From nobody Tue Jun 23 00:35:08 2026
Received: (at submit) by bugs.debian.org; 23 Jul 2025 21:00:45 +0000
Return-path: <daniel@haxx.se>
Received: from silly.haxx.se ([2a02:750:7:3305::2aa]:57070)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <daniel@haxx.se>) id 1uegZt-005wB0-2L
 for submit@bugs.debian.org; Wed, 23 Jul 2025 21:00:45 +0000
Received: by silly.haxx.se (Postfix, from userid 1001)
 id CACEB75B31; Wed, 23 Jul 2025 22:52:00 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
 by silly.haxx.se (Postfix) with ESMTP id CA13882496
 for <submit@bugs.debian.org>; Wed, 23 Jul 2025 22:52:00 +0200 (CEST)
Date: Wed, 23 Jul 2025 22:52:00 +0200 (CEST)
From: Daniel Stenberg <daniel@haxx.se>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libldap-dev: The openldap library aborts with an assert on an error.
Message-ID: <07ns4r2q-r05n-o5s7-72qs-9p7660oo6qrp@unkk.fr>
X-fromdanielhimself: yes
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
Delivered-To: submit@bugs.debian.org

Package: libldap-dev
Version: 2.6.10+dfsg-1
Severity: normal

Dear Maintainer,

While testing curl, we ran it against an LDAP server sending back crafted
contents. When doing this, we got OpenLDAP to abort due to an assert.

The fact that openldap aborts on an assert implies that the Debian build is a
debug one and not a release build, which seems wrong. A library should not
abort in production and the OpenLDAP library does not do that in release
builds.

The error is thus that Debian ships a debug build of OpenLDAP that gets used
in production by curl (and others).

This problem was originally reported against curl and there is a recipe and
lots of additional details here: https://hackerone.com/reports/3258022

The assert is probably an error too (but beside the point for this issue) and
I have reported it upstream to OpenLDAP here:
https://bugs.openldap.org/show_bug.cgi?id=10370

Thanks,

  / Daniel

-- System Information:
Debian Release: 13.0
   APT prefers unstable
   APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.27-amd64 (SMP w/24 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libldap-dev depends on:
ii  libldap2  2.6.10+dfsg-1

libldap-dev recommends no packages.

libldap-dev suggests no packages.

-- no debconf information

-- 

  / daniel.haxx.se || https://rock-solid.curl.dev
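The report above turns on one C build detail: assert() is a compile-time check that disappears when NDEBUG is defined, so a library built without -DNDEBUG aborts the whole process when an invariant fails, while a release-style build of the same source silently skips the check. The following is an added illustration, not code from OpenLDAP, curl or the Debian package. It uses a hypothetical length-prefixed field parser as a stand-in for a library routine that receives attacker-controlled bytes, shows the assert-based version next to one that reports malformed input as an ordinary error, and exposes whether the compiling build had asserts enabled. The sample inputs are constructed.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Returns 1 if this translation unit was compiled with assert() active
 * (no -DNDEBUG on the command line), 0 for a release-style build. A
 * library built the first way aborts the caller's process on a failed
 * assert; built the second way the same line compiles to nothing. */
int asserts_enabled(void)
{
#ifdef NDEBUG
    return 0;
#else
    return 1;
#endif
}

/* "Before" (hypothetical stand-in, not OpenLDAP code): the input is
 * assumed well-formed and the assumption is enforced with assert(). With
 * asserts enabled a crafted length byte aborts the process; with NDEBUG
 * the check vanishes and the caller gets a length pointing past the
 * buffer. Either way, assert() is the wrong tool for wire-derived data. */
size_t parse_field_assert(const uint8_t *buf, size_t len, const uint8_t **out)
{
    assert(len >= 1);
    size_t flen = buf[0];
    assert(flen <= len - 1);
    *out = buf + 1;
    return flen;
}

/* "After": malformed input is an expected runtime condition, reported to
 * the caller as an error code, so the behaviour no longer depends on how
 * the library happened to be built. Returns 0 on success, -1 on error. */
int parse_field_checked(const uint8_t *buf, size_t len,
                        const uint8_t **out, size_t *flen)
{
    if (len < 1)
        return -1;              /* no length byte at all */
    size_t n = buf[0];
    if (n > len - 1)
        return -1;              /* length claims more bytes than present */
    *out = buf + 1;
    *flen = n;
    return 0;
}

/* Constructed well-formed record: length 3 followed by 3 bytes.
 * Returns the parsed field length (3), or -1 if wrongly rejected. */
int demo_accepts_valid(void)
{
    const uint8_t ok[] = { 3, 'x', 'y', 'z' };
    const uint8_t *p;
    size_t n;
    if (parse_field_checked(ok, sizeof ok, &p, &n) != 0)
        return -1;
    return (int)n;
}

/* Constructed crafted record: length byte claims 200 bytes, only 3 follow.
 * Returns -1 from the checked parser; the assert-based parser would call
 * abort() here on a build with asserts enabled. */
int demo_rejects_crafted(void)
{
    const uint8_t crafted[] = { 200, 'a', 'b', 'c' };
    const uint8_t *p;
    size_t n;
    return parse_field_checked(crafted, sizeof crafted, &p, &n);
}

int main(void)
{
    printf("asserts enabled in this build: %d\n", asserts_enabled());
    printf("valid record -> field length %d\n", demo_accepts_valid());
    printf("crafted record -> checked parser returns %d\n",
           demo_rejects_crafted());
    /* Deliberately not called: with asserts enabled this aborts.
     * const uint8_t *p; parse_field_assert(crafted, 4, &p); */
    return 0;
}
```

Compile once plainly and once with -DNDEBUG and the first printed line flips between 1 and 0, which is the whole difference between the build the reporter expected and the one described above. To check an installed shared object rather than source, look at its dynamic symbol imports: with glibc, assert() expands to a call to __assert_fail, so `objdump -T` (or `nm -D`) on the library listing `__assert_fail` as an undefined symbol means asserts were compiled in, while a library built with -DNDEBUG has no such import. The path of the library to inspect (for example /usr/lib/x86_64-linux-gnu/libldap.so.2 on amd64) is an assumption about the local install, not something stated in the report.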