Libarchive Bsdtar Unbounded Memory Allocation Vulnerability in Substitution Processing

Vulnerability

A denial-of-service vulnerability has been identified in libarchive's bsdtar component, prior to version 3.8.1. The issue arises in the 'apply_substitution' function within 'tar/subst.c', where crafted '-s' substitution rules can trigger an infinite loop. This loop occurs when the search pattern matches the empty string under global replacement, leading to unbounded memory growth and eventual out-of-memory crashes.

Impact

Exploitation of this vulnerability causes an infinite loop that consumes CPU resources and leads to out-of-memory conditions, crashing the process. This behavior can disrupt command-line workflows, continuous integration jobs, and server-side packaging services that use bsdtar. In privileged environments, repeated exploitation can degrade or terminate other co-located services.

Reproduction

The vulnerability can be reproduced by creating a directory or file with at least one entry to archive, then running bsdtar with the '-s' option and a substitution rule whose pattern is empty or matches the empty string (for example an anchor or certain regular expressions) with the global flag enabled. This triggers the infinite loop in the 'apply_substitution' function.

Remediation

To address this vulnerability, the substitution processing code should be modified to prevent infinite loops caused by zero-length pattern matches. This can be done by breaking out of the loop for that rule, or by ensuring that the search position advances after every match, including zero-length ones.
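The loop-termination rule described above, as an added C example that is not libarchive's code: a global substitution over POSIX extended regexes (a stand-in for bsdtar's own engine; the names subst_global, append and subst_equals are hypothetical) that copies one input byte after any zero-length match so the search position always advances, and stops when the empty match lands at the end of the input.

```c
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <stdlib.h>
#include <string.h>

/* Append n bytes to a growable NUL-terminated buffer; 0 on success, -1 on OOM. */
static int append(char **buf, size_t *len, size_t *cap, const char *s, size_t n)
{
    if (*len + n + 1 > *cap) {
        size_t ncap = *cap ? *cap : 64;
        while (ncap < *len + n + 1) ncap *= 2;
        char *nb = realloc(*buf, ncap);
        if (nb == NULL) return -1;
        *buf = nb; *cap = ncap;
    }
    memcpy(*buf + *len, s, n); *len += n; (*buf)[*len] = '\0';
    return 0;
}

/* Global ERE substitution (hypothetical stand-in for bsdtar's 'g' flag).
 * Returns a malloc'd string (caller frees) or NULL on error. Without the
 * zero-length branch below, regexec re-matches the empty string at the same
 * offset forever and `repl` is appended without bound (the advisory's OOM). */
char *subst_global(const char *pattern, const char *repl, const char *input)
{
    regex_t re; regmatch_t m; char *out = NULL; size_t len = 0, cap = 0;
    const char *p = input; int eflags = 0, rc = 0;
    if (regcomp(&re, pattern, REG_EXTENDED) != 0) return NULL;
    for (;;) {
        if (regexec(&re, p, 1, &m, eflags) != 0) {         /* no further match */
            rc = append(&out, &len, &cap, p, strlen(p)); break;
        }
        if (append(&out, &len, &cap, p, (size_t)m.rm_so) != 0 ||
            append(&out, &len, &cap, repl, strlen(repl)) != 0) { rc = -1; break; }
        if (m.rm_eo == m.rm_so) {            /* zero-length match: the fix */
            if (p[m.rm_eo] == '\0') break;   /* matched at end of input: done */
            if (append(&out, &len, &cap, p + m.rm_eo, 1) != 0) { rc = -1; break; }
            p += m.rm_eo + 1;                /* copy one byte so we always advance */
        } else p += m.rm_eo;
        eflags = REG_NOTBOL;                 /* '^' must not match again mid-string */
    }
    regfree(&re); if (rc != 0) { free(out); out = NULL; }
    return out;
}

/* 1 if substitution yields `expected` (NULL expected means "must fail"). */
int subst_equals(const char *pat, const char *repl, const char *in, const char *expected)
{
    char *r = subst_global(pat, repl, in);
    int ok = r ? (expected && strcmp(r, expected) == 0) : (expected == NULL);
    free(r); return ok;
}
```

Note that this variant permits an empty match immediately after a non-empty one (Perl-like), which differs from sed; either convention terminates, which is the property the fix needs.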

Added: Nov 5, 2025, 4:18 PM
Updated: Nov 5, 2025, 4:18 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 6.0
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.