group.of.nepali.translators team mailing list archive
Message #43490
[Bug 1979641] Re: mod_sed duplicates lines (in 2.4.29-1ubuntu4.24)
I'm setting the devel release task status to Invalid as this bug never
affected an Ubuntu devel release.
** Changed in: apache2 (Ubuntu)
       Status: New => Invalid
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1979641
Title:
  mod_sed duplicates lines (in 2.4.29-1ubuntu4.24)
Status in apache2 package in Ubuntu:
  Invalid
Status in apache2 source package in Trusty:
  Fix Released
Status in apache2 source package in Xenial:
  Fix Released
Status in apache2 source package in Bionic:
  Fix Released
Bug description:
mod_sed can be used to modify content before it is sent back to the user, e.g. point URLs elsewhere.
This worked as expected in Ubuntu 18.04 up to and including version 2.4.29-1ubuntu4.23.
As of the Ubuntu 18.04 2.4.29-1ubuntu4.24 security update mod_sed now returns a mix of the original and modified content.

Example /tmp/apachemodsed/apache.conf:

    ServerRoot "/tmp/apachemodsed"
    PidFile "/tmp/apachemodsed/apache.pid"
    <Directory "/tmp/apachemodsed">
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    HostnameLookups off
    LogLevel debug
    ErrorLog /tmp/apachemodsed/error.log
    CustomLog /tmp/apachemodsed/access.log "%t %h %u %U \"%r\" %D %>s %O"
    LoadModule authn_core_module /usr/lib/apache2/modules/mod_authn_core.so
    LoadModule authz_core_module /usr/lib/apache2/modules/mod_authz_core.so
    LoadModule mpm_event_module /usr/lib/apache2/modules/mod_mpm_event.so
    LoadModule sed_module /usr/lib/apache2/modules/mod_sed.so
    #LoadModule sed_module /tmp/apachemodsed/2.4.29-1ubuntu4.23/mod_sed.so
    ServerName apachemodsed
    Listen 1234
    DocumentRoot /tmp/apachemodsed/
    <Location "/testfile">
        SetOutputFilter Sed
        OutputSed "s/two/four/"
    </Location>

Example /tmp/apachemodsed/testfile content:

    one
    two
    three

Run apache with:

    apache2 -f /tmp/apachemodsed/apache.conf -X

Expected output (given in 2.4.29-1ubuntu4.23 and below):

    one
    four
    three

Actual output (in 2.4.29-1ubuntu4.24):

    one
    one
    four
    two
    three

If mod_sed is being used to adjust URLs in HTML, the duplication of
lines will badly break the HTML and any embedded scripting.
The only changes listed in the changelog for 2.4.29-1ubuntu4.24 are security fixes.
My guess is that this issue was introduced by this security fix:

    * SECURITY UPDATE: Denial of service
      - debian/patches/CVE-2022-30522.patch: limit mod_sed
        memory use in modules/filters/mod_sec.c,
        modules/filters/sed1.c.
      - CVE-2022-30522

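
Added example (not part of the bug report and not Apache or Ubuntu code): an offline check that compares a saved response body with what the OutputSed expression should produce from the original file, useful as a regression test after applying a mod_sed security update. The function name check_outputsed is hypothetical, and the sample data is constructed from the test file and the two outputs quoted in the report.

```shell
#!/bin/sh
# check_outputsed EXPR ORIGINAL_FILE RESPONSE_FILE   (hypothetical helper)
# Prints "OK" and returns 0 when RESPONSE_FILE equals `sed EXPR` applied to
# ORIGINAL_FILE; otherwise prints a MISMATCH summary and returns 1.
check_outputsed() {
    tmp=$(mktemp -d) || return 2
    # What a correctly working filter must send to the client.
    sed -e "$1" "$2" > "$tmp/expected"
    if cmp -s "$tmp/expected" "$3"; then
        rm -rf "$tmp"
        echo "OK"
        return 0
    fi
    # How many lines longer the response is than the correct output.
    extra=$(( $(wc -l < "$3") - $(wc -l < "$tmp/expected") ))
    # Original lines the rule rewrites (present in the source, absent from
    # the expected output) ...
    grep -Fxv -f "$tmp/expected" "$2" > "$tmp/rewritten" || true
    # ... that still show up unmodified in the response.
    leaked=$(grep -Fxc -f "$tmp/rewritten" "$3") || true
    rm -rf "$tmp"
    echo "MISMATCH extra_lines=$extra unmodified_lines=$leaked"
    return 1
}

# Constructed sample data, taken from the report's test file and outputs.
# Against a live test instance the response would instead be saved with:
#   curl -s http://localhost:1234/testfile > response
demo=$(mktemp -d)
printf 'one\ntwo\nthree\n'           > "$demo/testfile"
printf 'one\nfour\nthree\n'          > "$demo/response_4.23"
printf 'one\none\nfour\ntwo\nthree\n' > "$demo/response_4.24"

for r in response_4.23 response_4.24; do
    printf '%s: ' "$r"
    check_outputsed 's/two/four/' "$demo/testfile" "$demo/$r" || true
done
rm -rf "$demo"
```

A non-zero extra_lines together with a non-zero unmodified_lines is the pattern described in this report: the response carries both the rewritten line and the original line it should have replaced.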