enterprise-support team mailing list archive
Message #10943
[Bug 2119395] [NEW] CVE-2024-38474-regression.patch add an extra call to do_expand()
Public bug reported:
@see https://lists.apache.org/thread/x2mmhv2jykpsvxbhrxw3h4v2ffbsqck0
@see https://github.com/apache/httpd/blob/0c0a5a323b1b250f821e87ac6bc3953742fa4e2b/modules/mappers/mod_rewrite.c#L4489
    if (!(p->flags & RULEFLAG_NOSUB)) {
        int unsafe_qmark = -1;
        if (p->flags & RULEFLAG_UNSAFE_ALLOW3F) {
            newuri = do_expand(p->output, ctx, p, NULL, ctx->r->pool);
        }
        else {
            newuri = do_expand(p->output, ctx, p, &unsafe_qmark, ctx->r->pool);
        }
        // ...
    }
There is only ONE call to do_expand().
CVE-2024-38474-regression.patch adds an EXTRA call to do_expand().
/* expand the result */
if (!(p->flags & RULEFLAG_NOSUB)) {
- newuri = do_expand(p->output, ctx, p);
+ newuri = do_expand(p->output, ctx, p, NULL); // THIS LINE SHOULD BE REMOVED
+ int unsafe_qmark = -1;
+
+ if (p->flags & RULEFLAG_UNSAFE_ALLOW3F) {
+ newuri = do_expand(p->output, ctx, p, NULL);
+ }
+ else {
+ newuri = do_expand(p->output, ctx, p, &unsafe_qmark);
+ }
rewritelog((r, 2, ctx->perdir, "rewrite '%s' -> '%s'", ctx->uri,
newuri));
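Review bot: The first added line, `newuri = do_expand(p->output, ctx, p, NULL);`, runs unconditionally and its result is overwritten by the if/else that follows, so p->output is expanded twice for every matching rule and anything the expansion triggers happens twice. Drop that line so newuri is assigned only inside the RULEFLAG_UNSAFE_ALLOW3F branches; `int unsafe_qmark = -1;` then becomes the first statement of the block, which also avoids a declaration placed after a statement.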
When used with 'RewriteMap xxx "prg:/path/to/external-prg"', this causes the external-prg to be called twice, giving an unexpected result.
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: apache2-bin 2.4.58-1ubuntu8.7
ProcVersionSignature: Ubuntu 6.8.0-57.59-generic 6.8.12
Uname: Linux 6.8.0-57-generic x86_64
ApportVersion: 2.28.1-0ubuntu3.8
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Sun Aug 3 17:32:16 2025
SourcePackage: apache2
UpgradeStatus: Upgraded to noble on 2025-04-16 (109 days ago)
** Affects: apache2 (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug noble wayland-session
--
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/2119395
Title:
CVE-2024-38474-regression.patch add an extra call to do_expand()
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2119395/+subscriptions
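
A diagnostic check for the double invocation described in the report, added here as an example and not part of the original message or of Apache httpd: a stand-in external-prg for a `RewriteMap ... "prg:..."` map that logs every lookup it receives, plus a function that flags the same key arriving twice in quick succession. The mapping in `answer()`, the log path and the 0.5 s window are assumptions.

```python
#!/usr/bin/env python3
"""Diagnostic RewriteMap "prg:" helper: answers lookups and records each one."""
import sys
import time

DUP_WINDOW = 0.5  # seconds; assumed threshold for "same request"
LOG_PATH = "/tmp/rewritemap-lookups.log"  # assumed location, adjust as needed


def answer(key):
    """Hypothetical mapping: lower-case the key; the string NULL means no match."""
    return key.lower() if key else "NULL"


def serve(stdin, stdout, log, clock=time.monotonic):
    """mod_rewrite writes one key per line and reads one line back per key."""
    for seq, line in enumerate(stdin, 1):
        key = line.rstrip("\n")
        log.write(f"{seq}\t{clock():.6f}\t{key}\n")
        log.flush()
        stdout.write(answer(key) + "\n")
        stdout.flush()  # an unflushed reply leaves httpd waiting on the pipe


def find_double_lookups(log_lines, window=DUP_WINDOW):
    """Return (seq, key) for each lookup that repeats the previous key in window."""
    hits, prev = [], None
    for line in log_lines:
        seq, ts, key = line.rstrip("\n").split("\t", 2)
        ts = float(ts)
        if prev and key == prev[1] and ts - prev[0] <= window:
            hits.append((int(seq), key))
            prev = None  # count each pair once
        else:
            prev = (ts, key)
    return hits


if __name__ == "__main__":
    with open(LOG_PATH, "a") as log:
        serve(sys.stdin, sys.stdout, log)
```

Send a single test request through the rule and then run `find_double_lookups()` over the log: one request should leave one line per map reference in the substitution, so a flagged pair points at the extra expansion. Two real requests for the same key inside the window would also be flagged, so test on an otherwise idle server.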