Recent changes to 85: Trailing Fake EOCD Causes Archive to be Interpreted as Empty in unzip 6.0https://sourceforge.net/p/infozip/bugs/85/Recent changes to 85: Trailing Fake EOCD Causes Archive to be Interpreted as Empty in unzip 6.0enTue, 24 Mar 2026 17:51:31 -0000#85 Trailing Fake EOCD Causes Archive to be Interpreted as Empty in unzip 6.0https://sourceforge.net/p/infozip/bugs/85/?limit=25#0bd8<div class="markdown_content"><p>Hey Ronish</p> <p>variations on this issue has been around for a while, but thanks for taking the time to formalise it in a ticket. Last one I heard of was embedding a complete zip file in the trailing zip comment.</p> <p>A use-case where this could be used is where the unzipping code works in streaming mode and walks the local directory entries in turn without bothering about the Central Dirsctory &amp; EOCD. In that case, the standard commandline tools would think this was a zip file with zero entries, but the streaming unzipper would see things differntly.</p></div>Paul MarquessTue, 24 Mar 2026 17:51:31 -0000https://sourceforge.net29c4048c6d5d55b2d71be84270a829698926e4ddTrailing Fake EOCD Causes Archive to be Interpreted as Empty in unzip 6.0https://sourceforge.net/p/infozip/bugs/85/<div class="markdown_content"><p>Severity: Medium (Integrity / Anti-forensics / Parser Differential)</p> <p>Affected Software:</p> <ul> <li>Info-ZIP UnZip 6.0 (confirmed)</li> <li>Other ZIP parsers using backward EOCD scanning (Python zipfile also affected)</li> </ul> <p>Summary:<br/> Appending a syntactically valid EOCD record (with zero entries) after the legitimate ZIP archive causes unzip 6.0 to select the fake EOCD during backward scanning.</p> <p>This results in the archive being interpreted as empty, despite containing valid files.</p> <p>Impact:</p> <ul> <li>Silent data integrity corruption</li> <li>Archive appears empty in listing tools</li> <li>Enables evasion of detection pipelines</li> <li>Enables inconsistent interpretation across tools</li> </ul> <p>Technical Details:</p> <ul> <li>unzip scans backward for EOCD signature</li> <li>It does not enforce that EOCD must terminate the archive</li> <li>Appended data is treated as valid search space</li> <li>First EOCD encountered is accepted without verifying:</li> <li>its relation to actual central directory</li> <li>file structure consistency</li> </ul> <p>Attack Construction:</p> <ol> <li>Create a valid ZIP archive</li> <li>Append arbitrary data after the archive 3. Embed a fake EOCD structure in appended data:</li> <li>zero entries</li> <li>empty central directory</li> <li>Ensure fake EOCD is found before the real EOCD during backward scan</li> </ol> <p>Observed Behavior:</p> <ul> <li>unzip -l → reports archive as empty</li> <li>zipinfo → shows 0 entries</li> <li>actual files remain present in archive</li> </ul> <p>Expected Behavior:</p> <ul> <li>EOCD must be validated against:</li> <li>archive size boundaries</li> <li>central directory location</li> <li>EOCD located outside valid archive region should be rejected</li> </ul> <p>Recommendation:</p> <ul> <li>Validate EOCD offset and central directory consistency</li> <li>Reject EOCD structures found in trailing data beyond archive bounds</li> <li>Enforce stricter structural integrity checks</li> </ul> <p>Disclosure Timeline:</p> <ul> <li>Discovery: 23/03/2026</li> <li>Report: 23/03/2026</li> </ul></div>Ronish BhattTue, 24 Mar 2026 15:09:00 -0000https://sourceforge.net3ac9d9d9f6498ff841ef1aa7d1a39dbaef8fffa1