From 39d1976b7f709a516e3243338ebc0443bdd8d56d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 4 Dec 2025 00:14:20 +0100
Subject: [PATCH] ldap: call ldap_init() before setting the options
Closes #19830
---
lib/ldap.c | 50 +++++++++++++++++++-------------------------------
1 file changed, 19 insertions(+), 31 deletions(-)
Index: curl-7.37.0/lib/ldap.c
===================================================================
--- curl-7.37.0.orig/lib/ldap.c
+++ curl-7.37.0/lib/ldap.c
@@ -206,16 +206,29 @@ static CURLcode Curl_ldap(struct connect
infof(data, "LDAP local: trying to establish %s connection\n",
ldap_ssl ? "encrypted" : "cleartext");
+#ifdef CURL_LDAP_WIN
+ if(ldap_ssl)
+ server = ldap_sslinit(conn->host.name, (int)conn->port, 1);
+ else
+#else
+ server = ldap_init(conn->host.name, (int)conn->port);
+#endif
+ if(server == NULL) {
+ failf(data, "LDAP local: Cannot connect to %s:%ld",
+ conn->host.name, conn->port);
+ status = CURLE_COULDNT_CONNECT;
+ goto quit;
+ }
+
#ifdef LDAP_OPT_NETWORK_TIMEOUT
- ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout);
+ ldap_set_option(server, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout);
#endif
- ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
+ ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
if(ldap_ssl) {
#ifdef HAVE_LDAP_SSL
#ifdef CURL_LDAP_WIN
/* Win32 LDAP SDK doesn't support insecure mode without CA! */
- server = ldap_sslinit(conn->host.name, (int)conn->port, 1);
ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON);
#else
int ldap_option;
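Review bot: The `#else` on the new line between `else` and `server = ldap_init(...)` is almost certainly meant to be `#endif`: as written, under `CURL_LDAP_WIN` the `ldap_init()` call is compiled out and the dangling `else` binds to the following `if(server == NULL)` statement, so a cleartext Windows connection never creates a handle (and fails the NULL check only if `server` was initialised to NULL earlier in the function, which is outside this hunk), while the `ldap_sslinit()` result is never NULL-checked at all. The intended shape is `#ifdef CURL_LDAP_WIN` / `if(ldap_ssl) server = ldap_sslinit(conn->host.name, (int)conn->port, 1); else` / `#endif` / `server = ldap_init(conn->host.name, (int)conn->port);`, i.e. change `#else` to `#endif` and drop the `#endif` that follows the `ldap_init()` line, so both platforms reach the NULL check. This looks like a backport slip against 7.37.0 rather than an upstream change, so it is worth comparing with the upstream commit. `Curl_ldap` begins before and continues past this hunk.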
@@ -283,7 +296,7 @@ static CURLcode Curl_ldap(struct connect
goto quit;
}
infof(data, "LDAP local: using PEM CA cert: %s\n", ldap_ca);
- rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca);
+ rc = ldap_set_option(server, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca);
if(rc != LDAP_SUCCESS) {
failf(data, "LDAP local: ERROR setting PEM CA cert: %s",
ldap_err2string(rc));
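Review bot: Now that `ldap_init()` runs before this option is set, the `goto quit` taken when `LDAP_OPT_X_TLS_CACERTFILE` cannot be set leaves a live `server` handle behind, which was not the case before the reordering; this is only safe if the `quit:` label (outside this hunk) already does `if(server) ldap_unbind_s(server);` for every early exit, which I cannot confirm from the patch. If it does not, the failure branch here should release the handle, e.g. `ldap_unbind_s(server); server = NULL;` before `goto quit`, or `quit:` should be made to handle it. A short comment on the option call, `/* server exists from here on: every goto quit must unbind it */`, would make the new ownership rule visible to the next maintainer.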
@@ -295,20 +308,13 @@ static CURLcode Curl_ldap(struct connect
else
ldap_option = LDAP_OPT_X_TLS_NEVER;
- rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option);
+ rc = ldap_set_option(server, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option);
if(rc != LDAP_SUCCESS) {
failf(data, "LDAP local: ERROR setting cert verify mode: %s",
ldap_err2string(rc));
status = CURLE_SSL_CERTPROBLEM;
goto quit;
}
- server = ldap_init(conn->host.name, (int)conn->port);
- if(server == NULL) {
- failf(data, "LDAP local: Cannot connect to %s:%ld",
- conn->host.name, conn->port);
- status = CURLE_COULDNT_CONNECT;
- goto quit;
- }
ldap_option = LDAP_OPT_X_TLS_HARD;
rc = ldap_set_option(server, LDAP_OPT_X_TLS, &ldap_option);
if(rc != LDAP_SUCCESS) {
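Review bot: Moving `LDAP_OPT_X_TLS_REQUIRE_CERT` (and the CA file above it) from the global `NULL` handle onto `server` is the right fix for the cross-transfer leakage of verify settings, but on OpenLDAP per-handle TLS options are only consulted when a TLS context is created for that handle; if the handle inherited an already-created context from the global defaults, these settings are silently ignored unless `LDAP_OPT_X_TLS_NEWCTX` is set on the handle afterwards, which would leave certificate verification weaker than `ldap_option` suggests. I cannot tell from this patch whether the target libldap behaves that way for a freshly created handle, so it is worth confirming and, if needed, adding after the `LDAP_OPT_X_TLS_HARD` call something like `int newctx = 0; rc = ldap_set_option(server, LDAP_OPT_X_TLS_NEWCTX, &newctx);` with the same `rc != LDAP_SUCCESS` handling as its neighbours. A comment such as `/* per-handle TLS options; must precede any TLS context creation for this handle */` would record the ordering the reordered code now depends on. `Curl_ldap` continues outside this hunk.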
@@ -317,15 +323,6 @@ static CURLcode Curl_ldap(struct connect
status = CURLE_SSL_CERTPROBLEM;
goto quit;
}
-/*
- rc = ldap_start_tls_s(server, NULL, NULL);
- if(rc != LDAP_SUCCESS) {
- failf(data, "LDAP local: ERROR starting SSL/TLS mode: %s",
- ldap_err2string(rc));
- status = CURLE_SSL_CERTPROBLEM;
- goto quit;
- }
-*/
#else
/* we should probably never come up to here since configure
should check in first place if we can support LDAP SSL/TLS */
@@ -337,15 +334,6 @@ static CURLcode Curl_ldap(struct connect
#endif
#endif /* CURL_LDAP_USE_SSL */
}
- else {
- server = ldap_init(conn->host.name, (int)conn->port);
- if(server == NULL) {
- failf(data, "LDAP local: Cannot connect to %s:%ld",
- conn->host.name, conn->port);
- status = CURLE_COULDNT_CONNECT;
- goto quit;
- }
- }
#ifdef CURL_LDAP_WIN
ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
#endif