and not using a wrong 3825 .exe file , here's sha1 checksum of 3825 flashfxp.exe , can you confirm please ;-):

sha1 0A2CB5E2D6BA13B87504F47F3E39E449985F3C22 // FlashFXP.exe (3825 build)

i tested now again the live updater, and 3825->3826 now is proper downloaded, but mcafee recoqnized the first time in my life a buffer overflow for this kind of flashfxp update process. anyone else had this ? i ignored mcafee popup and continued to click "update" and update 3825->3826 went smooth.

http://i.snag.gy/bSf0s.jpg

the 3826 setup .exe which was downloaded into /cache directory has same sha1 checksum , so this looks fine

sha1: DB50C3DD907A74B02ECE2DF9ACB0A760D35C224C
FlashFXP5_3826_Setup.exe

what causes that buffer overflow, just wanted to report this

bigstar
04-02-2015, 07:55 AM
hi , tried updating from build 3825 -> 3826 , it resulted 3times in a faulty download and then the resulting "incomplete download" window the button click doesnt work.


I am looking into this issue, How much time has elapsed before the download fails with an error?


i tried then from a 2nd installation the downloaded update file :

sha1: DB50C3DD907A74B02ECE2DF9ACB0A760D35C224C
FlashFXP5_3826_Setup.exe

and manually point to portable installation folder of 3825 , tried to install "over" but resulted in still the same build 3825 , it seemed the installation just didnt overwrite the files. i remember you told once that that kind of setup file can also be used to install/manually update a portable installation.

i expect the 3826_setup.exe file (i just did a copy of this .exe file during updating my first 3824 build) to be the same update file like the plain normal standalone installer ,

Well I'm afraid you can't use the same installer for both, but you can use the program files installed by the standard installer, just copy over the files (i.e. flashfxp.exe, flashfxp.chm, etc) to the folder of your portable installation.



What about the ability to have those build setup exe files in a sticky thread with proper md5/sha1 checksums , just to be sure ?


I will see what I can do, an ideal solution would be one that could be automated, that way we can avoid human error on my part ;)

bigstar
04-02-2015, 01:18 PM
i tested now again the live updater, and 3825->3826 now is proper downloaded, but mcafee recoqnized the first time in my life a buffer overflow for this kind of flashfxp update process. anyone else had this ? i ignored mcafee popup and continued to click "update" and update 3825->3826 went smooth.At what specific moment did this appear?

And what specific mcafee product is that?

FlashFXP.exe v5.1.0 build 3825
SHA1: 0a2cb5e2d6ba13b87504f47f3e39e449985f3c22

FlashFXP.exe v5.1.0 build 3826
SHA1: 44370ab443976b314726095d2fe2c2b42276f6a6