Menu

#16 Identical Hashes Matched Regardless of Blocksize

v1.0_(example)
pending
None
5
2014-10-16
2014-10-16
No

If two known files have the same hash, they are given a match score of 100, regardless of their block size. Here's an example, comparing the output of v2.11.1 with v2.9:

We compute the hash of some file, alpha, and then duplicate it's value, but changing the block size to half its value:

$ cat known.txt
ssdeep,1.1--blocksize:hash:hash,filename
24576:8obBaE9mvOeItYe8xGfkOI9emYzHEsXlmUYiaynYOBKPV/7AO07kSYG0nD4Q:vmOeIKe0G8Ze2sVdqynYOUPVUQ7NsQ,"alpha"
12288:8obBaE9mvOeItYe8xGfkOI9emYzHEsXlmUYiaynYOBKPV/7AO07kSYG0nD4Q:vmOeIKe0G8Ze2sVdqynYOUPVUQ7NsQ,"beta"

Note how the current ssdeep matches them:

$ ssdeep -ax known.txt
known.txt:alpha matches known.txt:beta (100)

known.txt:beta matches known.txt:alpha (100)

But an older version does not:

$ ./ssdeep-2.9 -ax known.txt
known.txt:alpha matches known.txt:beta (0)

known.txt:beta matches known.txt:alpha (0)

This issue was originally reported by Tsukasa, li@livegrid[.]org

Discussion

  • Jesse Kornblum

    Jesse Kornblum - 2014-10-16

    A fix for this issue has been checked into SVN.

     
  • Jesse Kornblum

    Jesse Kornblum - 2014-10-16
    • status: open --> pending