Just because it's another slow news day, here's another interesting bit of obscure news. Researcher David Fifield created a new type of zip bomb that packs 4.5PB of uncompressed data into a 46MB base file. The concept itself is not unique: a zip file called 42.zip has floated around the web for years, and that one packs 4.5PB of data into just 42KB.
But what makes the new effort unique is that it doesn't use recursion. The main implication here is that this new zip bomb will not be detected by current anti-virus software.
The reason zip bombs use recursion is because the DEFLATE algorithm used in ZIP parsers can’t achieve a compression ratio higher than 1032:1. If you want more compression than that, you have to recurse. Fifield discovered a way to bypass this limit. As he writes on his blog:
This article shows how to construct a non-recursive zip bomb whose compression ratio surpasses the DEFLATE limit of 1032. It works by overlapping files inside the zip container, in order to reference a “kernel” of highly compressed data in multiple files, without making multiple copies of it. The zip bomb’s output size grows quadratically in the input size; i.e., the compression ratio gets better as the bomb gets bigger. The construction depends on features of both zip and DEFLATE—it is not directly portable to other file formats or compression algorithms. It is compatible with most zip parsers, the exceptions being “streaming” parsers that parse in one pass without first consulting the zip file’s central directory.
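Since the construction relies on several central directory entries pointing into the same compressed "kernel", the central directory is also where a defender can look for it. The following is an added example, not code from Fifield's article: it reads each entry's local header offset and sizes (via Python's standard `zipfile` module) and flags three things the quoted passage makes checkable: an entry whose declared ratio exceeds the 1032:1 DEFLATE limit, entries whose local header regions overlap, and an implausibly large total declared output. The 1 GiB total limit, the `Entry` type and the helper names are assumptions made here; the overlap check assumes local headers carry no extra field, which makes the computed span a lower bound and so avoids false positives on ordinary archives.

```python
import os
import tempfile
import zipfile
from dataclasses import dataclass

DEFLATE_MAX_RATIO = 1032      # theoretical DEFLATE limit quoted in the article
LOCAL_HEADER_FIXED = 30       # fixed part of a ZIP local file header, in bytes
TOTAL_SIZE_LIMIT = 1 << 30    # assumed policy: refuse archives declaring > 1 GiB of output


@dataclass
class Entry:
    """Metadata for one central directory entry (assumed helper type)."""
    name: str
    header_offset: int        # offset of the local file header inside the archive
    compress_size: int
    file_size: int


def entries_from_zip(path):
    """Read entry metadata from the central directory, without inflating anything."""
    with zipfile.ZipFile(path) as zf:
        return [Entry(i.filename, i.header_offset, i.compress_size, i.file_size)
                for i in zf.infolist()]


def scan_entries(entries):
    """Return a list of (kind, message) findings; an empty list means nothing suspicious."""
    findings = []
    total_declared = 0
    for e in entries:
        total_declared += e.file_size
        ratio = e.file_size / max(e.compress_size, 1)
        if ratio > DEFLATE_MAX_RATIO:
            findings.append(("ratio", f"{e.name}: {ratio:.0f}:1 exceeds the DEFLATE limit"))
    if total_declared > TOTAL_SIZE_LIMIT:
        findings.append(("total", f"declared output {total_declared} bytes exceeds limit"))

    # Overlap check: walk entries in offset order and compare each header offset
    # with the end of the previous entry's local header plus compressed data.
    # Assumption: no extra field in the local header, so the span is a lower bound.
    ordered = sorted(entries, key=lambda e: e.header_offset)
    for prev, cur in zip(ordered, ordered[1:]):
        prev_end = (prev.header_offset + LOCAL_HEADER_FIXED
                    + len(prev.name.encode("utf-8")) + prev.compress_size)
        if cur.header_offset < prev_end:
            findings.append(("overlap", f"{cur.name} shares data with {prev.name}"))
    return findings


def is_suspicious(entries):
    return bool(scan_entries(entries))


def build_benign_sample():
    """Constructed sample: a normal two-file deflated archive written to a temp dir."""
    path = os.path.join(tempfile.mkdtemp(), "benign.zip")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", "A" * 1000)
        zf.writestr("b.txt", "B" * 1000)
    return path


if __name__ == "__main__":
    benign = entries_from_zip(build_benign_sample())
    print("benign archive findings:", scan_entries(benign))
    # Constructed metadata shaped like the quoted technique: two names, one kernel.
    shared_kernel = [Entry("k0", 0, 100, 1_000_000), Entry("k1", 0, 100, 1_000_000)]
    for kind, msg in scan_entries(shared_kernel):
        print(kind, "-", msg)
```

Because the check uses only the central directory, it fits exactly the parsers the article says are affected; a streaming parser would never see the shared offsets in the first place. Run it before any inflation step, since the whole point of the bomb is that inflating is what hurts.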