
enterprise-support team mailing list archive

[Bug 2119395] [NEW] CVE-2024-38474-regression.patch add an extra call to do_expand()

 

Public bug reported:

@see https://lists.apache.org/thread/x2mmhv2jykpsvxbhrxw3h4v2ffbsqck0 
@see https://github.com/apache/httpd/blob/0c0a5a323b1b250f821e87ac6bc3953742fa4e2b/modules/mappers/mod_rewrite.c#L4489

if (!(p->flags & RULEFLAG_NOSUB)) {
        int unsafe_qmark = -1;

        if (p->flags & RULEFLAG_UNSAFE_ALLOW3F) {
            newuri = do_expand(p->output, ctx, p, NULL, ctx->r->pool);
        }
        else {
            newuri = do_expand(p->output, ctx, p, &unsafe_qmark, ctx->r->pool);
        }
        // ...
}

There is only ONE call to do_expand().

CVE-2024-38474-regression.patch adds an EXTRA call to do_expand().

     /* expand the result */
     if (!(p->flags & RULEFLAG_NOSUB)) {
-        newuri = do_expand(p->output, ctx, p);
+        newuri = do_expand(p->output, ctx, p, NULL); // THIS LINE SHOULD BE REMOVED
+        int unsafe_qmark = -1;
+
+        if (p->flags & RULEFLAG_UNSAFE_ALLOW3F) {
+            newuri = do_expand(p->output, ctx, p, NULL);
+        }
+        else {
+            newuri = do_expand(p->output, ctx, p, &unsafe_qmark);
+        }
         rewritelog((r, 2, ctx->perdir, "rewrite '%s' -> '%s'", ctx->uri,
                     newuri));
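
Review bot: the first added line, `newuri = do_expand(p->output, ctx, p, NULL);`, is unconditional and its result is overwritten by whichever branch of the `if`/`else` on RULEFLAG_UNSAFE_ALLOW3F runs next, so every rule without RULEFLAG_NOSUB expands `p->output` twice. Drop that line so the branch makes the only call, matching the single call in the upstream snippet quoted earlier in this report. With it removed, `int unsafe_qmark = -1;` is again the first statement of the block, which also avoids a declaration placed after a statement.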


When used with 'RewriteMap xxx "prg:/path/to/external-prg"', this causes the external-prg to be called twice, giving an unexpected result.

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: apache2-bin 2.4.58-1ubuntu8.7
ProcVersionSignature: Ubuntu 6.8.0-57.59-generic 6.8.12
Uname: Linux 6.8.0-57-generic x86_64
ApportVersion: 2.28.1-0ubuntu3.8
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Sun Aug  3 17:32:16 2025
SourcePackage: apache2
UpgradeStatus: Upgraded to noble on 2025-04-16 (109 days ago)

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug noble wayland-session

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/2119395

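
An added diagnostic, not part of the original report and not Apache or Ubuntu code: a stand-in `prg:` RewriteMap program that logs every lookup it receives, so a build carrying the doubled do_expand() call shows two lookups for one matching request. The log path, the result format and the 50 ms window are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Diagnostic prg: RewriteMap program that records every lookup it answers."""
import sys
import time

LOG_PATH = "/tmp/rewritemap-lookups.log"  # assumed location, adjust as needed


def serve(stdin, stdout, log, clock=time.monotonic):
    """Answer one lookup per input line: mod_rewrite writes a key plus newline
    and waits for exactly one result line, so every write is flushed."""
    seq = 0
    for line in stdin:
        key = line.rstrip("\n")
        seq += 1
        log.write(f"{seq}\t{clock():.6f}\t{key}\n")
        log.flush()
        # The sequence number goes into the result (assumed format), so a
        # doubled call is also visible in the rewritten URL.
        stdout.write(f"{key}-lookup{seq}\n")
        stdout.flush()
    return seq


def repeated_lookups(log_lines, window=0.05):
    """Return (key, first_seq, second_seq) for back-to-back identical keys
    logged within `window` seconds. Two real requests for the same key in
    quick succession match too, so test with one request at a time."""
    hits = []
    prev = None
    for raw in log_lines:
        seq, ts, key = raw.rstrip("\n").split("\t", 2)
        cur = (int(seq), float(ts), key)
        if prev and prev[2] == key and cur[1] - prev[1] <= window:
            hits.append((key, prev[0], cur[0]))
        prev = cur
    return hits


if __name__ == "__main__":
    with open(LOG_PATH, "a", encoding="utf-8") as log:
        serve(sys.stdin, sys.stdout, log)
```

Point a test RewriteMap at this script, send a single request that hits the rule, and run `repeated_lookups` over the log; one request should produce one log line.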