• Bug#1109791: libldap-dev: The openldap library aborts with an assert on

    From Daniel Stenberg@21:1/5 to All on Wed Jul 23 23:10:01 2025
    Package: libldap-dev
    Version: 2.6.10+dfsg-1
    Severity: normal

    Dear Maintainer,

    While testing curl, we ran it against an LDAP server sending back crafted contents. When doing this, we got OpenLDAP to abort due to an assert.

    The fact that openldap aborts on an assert implies that the Debian build is a debug one and not a release build, which seems wrong. A library should not abort in production and the OpenLDAP library does not do that in release builds.

    The error is thus that Debian ships a debug build of OpenLDAP that gets used
    in production by curl (and others).

    This problem was originally reported against curl and there is a recipe and lots of additional details here: https://hackerone.com/reports/3258022

    The assert is probably an error too (but beside the point for this issue) and
    I have reported it upstream to OpenLDAP here: https://bugs.openldap.org/show_bug.cgi?id=10370

    Thanks,

    / Daniel

    -- System Information:
    Debian Release: 13.0
    APT prefers unstable
    APT policy: (500, 'unstable')
    Architecture: amd64 (x86_64)

    Kernel: Linux 6.12.27-amd64 (SMP w/24 CPU threads; PREEMPT)
    Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
    Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored:
    LC_ALL set to en_US.UTF-8), LANGUAGE=en_US:en
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages libldap-dev depends on:
    ii libldap2 2.6.10+dfsg-1

    libldap-dev recommends no packages.

    libldap-dev suggests no packages.

    -- no debconf information

    --

    / daniel.haxx.se || https://rock-solid.curl.dev

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Ryan Tandy@21:1/5 to All on Thu Jul 24 07:00:01 2025
    Hello Daniel,

    NDEBUG was discussed a few years ago in <https://bugs.openldap.org/show_bug.cgi?id=8240>.

    The package is built with --enable-debug intentionally, so that users
    can enable debug logging if they need it. Some valuable diagnostics, for example TLS diagnostics, are only available via debug logging.

    I thought it was generally preferred from a security perspective to keep assert() enabled in production, so that programs fail fast rather than
    get into invalid states that might potentially be exploitable. I'm not
    sure whether Debian has any official guidance on this, but see for
    example <https://lists.debian.org/debian-devel/2013/02/msg00124.html>.

    thanks,
    Ryan

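An added illustration of the trade-off Ryan describes (assert() failing fast versus a library proceeding on malformed data), not code from OpenLDAP, curl or this bug report; the BER-like element format, the function names and the sample inputs are constructed for the example.

```c
#include <assert.h>
#include <stddef.h>

/* Constructed: a "tag, one-byte length, value" element, standing in for the kind of
   structure an LDAP client library decodes from a server's response. */
typedef struct { unsigned char tag; size_t len; const unsigned char *val; } elem_t;

/* Fail-fast style: the shape of the peer's data is checked with assert(). Built without
   NDEBUG (the --enable-debug situation discussed above) a crafted response aborts the whole
   process that linked the library, e.g. a curl client; built with NDEBUG the checks vanish
   and the function reads past the buffer instead. Shown only to make the failure mode visible. */
int decode_elem_assert(const unsigned char *buf, size_t n, elem_t *out) {
    assert(n >= 2);                      /* header present */
    assert((size_t)buf[1] <= n - 2);     /* declared length fits in what was received */
    out->tag = buf[0];
    out->len = buf[1];
    out->val = buf + 2;
    return 0;
}

/* Defensive style: the same conditions as explicit validation returning an error the caller
   can handle. Behaves identically with or without NDEBUG, so the library neither aborts its
   host process nor continues on malformed input. */
int decode_elem_checked(const unsigned char *buf, size_t n, elem_t *out) {
    if (buf == NULL || out == NULL || n < 2)
        return -1;                       /* truncated header */
    if ((size_t)buf[1] > n - 2)
        return -2;                       /* length claims more bytes than were received */
    out->tag = buf[0];
    out->len = buf[1];
    out->val = buf + 2;
    return 0;
}

/* Constructed sample inputs: a well-formed OCTET STRING "abc", and one whose declared
   length (0x7f) exceeds the single value byte actually received. */
static const unsigned char GOOD[]    = { 0x04, 0x03, 'a', 'b', 'c' };
static const unsigned char CRAFTED[] = { 0x04, 0x7f, 'a' };

/* Convenience wrapper returning only the status code of the checked decoder. */
int checked_status(const unsigned char *buf, size_t n) {
    elem_t e;
    return decode_elem_checked(buf, n, &e);
}

/* Returns 1 when the checked decoder accepts GOOD (tag 0x04, length 3) and rejects CRAFTED
   with an error code instead of trapping: the property a library used on untrusted input wants. */
int checked_decoder_rejects_crafted(void) {
    elem_t e;
    if (decode_elem_checked(GOOD, sizeof GOOD, &e) != 0 || e.tag != 0x04 || e.len != 3)
        return 0;
    return checked_status(CRAFTED, sizeof CRAFTED) == -2;
}
```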
  • From Daniel Stenberg@21:1/5 to John Scott on Thu Jul 24 18:10:01 2025
    On Thu, 24 Jul 2025, John Scott wrote:

> In conclusion, it looks like upstream's default is to build assertions in, and it's not obvious if downstream distributors are supposed to pass --disable-debug explicitly.

Given this information, it certainly seems like I made some wrong assumptions. If indeed OpenLDAP themselves do this (and ship with asserts aborting by default), then I think the problem (because I think it is a problem) is theirs to fix and not Debian's as I had presumed.

    Thanks,

    --

    / daniel.haxx.se
