Ubuntu
apache2 package

mod_sed duplicates lines (in 2.4.29-1ubuntu4.24)

Bionic (18.04)
Bug #1979641

Bug #1979641 reported by Cyan on 2022-06-23

256

This bug affects 1 person

	Status	Importance	Assigned to
apache2 (Ubuntu)	Invalid	Undecided	Unassigned
Trusty	Fix Released	Undecided	Leonidas S. Barbosa
Xenial	Fix Released	Undecided	Leonidas S. Barbosa
Bionic	Fix Released	Undecided	Leonidas S. Barbosa

Bug Description

mod_sed can be used to modify content before it is sent back to the user, e.g. point URLs elsewhere.
This worked as expected in Ubuntu 18.04 up to and including version 2.4.29-1ubuntu4.23.
As of the Ubuntu 18.04 2.4.29-1ubuntu4.24 security update mod_sed now returns a mix of the original and modified content.

Example /tmp/apachemodsed/apache.conf:

ServerRoot "/tmp/apachemodsed"
PidFile "/tmp/apachemodsed/apache.pid"

    <Directory "/tmp/apachemodsed">
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    HostnameLookups off
    LogLevel debug
    ErrorLog /tmp/apachemodsed/error.log
    CustomLog /tmp/apachemodsed/access.log "%t %h %u %U \"%r\" %D %>s %O"

    LoadModule authn_core_module /usr/lib/apache2/modules/mod_authn_core.so
    LoadModule authz_core_module /usr/lib/apache2/modules/mod_authz_core.so
    LoadModule mpm_event_module /usr/lib/apache2/modules/mod_mpm_event.so
    LoadModule sed_module /usr/lib/apache2/modules/mod_sed.so
    #LoadModule sed_module /tmp/apachemodsed/2.4.29-1ubuntu4.23/mod_sed.so

ServerName apachemodsed

Listen 1234

DocumentRoot /tmp/apachemodsed/

    <Location "/testfile">
        SetOutputFilter Sed
        OutputSed "s/two/four/"
    </Location>

Example /tmp/apachemodsed/testfile content:

    one
    two
    three

Run apache with:

apache2 -f /tmp/apachemodsed/apache.conf -X

Expected output (given in 2.4.29-1ubuntu4.23 and below):

    one
    four
    three

Actual output (in 2.4.29-1ubuntu4.24):

    one
    one
    four
    two
    three

If mod_sed is being used to adjust URLs in HTML, the duplication of lines will badly break the HTML and any embedded scripting.

The only changes listed in the changelog for 2.4.29-1ubuntu4.24 are security fixes.
My guess is that this issue was introduced by this security fix:

    * SECURITY UPDATE: Denial of service
      - debian/patches/CVE-2022-30522.patch: limit mod_sed
        memory use in modules/filters/mod_sec.c,
        modules/filters/sed1.c.
      - CVE-2022-30522

CVE References

2022-30522

Revision history for this message

Cyan (cyantechnology) wrote on 2022-06-23:

apache2.apport Edit (5.1 KiB, text/plain)

Revision history for this message

Leonidas S. Barbosa (leosilvab) wrote on 2022-06-23:

Thanks for report this issue. I'm working on a regression update asap.

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2022-06-23:

I am making this report public as it may be affecting more users.

information type:

Private Security → Public Security

Marc Deslauriers (mdeslaur) on 2022-06-23

Changed in apache2 (Ubuntu Trusty):
status:	New → Confirmed
Changed in apache2 (Ubuntu Xenial):
status:	New → In Progress
Changed in apache2 (Ubuntu Trusty):
status:	Confirmed → In Progress
Changed in apache2 (Ubuntu Bionic):
status:	New → In Progress
Changed in apache2 (Ubuntu Trusty):
assignee:	nobody → Leonidas S. Barbosa (leosilvab)
Changed in apache2 (Ubuntu Xenial):
assignee:	nobody → Leonidas S. Barbosa (leosilvab)
Changed in apache2 (Ubuntu Bionic):
assignee:	nobody → Leonidas S. Barbosa (leosilvab)

Revision history for this message

Launchpad Janitor (janitor) wrote on 2022-06-23:

This bug was fixed in the package apache2 - 2.4.29-1ubuntu4.25

---------------
apache2 (2.4.29-1ubuntu4.25) bionic-security; urgency=medium

  * SECURITY REGRESSION: Previous fix for CVE-2022-30522 caused
    a regression
    - debian/patches/CVE-2022-30522.patch: removing line should be removed
      at the backport but was missing in modules/filters/sed1.c (LP: #1979641)

-- Leonidas Da Silva Barbosa <email address hidden> Thu, 23 Jun 2022 09:51:37 -0300

Changed in apache2 (Ubuntu Bionic):
status:	In Progress → Fix Released

Leonidas S. Barbosa (leosilvab) on 2022-06-24

Changed in apache2 (Ubuntu Xenial):
status:	In Progress → Fix Released
Changed in apache2 (Ubuntu Trusty):
status:	In Progress → Fix Released

Revision history for this message

Cyan (cyantechnology) wrote on 2022-06-24:

I can confirm that 2.4.29-1ubuntu4.25 fixes the mod_sed issue for my use case.
Many thanks for the swift resolution.

Revision history for this message

Paride Legovini (paride) wrote on 2022-06-27:

I'm setting the devel release task status to Invalid as this bug never affected an Ubuntu devel release.

Changed in apache2 (Ubuntu):
status:	New → Invalid

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

apache2.apport Edit

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntuapache2 package

mod_sed duplicates lines (in 2.4.29-1ubuntu4.24)

Bug Description

CVE References

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
apache2 package