Recent changes to 60: zip bomb and bzip2 compression

#60 zip bomb and bzip2 compression

Steven Schweda — Tue, 28 Dec 2021 05:43:52 -0000

I see that Mark Adler has addressed the zip bomb issue [...]

That code is incompatible with the LZMA and PPMd code in the current
development code, and it seems to have trouble with bzip2, too.

Adding this feature to UnZip (for all supported compression and
encryption schemes) is the current task, but I haven't had much time to
devote to it recently. Some progress is possible, however.

I would like an official organization and repository by product too,
to have a better development and contributions.

That might be nice.

#60 zip bomb and bzip2 compression

Neustradamus — Sun, 26 Dec 2021 19:58:22 -0000

I would like an official organization and repository by product too, to have a better development and contributions.

I think it is very important to do it quickly, we are in 2021, soon in 2022.

Linked to:
- https://sourceforge.net/p/infozip/feature-requests/8/
- https://sourceforge.net/p/infozip/bugs/60/
- https://sourceforge.net/p/infozip/bugs/66/

Note that Mark Adler has done a fork here:
- https://github.com/madler/unzip

zip bomb and bzip2 compression

Paul Marquess — Mon, 30 Sep 2019 08:25:22 -0000

I see that Mark Adler has addressed the zip bomb issue in https://github.com/madler/unzip, and not that Debian have foled these changes into their unzip (see here).

When testing Mark's fixed unzip with some zip files that use bzip2 compression, I notice that quite often I get the error "not enough memory for bomb detection".

Here is an example

$ zip -Z bzip2 lorem.zip lorem 
  adding: lorem (bzipped 31%)

$ ./unzip -t lorem.zip 
Archive:  lorem.zip
    testing: lorem                    OK
error: not enough memory for bomb detection
At least one error was detected in lorem.zip.

I've built unzip with the latest bzip2 sources (https://sourceware.org/pub/bzip2/bzip2-1.0.8.tar.gz).

Not sure if this is an issue with bzip2 or unzip.

Has anyone else noticed this?