mod_sed duplicates lines (in 2.4.29-1ubuntu4.24)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
apache2 (Ubuntu) | Invalid | Undecided | Unassigned | |
Trusty | Fix Released | Undecided | Leonidas S. Barbosa | |
Xenial | Fix Released | Undecided | Leonidas S. Barbosa | |
Bionic | Fix Released | Undecided | Leonidas S. Barbosa | |
Bug Description
mod_sed can be used to modify content before it is sent back to the user, e.g. point URLs elsewhere.
This worked as expected in Ubuntu 18.04 up to and including version 2.4.29-1ubuntu4.23.
As of the Ubuntu 18.04 2.4.29-1ubuntu4.24 security update mod_sed now returns a mix of the original and modified content.
Example /tmp/apachemods
ServerRoot "/tmp/apachemodsed"
PidFile "/tmp/apachemod
<Directory "/tmp/apachemod
Options Indexes FollowSymLinks
Require all granted
</Directory>
HostnameLookups off
LogLevel debug
ErrorLog /tmp/apachemods
CustomLog /tmp/apachemods
LoadModule authn_core_module /usr/lib/
LoadModule authz_core_module /usr/lib/
LoadModule mpm_event_module /usr/lib/
LoadModule sed_module /usr/lib/
#LoadModule sed_module /tmp/apachemods
ServerName apachemodsed
Listen 1234
DocumentRoot /tmp/apachemodsed/
<Location "/testfile">
OutputSed "s/two/four/"
</Location>
Example /tmp/apachemods
one
two
three
Run apache with:
apache2 -f /tmp/apachemods
Expected output (given in 2.4.29-1ubuntu4.23 and below):
one
four
three
Actual output (in 2.4.29-
one
one
four
two
three
If mod_sed is being used to adjust URLs in HTML, the duplication of lines will badly break the HTML and any embedded scripting.
The only changes listed in the changelog for 2.4.29-1ubuntu4.24 are security fixes.
My guess is that this issue was introduced by this security fix:
* SECURITY UPDATE: Denial of service
- debian/
memory use in modules/
- CVE-2022-30522
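A regression check for the behaviour reported above, as an added example that is not part of the original report or of the apache2 package: it compares a served body against the source file passed through the same sed expression and counts surplus lines. The function names, sample file names and the localhost URL are assumptions; the sample contents are constructed from the report's listings.

```shell
#!/bin/sh
# Regression check for an OutputSed rule after a package update.
# Assumption: the rule's sed expression is also valid for the local sed(1).

# expected_body SOURCE SED_EXPR -> prints what the filter should emit
expected_body() {
    sed -e "$2" "$1"
}

# surplus_lines SOURCE SED_EXPR BODY -> prints (body lines - expected lines);
# a value above 0 means the filter emitted extra or repeated lines.
surplus_lines() {
    want=$(expected_body "$1" "$2" | wc -l)
    got=$(wc -l < "$3")
    echo $((got - want))
}

# check_outputsed SOURCE SED_EXPR BODY
# returns 0 when BODY is exactly the filtered SOURCE, 1 on mismatch, 2 on bad input
check_outputsed() {
    [ -r "$1" ] && [ -r "$3" ] || { echo "unreadable input" >&2; return 2; }
    tmp=$(mktemp) || return 2
    expected_body "$1" "$2" > "$tmp"
    if cmp -s "$tmp" "$3"; then
        rm -f "$tmp"
        return 0
    fi
    echo "OutputSed mismatch, surplus lines: $(surplus_lines "$1" "$2" "$3")" >&2
    diff -u "$tmp" "$3" >&2 || true
    rm -f "$tmp"
    return 1
}

# make_samples DIR: writes the report's test file and both outputs (constructed)
make_samples() {
    printf 'one\ntwo\nthree\n' > "$1/testfile"
    printf 'one\nfour\nthree\n' > "$1/body.good"
    printf 'one\none\nfour\ntwo\nthree\n' > "$1/body.bad"
}

# Live use (placeholder path; port and location taken from the report's config):
#   curl -s http://localhost:1234/testfile > body
#   sh check.sh /path/to/docroot/testfile 's/two/four/' body
if [ "$#" -eq 3 ]; then
    check_outputsed "$1" "$2" "$3"
fi
```

Run after each apache2 update on a host that relies on OutputSed; a non-zero exit status means the served content no longer matches the filter rule.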
Changed in apache2 (Ubuntu Trusty):
status: New → Confirmed
Changed in apache2 (Ubuntu Xenial):
status: New → In Progress
Changed in apache2 (Ubuntu Trusty):
status: Confirmed → In Progress
Changed in apache2 (Ubuntu Bionic):
status: New → In Progress
Changed in apache2 (Ubuntu Trusty):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in apache2 (Ubuntu Xenial):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in apache2 (Ubuntu Bionic):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in apache2 (Ubuntu Xenial):
status: In Progress → Fix Released
Changed in apache2 (Ubuntu Trusty):
status: In Progress → Fix Released
Thanks for reporting this issue. I'm working on a regression update ASAP.