
group.of.nepali.translators team mailing list archive

[Bug 1979641] Re: mod_sed duplicates lines (in 2.4.29-1ubuntu4.24)

 

This bug was fixed in the package apache2 - 2.4.29-1ubuntu4.25

---------------
apache2 (2.4.29-1ubuntu4.25) bionic-security; urgency=medium

  * SECURITY REGRESSION: Previous fix for CVE-2022-30522 caused
    a regression
    - debian/patches/CVE-2022-30522.patch: removing line should be removed
      at the backport but was missing in modules/filters/sed1.c (LP: #1979641)

 -- Leonidas Da Silva Barbosa <leo.barbosa@xxxxxxxxxxxxx>  Thu, 23 Jun 2022 09:51:37 -0300

** Changed in: apache2 (Ubuntu Bionic)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-30522

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1979641

Title:
  mod_sed duplicates lines (in 2.4.29-1ubuntu4.24)

Status in apache2 package in Ubuntu:
  New
Status in apache2 source package in Trusty:
  In Progress
Status in apache2 source package in Xenial:
  In Progress
Status in apache2 source package in Bionic:
  Fix Released

Bug description:
  mod_sed can be used to modify content before it is sent back to the user, e.g. point URLs elsewhere.
  This worked as expected in Ubuntu 18.04 up to and including version 2.4.29-1ubuntu4.23.
  As of the Ubuntu 18.04 2.4.29-1ubuntu4.24 security update mod_sed now returns a mix of the original and modified content.

  Example /tmp/apachemodsed/apache.conf:

      ServerRoot              "/tmp/apachemodsed"
      PidFile                 "/tmp/apachemodsed/apache.pid"

      <Directory "/tmp/apachemodsed">
          Options Indexes FollowSymLinks
          AllowOverride None
          Require all granted
      </Directory>

      HostnameLookups off
      LogLevel        debug
      ErrorLog        /tmp/apachemodsed/error.log
      CustomLog       /tmp/apachemodsed/access.log "%t %h %u %U \"%r\" %D %>s %O"

      LoadModule authn_core_module    /usr/lib/apache2/modules/mod_authn_core.so
      LoadModule authz_core_module    /usr/lib/apache2/modules/mod_authz_core.so
      LoadModule mpm_event_module     /usr/lib/apache2/modules/mod_mpm_event.so
      LoadModule sed_module           /usr/lib/apache2/modules/mod_sed.so
      #LoadModule sed_module           /tmp/apachemodsed/2.4.29-1ubuntu4.23/mod_sed.so

      ServerName apachemodsed

      Listen 1234

      DocumentRoot            /tmp/apachemodsed/

      <Location "/testfile">
          SetOutputFilter Sed
          OutputSed "s/two/four/"
      </Location>

  Example /tmp/apachemodsed/testfile content:

      one
      two
      three

  Run apache with:

      apache2 -f /tmp/apachemodsed/apache.conf -X

  Expected output (given in 2.4.29-1ubuntu4.23 and below):

      one
      four
      three

  Actual output (in 2.4.29-1ubuntu4.24):

      one
      one
      four
      two
      three

  If mod_sed is being used to adjust URLs in HTML, the duplication of
  lines will badly break the HTML and any embedded scripting.

  The only changes listed in the changelog for 2.4.29-1ubuntu4.24 are security fixes.
  My guess is that this issue was introduced by this security fix:

      * SECURITY UPDATE: Denial of service
        - debian/patches/CVE-2022-30522.patch: limit mod_sed
          memory use in modules/filters/mod_sec.c,
          modules/filters/sed1.c.
        - CVE-2022-30522

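A regression check for the behaviour reported above, as an added example that is not part of the bug report or the Ubuntu package: it runs the OutputSed expression through the local sed(1) and classifies a saved response body. The function name `modsed_check`, its return codes and the temporary file names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a mod_sed response body.
# Returns 0 = body equals the local sed output,
#         1 = expected lines present in order, interleaved with untransformed
#             source lines (the duplication described in this bug),
#         2 = any other mismatch.
# Assumption: the OutputSed expression is also valid for the local sed(1).
modsed_check() {
    src=$1; expr=$2; body=$3
    exp=$(mktemp) || return 2
    sed -e "$expr" "$src" > "$exp"
    if cmp -s "$exp" "$body"; then rm -f "$exp"; return 0; fi
    total=$(($(wc -l < "$exp"))); i=1; extra=0; rc=1
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$i" -le "$total" ] && [ "$line" = "$(sed -n "${i}p" "$exp")" ]; then
            i=$((i + 1))                  # next expected line arrived in order
        elif grep -Fxq -e "$line" "$src"; then
            extra=$((extra + 1))          # stray copy of an original line
        else
            rc=2; break                   # content from neither source nor sed
        fi
    done < "$body"
    rm -f "$exp"
    [ "$rc" -eq 1 ] && [ "$i" -gt "$total" ] && [ "$extra" -gt 0 ] && return 1
    return 2
}

# Constructed demo using the testfile and the two outputs quoted in the report.
# Against the reporter's test server the body would be saved with e.g.
#   curl -s http://localhost:1234/testfile -o body.txt
d=$(mktemp -d)
printf 'one\ntwo\nthree\n'            > "$d/testfile"
printf 'one\nfour\nthree\n'           > "$d/good"
printf 'one\none\nfour\ntwo\nthree\n' > "$d/bad"
for f in good bad; do
    modsed_check "$d/testfile" 's/two/four/' "$d/$f" && r=0 || r=$?
    echo "$f: $r"
done
rm -rf "$d"
```

Running the same check before and after a package update shows whether a filter change altered the served content, which the changelog alone does not reveal.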