mod_sed duplicates lines (in 2.4.29-1ubuntu4.24)

Bug #1979641 reported by Cyan
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)
Invalid
Undecided
Unassigned
Trusty
Fix Released
Undecided
Leonidas S. Barbosa
Xenial
Fix Released
Undecided
Leonidas S. Barbosa
Bionic
Fix Released
Undecided
Leonidas S. Barbosa

Bug Description

mod_sed can be used to modify content before it is sent back to the user, e.g. point URLs elsewhere.
This worked as expected in Ubuntu 18.04 up to and including version 2.4.29-1ubuntu4.23.
As of the Ubuntu 18.04 2.4.29-1ubuntu4.24 security update mod_sed now returns a mix of the original and modified content.

Example /tmp/apachemodsed/apache.conf:

    ServerRoot "/tmp/apachemodsed"
    PidFile "/tmp/apachemodsed/apache.pid"

    <Directory "/tmp/apachemodsed">
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    HostnameLookups off
    LogLevel debug
    ErrorLog /tmp/apachemodsed/error.log
    CustomLog /tmp/apachemodsed/access.log "%t %h %u %U \"%r\" %D %>s %O"

    LoadModule authn_core_module /usr/lib/apache2/modules/mod_authn_core.so
    LoadModule authz_core_module /usr/lib/apache2/modules/mod_authz_core.so
    LoadModule mpm_event_module /usr/lib/apache2/modules/mod_mpm_event.so
    LoadModule sed_module /usr/lib/apache2/modules/mod_sed.so
    #LoadModule sed_module /tmp/apachemodsed/2.4.29-1ubuntu4.23/mod_sed.so

    ServerName apachemodsed

    Listen 1234

    DocumentRoot /tmp/apachemodsed/

    <Location "/testfile">
        SetOutputFilter Sed
        OutputSed "s/two/four/"
    </Location>

Example /tmp/apachemodsed/testfile content:

    one
    two
    three

Run apache with:

    apache2 -f /tmp/apachemodsed/apache.conf -X

Expected output (given in 2.4.29-1ubuntu4.23 and below):

    one
    four
    three

Actual output (in 2.4.29-1ubuntu4.24):

    one
    one
    four
    two
    three

If mod_sed is being used to adjust URLs in HTML, the duplication of lines will badly break the HTML and any embedded scripting.

The only changes listed in the changelog for 2.4.29-1ubuntu4.24 are security fixes.
My guess is that this issue was introduced by this security fix:

    * SECURITY UPDATE: Denial of service
      - debian/patches/CVE-2022-30522.patch: limit mod_sed
        memory use in modules/filters/mod_sec.c,
        modules/filters/sed1.c.
      - CVE-2022-30522

CVE References

Revision history for this message
Cyan (cyantechnology) wrote :
Revision history for this message
Leonidas S. Barbosa (leosilvab) wrote :

Thanks for report this issue. I'm working on a regression update asap.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I am making this report public as it may be affecting more users.

information type: Private Security → Public Security
Changed in apache2 (Ubuntu Trusty):
status: New → Confirmed
Changed in apache2 (Ubuntu Xenial):
status: New → In Progress
Changed in apache2 (Ubuntu Trusty):
status: Confirmed → In Progress
Changed in apache2 (Ubuntu Bionic):
status: New → In Progress
Changed in apache2 (Ubuntu Trusty):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in apache2 (Ubuntu Xenial):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in apache2 (Ubuntu Bionic):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.29-1ubuntu4.25

---------------
apache2 (2.4.29-1ubuntu4.25) bionic-security; urgency=medium

  * SECURITY REGRESSION: Previous fix for CVE-2022-30522 caused
    a regression
    - debian/patches/CVE-2022-30522.patch: removing line should be removed
      at the backport but was missing in modules/filters/sed1.c (LP: #1979641)

 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 23 Jun 2022 09:51:37 -0300

Changed in apache2 (Ubuntu Bionic):
status: In Progress → Fix Released
Changed in apache2 (Ubuntu Xenial):
status: In Progress → Fix Released
Changed in apache2 (Ubuntu Trusty):
status: In Progress → Fix Released
Revision history for this message
Cyan (cyantechnology) wrote :

I can confirm that 2.4.29-1ubuntu4.25 fixes the mod_sed issue for my use case.
Many thanks for the swift resolution.

Revision history for this message
Paride Legovini (paride) wrote :

I'm setting the devel release task status to Invalid as this bug never affected an Ubuntu devel release.

Changed in apache2 (Ubuntu):
status: New → Invalid
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.