
Commit 56841b5

[AutoPR- Security] Patch cmake for CVE-2025-14017 [MEDIUM] (#15475)
Co-authored-by: BinduSri-6522866 <v-badabala@microsoft.com>
1 parent b57b278 commit 56841b5

4 files changed

Lines changed: 126 additions & 5 deletions


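--- a/SPECS/cmake/CVE-2025-14017.patch
+++ b/SPECS/cmake/CVE-2025-14017.patch
@@ -0,0 +1,117 @@
+From 1d14696f2939b065332bcd54a42fbac46bee9ff5 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Fri, 9 Jan 2026 04:45:45 +0000
+Subject: [PATCH] ldap: call ldap_init() before setting the options
+
+Closes #19830
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/curl/curl/commit/39d1976b7f709a516e324333.patch
+---
+Utilities/cmcurl/lib/ldap.c | 49 ++++++++++++++-----------------------
+1 file changed, 19 insertions(+), 30 deletions(-)
+
+diff --git a/Utilities/cmcurl/lib/ldap.c b/Utilities/cmcurl/lib/ldap.c
+index 678b4d5a..b664e991 100644
+--- a/Utilities/cmcurl/lib/ldap.c
++++ b/Utilities/cmcurl/lib/ldap.c
+@@ -364,16 +364,29 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
+passwd = conn->passwd;
+}
+
++#ifdef USE_WIN32_LDAP
++ if(ldap_ssl)
++ server = ldap_sslinit(host, conn->primary.remote_port, 1);
++ else
++#else
++ server = ldap_init(host, conn->primary.remote_port);
++#endif
++ if(!server) {
++ failf(data, "LDAP: cannot setup connect to %s:%u",
++ conn->host.dispname, conn->primary.remote_port);
++ result = CURLE_COULDNT_CONNECT;
++ goto quit;
++ }
++
+#ifdef LDAP_OPT_NETWORK_TIMEOUT
+- ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout);
++ ldap_set_option(server, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout);
+#endif
+- ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
++ ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
+
+if(ldap_ssl) {
+#ifdef HAVE_LDAP_SSL
+#ifdef USE_WIN32_LDAP
+/* Win32 LDAP SDK doesn't support insecure mode without CA! */
+- server = ldap_sslinit(host, conn->primary.remote_port, 1);
+ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON);
+#else
+int ldap_option;
+@@ -441,7 +454,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
+goto quit;
+}
+infof(data, "LDAP local: using PEM CA cert: %s", ldap_ca);
+- rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca);
++ rc = ldap_set_option(server, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca);
+if(rc != LDAP_SUCCESS) {
+failf(data, "LDAP local: ERROR setting PEM CA cert: %s",
+ldap_err2string(rc));
+@@ -453,20 +466,13 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
+else
+ldap_option = LDAP_OPT_X_TLS_NEVER;
+
+- rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option);
++ rc = ldap_set_option(server, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option);
+if(rc != LDAP_SUCCESS) {
+failf(data, "LDAP local: ERROR setting cert verify mode: %s",
+ldap_err2string(rc));
+result = CURLE_SSL_CERTPROBLEM;
+goto quit;
+}
+- server = ldap_init(host, conn->primary.remote_port);
+- if(!server) {
+- failf(data, "LDAP local: Cannot connect to %s:%u",
+- conn->host.dispname, conn->primary.remote_port);
+- result = CURLE_COULDNT_CONNECT;
+- goto quit;
+- }
+ldap_option = LDAP_OPT_X_TLS_HARD;
+rc = ldap_set_option(server, LDAP_OPT_X_TLS, &ldap_option);
+if(rc != LDAP_SUCCESS) {
+@@ -475,15 +481,6 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
+result = CURLE_SSL_CERTPROBLEM;
+goto quit;
+}
+-/*
+- rc = ldap_start_tls_s(server, NULL, NULL);
+- if(rc != LDAP_SUCCESS) {
+- failf(data, "LDAP local: ERROR starting SSL/TLS mode: %s",
+- ldap_err2string(rc));
+- result = CURLE_SSL_CERTPROBLEM;
+- goto quit;
+- }
+-*/
+#else
+(void)ldap_option;
+(void)ldap_ca;
+@@ -502,15 +499,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
+result = CURLE_NOT_BUILT_IN;
+goto quit;
+}
+- else {
+- server = ldap_init(host, conn->primary.remote_port);
+- if(!server) {
+- failf(data, "LDAP local: Cannot connect to %s:%u",
+- conn->host.dispname, conn->primary.remote_port);
+- result = CURLE_COULDNT_CONNECT;
+- goto quit;
+- }
+- }
++
+#ifdef USE_WIN32_LDAP
+ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
+rc = ldap_win_bind(data, server, user, passwd);
+--
+2.45.4
+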
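Review bot: The `#else` in the added `#ifdef USE_WIN32_LDAP` block (patch lines 22-28) leaves a dangling `else` when USE_WIN32_LDAP is defined, because the `ldap_init()` line is compiled out and the `else` binds to the following `if(!server)` check. In that configuration a non-SSL connection never assigns `server` before the check, and the SSL path skips the NULL check on the `ldap_sslinit()` result. Closing the conditional before the call, as in `else` / `#endif` / `server = ldap_init(host, conn->primary.remote_port);`, makes `ldap_init()` the `else` body on Windows and the unconditional call elsewhere. USE_WIN32_LDAP is presumably not defined for this Linux package, so the defect is likely latent here, but the backport is worth comparing against upstream's current ldap.c. ldap_do() starts and ends outside the hunk.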

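--- a/SPECS/cmake/cmake.spec
+++ b/SPECS/cmake/cmake.spec
@@ -2,7 +2,7 @@
 Summary: Cmake
 Name: cmake
 Version: 3.30.3
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: BSD AND LGPLv2+
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -32,6 +32,7 @@ Patch12: CVE-2025-5917.patch
 Patch13: CVE-2025-5918.patch
 Patch14: CVE-2025-9301.patch
 Patch15: CVE-2025-10148.patch
+Patch16: CVE-2025-14017.patch
 
 BuildRequires: bzip2
 BuildRequires: bzip2-devel
@@ -112,6 +113,9 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure
 %{_libdir}/rpm/macros.d/macros.cmake
 
 %changelog
+* Fri Jan 09 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.30.3-11
+- Patch for CVE-2025-14017
+
 * Sat Sep 13 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.30.3-10
 - Patch for CVE-2025-10148
 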

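--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -51,8 +51,8 @@ check-debuginfo-0.15.2-1.azl3.aarch64.rpm
 chkconfig-1.25-1.azl3.aarch64.rpm
 chkconfig-debuginfo-1.25-1.azl3.aarch64.rpm
 chkconfig-lang-1.25-1.azl3.aarch64.rpm
-cmake-3.30.3-10.azl3.aarch64.rpm
-cmake-debuginfo-3.30.3-10.azl3.aarch64.rpm
+cmake-3.30.3-11.azl3.aarch64.rpm
+cmake-debuginfo-3.30.3-11.azl3.aarch64.rpm
 coreutils-9.4-6.azl3.aarch64.rpm
 coreutils-debuginfo-9.4-6.azl3.aarch64.rpm
 coreutils-lang-9.4-6.azl3.aarch64.rpm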

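--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -54,8 +54,8 @@ check-debuginfo-0.15.2-1.azl3.x86_64.rpm
 chkconfig-1.25-1.azl3.x86_64.rpm
 chkconfig-debuginfo-1.25-1.azl3.x86_64.rpm
 chkconfig-lang-1.25-1.azl3.x86_64.rpm
-cmake-3.30.3-10.azl3.x86_64.rpm
-cmake-debuginfo-3.30.3-10.azl3.x86_64.rpm
+cmake-3.30.3-11.azl3.x86_64.rpm
+cmake-debuginfo-3.30.3-11.azl3.x86_64.rpm
 coreutils-9.4-6.azl3.x86_64.rpm
 coreutils-debuginfo-9.4-6.azl3.x86_64.rpm
 coreutils-lang-9.4-6.azl3.x86_64.rpm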
