Releases: meltedkeyboard/ZEROPACK

ZEROPACK v11.2.4

18 May 19:24

Release date: 18.05.2026

Added

  • Terminal-aware layout rendering for the list command
  • Platform-specific ioctl (TIOCGWINSZ) system calls for dynamic terminal size detection
  • Environment variable fallback mechanism (COLUMNS) for non-interactive shells
  • Optimal column truncating algorithm to adapt to terminal sizes

ZEROPACK 11.2.3

17 May 06:44

Release date: 17.05.2026

Security fixes

  • [HIGH] Integer overflow in object bounds calculation (extract.rs)
    Object offset and length fields (stored as i64) were cast to usize
    directly without validation. A malformed or maliciously crafted archive could
    trigger a panic, silent wraparound on 32-bit platforms, or out-of-bounds reads
    against the memory-mapped container. All casts are now done via
    usize::try_from() with checked_add() on the result, followed by an
    explicit bounds check against the mmap size. Any invalid archive is rejected
    cleanly with an error message.

  • [HIGH] Denial-of-service via oversized TOC (parse.rs)
    The TOC length field is a u32 read directly from the archive header. Nothing
    prevented a crafted file from declaring a 4 GB TOC, causing the process to
    attempt a single vec![0u8; 4_294_967_295] allocation and exhaust available
    memory. A soft limit of 256 MB is now enforced by default. Archives exceeding this
    threshold are rejected with a clear error message. Legitimate oversized archives
    can still be processed by passing --force.
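
The two fixes above, sketched as an added Rust example; this is not ZEROPACK's source code. TOC_SIZE_LIMIT and the 256 MB value come from these release notes, while the function names, the error type and the 64-byte buffer standing in for the memory-mapped container are assumptions made for illustration.

```rust
use std::convert::TryFrom;
use std::ops::Range;

// Value from the release notes (256 MB soft limit on the TOC).
const TOC_SIZE_LIMIT: usize = 256 * 1024 * 1024;

#[derive(Debug, PartialEq)]
enum ArchiveError {
    BadField,           // negative, or too large for usize on this platform
    Overflow,           // offset + length wrapped
    OutOfBounds,        // range ends past the mapped container
    TocTooLarge(usize), // declared TOC exceeds the limit and --force not given
}

// Turn untrusted i64 offset/length fields into a range proven to lie inside
// a container of `map_len` bytes. Hypothetical helper, not ZEROPACK's API.
fn object_range(offset: i64, length: i64, map_len: usize) -> Result<Range<usize>, ArchiveError> {
    let start = usize::try_from(offset).map_err(|_| ArchiveError::BadField)?;
    let len = usize::try_from(length).map_err(|_| ArchiveError::BadField)?;
    let end = start.checked_add(len).ok_or(ArchiveError::Overflow)?;
    if end > map_len {
        return Err(ArchiveError::OutOfBounds);
    }
    Ok(start..end)
}

// Check the u32 TOC length from the header before any allocation happens.
fn toc_len(declared: u32, force: bool) -> Result<usize, ArchiveError> {
    let len = usize::try_from(declared).map_err(|_| ArchiveError::BadField)?;
    if len > TOC_SIZE_LIMIT && !force {
        return Err(ArchiveError::TocTooLarge(len));
    }
    Ok(len)
}

fn main() {
    let container = vec![0u8; 64]; // constructed stand-in for the mmap
    for &(off, len) in [(16i64, 32i64), (-1, 8), (60, 8), (i64::MAX, 1)].iter() {
        match object_range(off, len, container.len()) {
            Ok(r) => println!("{}+{}: ok, {} bytes", off, len, container[r].len()),
            Err(e) => println!("{}+{}: rejected ({:?})", off, len, e),
        }
    }
    println!("4 GB TOC: {:?}", toc_len(u32::MAX, false));
    println!("4 GB TOC with --force: {:?}", toc_len(u32::MAX, true));
}
```

On 64-bit targets the sum of two non-negative i64 values always fits in usize, so the checked_add branch matters mainly on 32-bit platforms, which is the wraparound case the fix description calls out.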

New flags

  • --force — bypasses the TOC size safety limit for list and extract
    commands. Use only with archives from trusted sources.

Constants

  • TOC_SIZE_LIMIT = 256 MB added to format.rs as a single tunable constant.

Compatibility

No changes to the binary container format. All existing .zp containers produced
by 11.x remain fully readable without modification.

ZEROPACK v11.2.2

02 May 09:47

Reviewed and polished the CLI UX logic.

Now:

[user@archlinux zeropack]$ ./zeropack_11.2.2_linux_amd64 
ZEROPACK v11.2.2
USAGE: zeropack <COMMAND> [OPTIONS]

COMMANDS:
    add             <DIR> <OUT>  [--password <PASS>]
    list            <FILE>       [--password <PASS>] [--filter <PATH>]
    pack, create    <DIR> <OUT>  [--password <PASS>]
    unpack, extract <FILE> <DIR> [--password <PASS>] [--filter <PATH>]
[user@archlinux zeropack]$ 

Before:

[user@archlinux zeropack]$ ./zeropack_11.2.1_linux_amd64 
ZEROPACK v11.2.1
Usage: <COMMAND> [OPTIONS]
add <input_dir> <output_file> [--password <pass>]
list <input_file> [--password <pass>] [--filter <path>]
pack <input_dir> <output_file> [--password <pass>]
create <input_dir> <output_file> [--password <pass>]
unpack <input_file> <output_dir> [--password <pass>] [--filter <path>]
extract <input_file> <output_dir> [--password <pass>] [--filter <path>]
[user@archlinux zeropack]$ 

ZEROPACK v11.2.1

02 May 09:09

add.rs now imports functions from other modules instead of copy-pasting them:

  • compute_hmac, derive_master_key, derive_sub_key, encrypt_no_aad, HmacWriter from crypto
  • everything from format
  • collect_files, encrypt_file_chunks, hash_file, insert_tree, uuid_no_dashes from pack
  • parse_container from parse
  • encrypt_tree from tree