File curl-CVE-2025-14017.patch of Package curl.42129
From 39d1976b7f709a516e3243338ebc0443bdd8d56d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 4 Dec 2025 00:14:20 +0100
Subject: [PATCH] ldap: call ldap_init() before setting the options
Closes #19830
---
lib/ldap.c | 50 +++++++++++++++++++-------------------------------
1 file changed, 19 insertions(+), 31 deletions(-)
Index: curl-8.14.1/lib/ldap.c
===================================================================
--- curl-8.14.1.orig/lib/ldap.c
+++ curl-8.14.1/lib/ldap.c
@@ -375,16 +375,29 @@ static CURLcode ldap_do(struct Curl_easy
passwd = conn->passwd;
}
+#ifdef USE_WIN32_LDAP
+ if(ldap_ssl)
+ server = ldap_sslinit(host, (curl_ldap_num_t)conn->primary.remote_port, 1);
+ else
+#else
+ server = ldap_init(host, (curl_ldap_num_t)conn->primary.remote_port);
+#endif
+ if(!server) {
+ failf(data, "LDAP local: Cannot connect to %s:%u",
+ conn->host.dispname, conn->primary.remote_port);
+ result = CURLE_COULDNT_CONNECT;
+ goto quit;
+ }
+
#ifdef LDAP_OPT_NETWORK_TIMEOUT
- ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout);
+ ldap_set_option(server, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout);
#endif
- ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
+ ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
if(ldap_ssl) {
#ifdef HAVE_LDAP_SSL
#ifdef USE_WIN32_LDAP
/* Win32 LDAP SDK does not support insecure mode without CA! */
- server = ldap_sslinit(host, (curl_ldap_num_t)conn->primary.remote_port, 1);
ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON);
#else
int ldap_option;
@@ -404,7 +417,7 @@ static CURLcode ldap_do(struct Curl_easy
goto quit;
}
infof(data, "LDAP local: using PEM CA cert: %s", ldap_ca);
- rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca);
+ rc = ldap_set_option(server, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca);
if(rc != LDAP_SUCCESS) {
failf(data, "LDAP local: ERROR setting PEM CA cert: %s",
ldap_err2string(rc));
@@ -416,20 +429,13 @@ static CURLcode ldap_do(struct Curl_easy
else
ldap_option = LDAP_OPT_X_TLS_NEVER;
- rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option);
+ rc = ldap_set_option(server, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option);
if(rc != LDAP_SUCCESS) {
failf(data, "LDAP local: ERROR setting cert verify mode: %s",
ldap_err2string(rc));
result = CURLE_SSL_CERTPROBLEM;
goto quit;
}
- server = ldap_init(host, conn->primary.remote_port);
- if(!server) {
- failf(data, "LDAP local: Cannot connect to %s:%u",
- conn->host.dispname, conn->primary.remote_port);
- result = CURLE_COULDNT_CONNECT;
- goto quit;
- }
ldap_option = LDAP_OPT_X_TLS_HARD;
rc = ldap_set_option(server, LDAP_OPT_X_TLS, &ldap_option);
if(rc != LDAP_SUCCESS) {
@@ -438,15 +444,6 @@ static CURLcode ldap_do(struct Curl_easy
result = CURLE_SSL_CERTPROBLEM;
goto quit;
}
-/*
- rc = ldap_start_tls_s(server, NULL, NULL);
- if(rc != LDAP_SUCCESS) {
- failf(data, "LDAP local: ERROR starting SSL/TLS mode: %s",
- ldap_err2string(rc));
- result = CURLE_SSL_CERTPROBLEM;
- goto quit;
- }
-*/
#else
(void)ldap_option;
(void)ldap_ca;
@@ -465,15 +462,6 @@ static CURLcode ldap_do(struct Curl_easy
result = CURLE_NOT_BUILT_IN;
goto quit;
}
- else {
- server = ldap_init(host, (curl_ldap_num_t)conn->primary.remote_port);
- if(!server) {
- failf(data, "LDAP local: Cannot connect to %s:%u",
- conn->host.dispname, conn->primary.remote_port);
- result = CURLE_COULDNT_CONNECT;
- goto quit;
- }
- }
#ifdef USE_WIN32_LDAP
ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
rc = ldap_win_bind(data, server, user, passwd);
