Package: libldap-dev
Version: 2.6.10+dfsg-1
Severity: normal
Dear Maintainer,

While testing curl, we ran it against an LDAP server sending back crafted
contents. When doing this, we got OpenLDAP to abort due to an assert.

The fact that OpenLDAP aborts on an assert implies that the Debian build is a
debug one and not a release build, which seems wrong. A library should not
abort in production and the OpenLDAP library does not do that in release
builds.

The error is thus that Debian ships a debug build of OpenLDAP that gets used
in production by curl (and others).

This problem was originally reported against curl and there is a recipe and
lots of additional details here: https://hackerone.com/reports/3258022

The assert is probably an error too (but beside the point for this issue) and
I have reported it upstream to OpenLDAP here:
https://bugs.openldap.org/show_bug.cgi?id=10370
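An added illustration, not code from OpenLDAP, curl or this report: a toy length-prefixed field decoder (hypothetical names decode_field_assert and decode_field_checked) showing why an assert on peer-supplied data aborts the process in a build compiled without NDEBUG and silently becomes an unchecked read when NDEBUG is defined, next to the form that returns an error instead; asserts_enabled() reports which way the unit was compiled.

```c
/* Added example, not OpenLDAP code. A one-byte length prefix followed by
 * that many payload bytes stands in for a wire-protocol field; the peer
 * controls both, exactly the situation in which assert() is the wrong tool. */
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* 1 if assert() is live in this translation unit (built without -DNDEBUG,
 * i.e. a "debug" build), 0 if it was compiled out (a release build). */
int asserts_enabled(void)
{
#ifdef NDEBUG
    return 0;
#else
    return 1;
#endif
}

/* Anti-pattern: treats a claim made by the remote peer as an invariant.
 * Debug build: crafted input triggers abort(), taking the caller down.
 * Release build: the check vanishes and memcpy reads past the end of buf. */
size_t decode_field_assert(const unsigned char *buf, size_t n,
                           unsigned char *out, size_t outsz)
{
    assert(n >= 1);
    size_t len = buf[0];
    assert(len <= n - 1 && len <= outsz);
    memcpy(out, buf + 1, len);
    return len;
}

/* Hardened form: validate the peer-supplied length on every build and
 * report malformed input to the caller. Returns the payload length copied
 * into out, or -1 if the field is truncated or too large for out. */
long decode_field_checked(const unsigned char *buf, size_t n,
                          unsigned char *out, size_t outsz)
{
    if (n == 0)
        return -1;
    size_t len = buf[0];
    if (len > n - 1 || len > outsz)
        return -1;
    memcpy(out, buf + 1, len);
    return (long)len;
}
```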
Thanks,
/ Daniel
-- System Information:
Debian Release: 13.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.27-amd64 (SMP w/24 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored:
LC_ALL set to en_US.UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libldap-dev depends on:
ii libldap2 2.6.10+dfsg-1
libldap-dev recommends no packages.
libldap-dev suggests no packages.
-- no debconf information
--
/ daniel.haxx.se || https://rock-solid.curl.dev