Bug 78454 - Chrome doesn't allow download of LibO .msi package claiming it's malicious
Summary: Chrome doesn't allow download of LibO .msi package claiming it's malicious
Status: RESOLVED NOTOURBUG
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: WWW (show other bugs)
Version:
(earliest affected)
4.1.6.2 release
Hardware: Other Windows (All)
: high critical
Assignee: Not Assigned
URL:
Whiteboard: BSA
Keywords: possibleRegression
: 78553 (view as bug list)
Depends on:
Blocks:
 
Reported: 2014-05-08 18:55 UTC by Anthony Gouldwell
Modified: 2015-12-15 10:54 UTC (History)
8 users (show)

See Also:
Crash report or crash signature:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Anthony Gouldwell 2014-05-08 18:55:45 UTC
Problem description: 
Chrome blocks installation claiming .msi file is malicious.
Steps to reproduce:
1. Open LibreOffice 
2. Click download icon in top right of splash page (hovering indicates: "LibreOffice Update available, Click the icon for more information,."
3. Window opened: "LibreOffice 4.2.4 is available. The installed version is LibreOffice 4.1.4.2." Click Download button.
4. Web page opened: http://www.libreoffice.org/download/libreoffice-fresh/?type=win-x86&lang=en-US&version=4.2.4
5. Click green button: "Download version 4.2.4"
6. Donation invitation page opened: http://donate.libreoffice.org/home/dl/win-x86/4.2.4/en-US/LibreOffice_4.2.4_Win_x86.msi
7. In bottom left corner, info box appears: "LibreOffice_4.2.4_Wi....msi  <XX changes progressively> MB, <XX likewise> mins left.
8. In bottom left corner, message appears: "LibreOfficew_4.2.4_Wi....msi is malicious and Chrome has blocked it."
9. Checking Chrome's customise icon > Downloads provides list of downloads topped by: "LibreOffice_4.2.4_Win_x86.msi is malicious and Chrome has blocked it."

QUESTION: is the Chrome warning indicating a genuine problem with the installation of 4.2.4, or do I need to find out how to adjust Chrome's security settings?

Current behavior:

Expected behavior:

              
Operating System: Windows 7
Version: 4.2.4.1 rc
Last worked in: 4.1.4.2 release
Comment 1 tommy27 2014-05-08 20:11:51 UTC
try 4.2.4.2 final released today
Comment 2 Julien Nabet 2014-05-11 12:49:48 UTC
*** Bug 78553 has been marked as a duplicate of this bug. ***
Comment 3 Julien Nabet 2014-05-11 12:50:15 UTC
Put it at New since there's a dup
Comment 4 tommy27 2014-05-11 14:21:42 UTC
so it seems Chrome doesn't block *installation* but rather *download* of the LibO install package.

the duplicate is moreover about 4.1.6.2 release so it seems it's a more general issue towards any LibO install package.

question now is: which side is the bug? problem inside LibO package or Google Chrome false positive?
Comment 5 retired 2014-05-11 14:42:30 UTC
setting to critical, since if people can't download LO via the most popular browser, is is very critical indeed.
Comment 6 Pierre Sundberg 2014-05-11 21:05:52 UTC
I can verify that Chrome (Version 34.0.1847.131 m) on Windows 7, marks all three available released versions currently availably from https://www.libreoffice.org/download/libreoffice-stable/#change as malicios, and is blocking them.

Released versions:
- 4.1.6
- 4.2.3
- 2.2.4
Comment 7 bfoman (inactive) 2014-06-20 17:54:58 UTC
NOTOURBUG candidate, but if every future download will be marked as malicious then TDF has problem with Google.
CCing QA people to take action if possible or escalate to ESC as this is not the first report about it.
Comment 8 Robinson Tryon (qubit) 2014-06-20 18:14:46 UTC
(In reply to comment #7)
> NOTOURBUG candidate, but if every future download will be marked as
> malicious then TDF has problem with Google.
> CCing QA people to take action if possible or escalate to ESC as this is not
> the first report about it.

We file whitelist requests with Symantec for our binaries, but for other such systems there's not always a way to request a whitelisting. If you're unsure about the validity of a TDF binary, please do check the signature to verify it's genuine, as we do sign all of our installers.

Thanks!

Resolving -> NOTOURBUG
Comment 9 Robinson Tryon (qubit) 2015-12-15 10:54:55 UTC
Migrating Whiteboard tags to Keywords: (possibleRegression)
[NinjaEdit]