diff --git a/debian/changelog b/debian/changelog
index abaa11b..028b5a6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+python-ldap (3.4.4-1deepin2) unstable; urgency=medium
+
+ * Fix CVE-2025-61912: correctly escape null bytes in escape_dn_chars
+ according to RFC 4514 to prevent client-side denial of service.
+
+ -- deepin-ci-robot Thu, 07 May 2026 20:02:44 +0800
+
+python-ldap (3.4.4-1deepin1) unstable; urgency=medium
+
+ * Fix CVE-2025-61911: enforce str type for escape_filter_chars to
+ prevent LDAP injection attacks via crafted list/dict objects.
+
+ -- deepin-ci-robot Thu, 07 May 2026 19:58:16 +0800
+
 python-ldap (3.4.4-1) unstable; urgency=low
 
 * New upstream version 3.4.4
diff --git a/debian/patches/0003-CVE-2025-61911.patch b/debian/patches/0003-CVE-2025-61911.patch
new file mode 100644
index 0000000..5fdeab6
--- /dev/null
+++ b/debian/patches/0003-CVE-2025-61911.patch
@@ -0,0 +1,29 @@
+Index: github-python-ldap-scout/Lib/ldap/filter.py
+===================================================================
+--- github-python-ldap-scout.orig/Lib/ldap/filter.py
++++ github-python-ldap-scout/Lib/ldap/filter.py
+@@ -24,6 +24,8 @@ def escape_filter_chars(assertion_value,
+ If 1 all NON-ASCII chars are escaped.
+ If 2 all chars are escaped.
+ """
++ if not isinstance(assertion_value, str):
++ raise TypeError("assertion_value must be of type str.")
+ if escape_mode:
+ r = []
+ if escape_mode==1:
+Index: github-python-ldap-scout/Tests/t_ldap_filter.py
+===================================================================
+--- github-python-ldap-scout.orig/Tests/t_ldap_filter.py
++++ github-python-ldap-scout/Tests/t_ldap_filter.py
+@@ -50,6 +50,11 @@ class TestDN(unittest.TestCase):
+ r'\c3\a4\c3\b6\c3\bc\c3\84\c3\96\c3\9c\c3\9f'
+ )
+
++ with self.assertRaises(TypeError):
++ escape_filter_chars(["abc@*()/xyz"], escape_mode=1)
++ with self.assertRaises(TypeError):
++ escape_filter_chars({"abc@*()/xyz": 1}, escape_mode=1)
++
+ def test_escape_filter_chars_mode2(self):
+ """
+ test function escape_filter_chars() with escape_mode=2
diff --git a/debian/patches/0004-CVE-2025-61912.patch b/debian/patches/0004-CVE-2025-61912.patch
new file mode 100644
index 0000000..fe457e1
--- /dev/null
+++ b/debian/patches/0004-CVE-2025-61912.patch
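Review bot: The new patch file has no DEP-3 header — it begins straight at `Index: github-python-ldap-scout/Lib/ldap/filter.py`, so nothing in the file records which CVE it addresses, where the fix was taken from, or whether it is applied upstream, which is what an auditor of a security backport looks for first. A header placed before the first `Index:` line, along the lines of `Description: CVE-2025-61911: reject non-str assertion_value in escape_filter_chars`, `Origin: upstream` (with the upstream commit reference) and `Applied-Upstream:` (the fixed upstream version), would make that traceable. `debian/patches/series` is not part of this diff; if it is not updated alongside, neither 0003 nor 0004 is applied at build time. The `isinstance` guard is inserted before the `if escape_mode:` branch, so it covers every escape mode, but the added tests only exercise `escape_mode=1`; repeating the list and dict cases with the default mode 0 would show the guard is what fires there too. Both inner hunks are excerpts, so `escape_filter_chars` and the enclosing test method continue outside what is shown.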
@@ -0,0 +1,27 @@
+Index: github-python-ldap-scout/Lib/ldap/dn.py
+===================================================================
+--- github-python-ldap-scout.orig/Lib/ldap/dn.py
++++ github-python-ldap-scout/Lib/ldap/dn.py
+@@ -26,7 +26,8 @@ def escape_dn_chars(s):
+ s = s.replace('>' ,'\\>')
+ s = s.replace(';' ,'\\;')
+ s = s.replace('=' ,'\\=')
+- s = s.replace('\000' ,'\\\000')
++ # RFC 4514 requires NULL (U+0000) to be escaped as hex pair "\\00"
++ s = s.replace('\x00' ,'\\00')
+ if s[-1]==' ':
+ s = ''.join((s[:-1],'\\ '))
+ if s[0]=='#' or s[0]==' ':
+Index: github-python-ldap-scout/Tests/t_ldap_dn.py
+===================================================================
+--- github-python-ldap-scout.orig/Tests/t_ldap_dn.py
++++ github-python-ldap-scout/Tests/t_ldap_dn.py
+@@ -49,7 +49,7 @@ class TestDN(unittest.TestCase):
+ self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ ')
+ self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ \\ ')
+ self.assertEqual(ldap.dn.escape_dn_chars('foobar '), 'foobar\\ ')
+- self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,bo\\,b\\o,bo\,b\