Your message dated Wed, 17 Jun 2015 01:52:39 +0000 with message-id <[email protected]> and subject line Bug#781568: fixed in ssdeep 2.13-1 has caused the Debian Bug report #781568, regarding libfuzzy2: incorrect comparison when comparing digests from relatively simple files to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
781568: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781568
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---
Package: libfuzzy2
Version: 2.12-1
Severity: important
Source: ssdeep
Tags: patch jessie

Dear Maintainer,

While reviewing the ssdeep source code as a new ssdeep developer, I found several bugs, including this one. Because of this bug's severity and Debian's freeze policy on Jessie, I want this bug to be reviewed and, if it's considered RC, I'd like to contribute a targeted patch to fix this particular bug.

[TECH BACKGROUND]

An ssdeep digest consists of three parts:

* Block size
* First substring
* Second substring

For instance, "3:ubvcl+nz:uTcknzbn" can be split like this:

* Block size (3)
* First substring ("ubvcl+nz")
* Second substring ("uTcknzbn")

[BUG]

The bug is in the fuzzy_compare function, which is used to compare digests. This function is supposed to return 100 if the given digests are identical. However, this function actually returns 100 if the block size and the first digest substring are identical. This means that even if the second digest substring is not identical, fuzzy_compare considers that it is.

[REPRODUCTION]

I attached two files to reproduce this issue easily (file1.gz and file2.gz).

| $ ssdeep -V
| 2.12
| $ /path/to/ssdeep-2.13-rc/ssdeep -V
| 2.13
| $
| $ gzip -d file1.gz
| $ gzip -d file2.gz
| $
| $ ssdeep -l file1 file2 | tee files.ssdeep
| ssdeep,1.1--blocksize:hash:hash,filename
| 3:urNZHi:0/C,"file1"
| 3:urNZHi:uJp,"file2"
| $
| $ ssdeep -a -k files.ssdeep -x files.ssdeep
| files.ssdeep:file1 matches files.ssdeep:file2 (100)
| files.ssdeep:file1 matches files.ssdeep:file2 (100)
|
| files.ssdeep:file2 matches files.ssdeep:file1 (100)
| files.ssdeep:file2 matches files.ssdeep:file1 (100)
|
| files.ssdeep:file1 matches files.ssdeep:file2 (100)
| files.ssdeep:file1 matches files.ssdeep:file2 (100)
|
| files.ssdeep:file2 matches files.ssdeep:file1 (100)
| files.ssdeep:file2 matches files.ssdeep:file1 (100)
|
| $ /path/to/ssdeep-2.13-rc/ssdeep -a -k files.ssdeep -x files.ssdeep
| files.ssdeep:file1 matches files.ssdeep:file2 (0)
| files.ssdeep:file1 matches files.ssdeep:file2 (0)
|
| files.ssdeep:file2 matches files.ssdeep:file1 (0)
| files.ssdeep:file2 matches files.ssdeep:file1 (0)
|
| files.ssdeep:file1 matches files.ssdeep:file2 (0)
| files.ssdeep:file1 matches files.ssdeep:file2 (0)
|
| files.ssdeep:file2 matches files.ssdeep:file1 (0)
| files.ssdeep:file2 matches files.ssdeep:file1 (0)
|
| $

As you can see, the "file1" and "file2" digests are different ("3:urNZHi:0/C" and "3:urNZHi:uJp") but the block size and the first substring are identical. Because ssdeep doesn't compare short substrings (to prevent exaggerations), the comparison should result in a mismatch (0). However, ssdeep 2.12 considers these digests identical because of the bug and reports a complete match (100).

[SEVERITY]

Since it affects the reliability of the digest match and clustering features (I mean most ssdeep features) and this software is used for security purposes, it may be release critical on Jessie.

[UPSTREAM]

Please note that this bug is fixed in version 2.13 RC, and the new release, version 2.13, will be released in a few weeks.

-- System Information: Debian Release: 8.0 APT prefers testing-updates APT policy: (500, 'testing-updates'), (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages libfuzzy2 depends on: ii libc6 2.19-15 ii multiarch-support 2.19-15 libfuzzy2 recommends no packages. libfuzzy2 suggests no packages. -- no debconf informationDescription: Fix incorrect digest comparison from relatively simple files fuzzy_compare function is supposed to return 100 if given digests are identical. However, this function in version 2.12 returns 100 if the first substring is identical and second one is not. . This bug affects comparison of digests from relatively simple files. Since it's easy to reproduce, it affects reliability of this software. Author: Tsukasa OI <[email protected]> Applied-Upstream: 2.13-rc1, http://sourceforge.net/p/ssdeep/code/231/tree/ --- --- ssdeep-2.12.orig/fuzzy.c +++ ssdeep-2.12/fuzzy.c @@ -711,11 +711,8 @@ int fuzzy_compare(const char *str1, cons return -1; } - // Chop the first substring. We terminate the first substring - // and then advance the pointer to the start of the second substring. - *s1_2 = 0; + // Advance the pointer to the start of the second substring. s1_2++; - *s2_2 = 0; s2_2++; // Chop the second string at the comma--just before the filename. @@ -741,6 +738,10 @@ int fuzzy_compare(const char *str1, cons } } + // Chop the first substring. + s1_2[-1] = 0; + s2_2[-1] = 0; + // each signature has a string for two block sizes. We now // choose how to combine the two block sizes. We checked above // that they have at least one block size in common
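Review bot: In the hunk at @@ -711,11 +711,8 @@, once `*s1_2 = 0;` and `*s2_2 = 0;` are removed, the first substring is no longer NUL-terminated from this point until the `s1_2[-1] = 0;` added further down, so for that stretch it runs on through the ':' into the second substring. The replacement comment only says "Advance the pointer to the start of the second substring"; it should state that the termination is deliberately deferred and where it now happens, so that code inserted in between later does not treat the first substring as a terminated string.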
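Review bot: In the hunk at @@ -741,6 +738,10 @@, `s1_2[-1] = 0;` and `s2_2[-1] = 0;` land on the ':' separator only because of the single `s1_2++;` / `s2_2++;` left in the earlier hunk, and the comment "Chop the first substring." does not mention that dependency. Consider keeping the separator positions in their own pointers before incrementing, or at least note in the comment that index -1 is the ':' and that this chop must stay after the block closing just above it. The patch also carries no regression test; the two digests from the report, 3:urNZHi:0/C and 3:urNZHi:uJp, would make a direct one.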
file1.gz
Description: Binary data
file2.gz
Description: Binary data
--- End Message ---
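
The ordering defect described under [BUG], reduced to the identity shortcut alone, as an added example that is not part of the original report and is not ssdeep's code. `identity_shortcut` and its `chop_early` flag are hypothetical names, and the 256-byte working buffers are an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Model of the "are these digests identical?" shortcut only; this is not
 * ssdeep's fuzzy.c. A digest is "blocksize:first:second[,filename]".
 * chop_early=1 follows the 2.12 order (terminate the first substring, then
 * compare); chop_early=0 follows the patched order (compare, then terminate).
 * Returns 1 if the shortcut would report 100, 0 if not, -1 if malformed. */
int identity_shortcut(const char *d1, const char *d2, int chop_early)
{
    char a[256], b[256];             /* working copies; size is an assumption */
    char *a1, *b1, *a2, *b2, *comma;
    int same;
    if (strlen(d1) >= sizeof a || strlen(d2) >= sizeof b) return -1;
    strcpy(a, d1);
    strcpy(b, d2);
    a1 = strchr(a, ':');
    b1 = strchr(b, ':');
    if (!a1 || !b1) return -1;
    *a1++ = 0;                       /* a and b now hold only the block size */
    *b1++ = 0;
    a2 = strchr(a1, ':');
    b2 = strchr(b1, ':');
    if (!a2 || !b2) return -1;
    if (chop_early) {                /* 2.12: a1 and b1 shrink to "first" */
        *a2 = 0;
        *b2 = 0;
    }
    a2++;
    b2++;
    if ((comma = strchr(a2, ',')) != NULL) *comma = 0;   /* drop filename */
    if ((comma = strchr(b2, ',')) != NULL) *comma = 0;
    /* With chop_early set, the second substring is invisible to this test. */
    same = strcmp(a, b) == 0 && strcmp(a1, b1) == 0;
    if (!chop_early) {               /* patched: split only after the test */
        a2[-1] = 0;
        b2[-1] = 0;
    }
    return same;
}

int main(void)
{
    const char *f1 = "3:urNZHi:0/C,\"file1\"";   /* digests from the report */
    const char *f2 = "3:urNZHi:uJp,\"file2\"";
    printf("2.12 order:    %d\n", identity_shortcut(f1, f2, 1));
    printf("patched order: %d\n", identity_shortcut(f1, f2, 0));
    return 0;
}
```

The model covers only the shortcut; the score of 0 that 2.13 reports for these digests comes from the later comparison stage, which the report says skips short substrings.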
--- Begin Message ---
Source: ssdeep
Source-Version: 2.13-1

We believe that the bug you reported is fixed in the latest version of ssdeep, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joao Eriberto Mota Filho <[email protected]> (supplier of updated ssdeep package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 12 Jun 2015 18:19:28 -0300
Source: ssdeep
Binary: ssdeep libfuzzy2 libfuzzy2-dbg libfuzzy-dev
Architecture: source amd64
Version: 2.13-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Forensics <[email protected]>
Changed-By: Joao Eriberto Mota Filho <[email protected]>
Description:
 libfuzzy-dev - recursive piecewise hashing tool (development headers)
 libfuzzy2 - recursive piecewise hashing tool (library)
 libfuzzy2-dbg - recursive piecewise hashing tool (debugging symbols)
 ssdeep - recursive piecewise hashing tool
Closes: 703808 781568
Changes:
 ssdeep (2.13-1) experimental; urgency=medium
 .
   * Team upload.
   * New upstream release. (Closes: #703808, #781568)
   * debian/control:
       - Added the word 'forensics' to long description.
       - Updated the Vcs-* fields.
   * debian/copyright: full updated.
   * debian/libfuzzy2.docs: added to install the README file.
   * debian/libfuzzy2.symbols: updated.
   * debian/rules:
       - Added the variable DEB_BUILD_MAINT_OPTIONS to improve the GCC hardening.
       - Added the override_dh_installdocs target to install the 'NEWS' file in all binaries.
       - Removed the old-style definition about the LDFLAGS.
   * debian/watch: improved.
--- End Message ---
_______________________________________________
forensics-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/forensics-devel
