A Better Zip Bomb

https://www.bamsoftware.com/hacks/zipbomb/

35•kekqqq•1h ago

Comments

kleiba•37m ago

In one of my previous jobs, I got laid off in the most condescending way, only to be asked days later by my former boss to send her some documents. If only I knew about this then...

colechristensen•14m ago

Don't commit felonies because you're unhappy with your former employer.

cuechan•31m ago

Is it possible to implement something similar but with a protocol that supports compression? Can we have a zip bomb but with a compressed http response that gets decompressed on the client? There are many protocols that support compression in some way.

542458•20m ago

Okay, so I know back in the day you could choke scanning software (ie email attachment scanners) by throwing a zip bomb into them. I believe the software has gotten smarter these days so it won’t simply crash when that happens - but how is this done; How does one detect a zip bomb?

danudey•17m ago

I don't understand the code itself, but here's Debian's patch to detect overlapping zip bombs in `unzip`:

https://sources.debian.org/patches/unzip/6.0-29/23-cve-2019-...

    The detection maintains a list of covered spans of the zip files
    so far, where the central directory to the end of the file and any
    bytes preceding the first entry at zip file offset zero are
    considered covered initially. Then as each entry is decompressed
    or tested, it is considered covered. When a new entry is about to
    be processed, its initial offset is checked to see if it is
    contained by a covered span. If so, the zip file is rejected as
    invalid.

So effectively it seems as though it just keeps track of which parts of the zip file have already been 'used', and if a new entry in the zip file starts in a 'used' section then it fails.

danudey•19m ago

Debian's `unzip` utility, which is based off of Info-ZIP but with a number of patches, errors out on overlapping files, though not before making a 21 MB file named `0` - presumably the only non-overlapping file.

    unzip zbsm.zip
    Archive:  zbsm.zip
      inflating: 0
    error: invalid zip file with overlapped components (possible zip bomb)

This seems to have been done in a patch to address https://nvd.nist.gov/vuln/detail/cve-2019-13232

https://sources.debian.org/patches/unzip/6.0-29/23-cve-2019-...

Unix v4 tape raw binary image recovered

Choosing the Right Python Docker Image for Finance Workloads

Reddit seems down following release of Epstein Files

Advancing Low-Light Raw Enhancement by Retasking Diffusion Models for Camera ISP

How we made SeaORM synchronous

U.S. strikes ISIS targets in Syria, after 2 soldiers and interpreter were killed

The most outlandish tech CEO quotes from 2025

Contra DSPy and GEPA

Show HN: Substats – Growth and revenue data on top Substacks

Show HN: Context Engine – open-source primitives for agent context management

Let's Build the GPT Tokenizer - Andrej Karpathy

Show HN: Prompt optimizer for vibe-coding with LLMs

What do people love about Rust?

Anthropic says AI sentiment is positive. Their data tells a different story

Notable Book Covers of 2025

Why You Should Never Again Utter The Word, “CIFS” (2012)

Growth of renewable energy is Science's 2025 Breakthrough of the Year

Epstein Files Released by DOJ

Transition of Adobe eBook Platform to Harman

Shriram Krishnamurthi's Pedagogy Recommendations

Epstein

Trust the Process

Trending Django Projects in 2025

EB1 visa gives some hope after H1B changes

Pound – Light-weight reverse proxy, load balancer and HTTPS front-end

Show HN: Merview – OSS Mermaid and Markdown Editor and Viewer

Ceratizit Agrees to Pay $54M to Settle Evaded Customs on PRC Tungsten Carbide

Show HN: ScreenCaptureKit-rs – Safe Rust bindings for macOS screen capture

Stanford computer science grads find their degrees no longer guarantee jobs

How to have polygenically screened children using IVF