From 56190a60bcccf282fff33353ec2fa1b47cc12f78 Mon Sep 17 00:00:00 2001
From: deepin-ci-robot
Date: Thu, 7 May 2026 19:58:50 +0800
Subject: [PATCH 1/2] fix(python-ldap): CVE-2025-61911
Enforce str type for escape_filter_chars to prevent LDAP injection attacks via crafted list/dict objects.
Upstream: https://github.com/python-ldap/python-ldap/commit/3957526fb1852e84b90f423d9fef34c7af25b85a
Generated-By: glm-5.1
Co-Authored-By: hudeng
---
 debian/changelog | 7 ++++++
 debian/patches/0003-CVE-2025-61911.patch | 29 ++++++++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 37 insertions(+)
 create mode 100644 debian/patches/0003-CVE-2025-61911.patch
diff --git a/debian/changelog b/debian/changelog
index abaa11b..d49da2a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+python-ldap (3.4.4-1deepin1) unstable; urgency=medium
+
+ * Fix CVE-2025-61911: enforce str type for escape_filter_chars to
+ prevent LDAP injection attacks via crafted list/dict objects.
+
+ -- deepin-ci-robot Thu, 07 May 2026 19:58:16 +0800
+
 python-ldap (3.4.4-1) unstable; urgency=low
 * New upstream version 3.4.4
diff --git a/debian/patches/0003-CVE-2025-61911.patch b/debian/patches/0003-CVE-2025-61911.patch
new file mode 100644
index 0000000..5fdeab6
--- /dev/null
+++ b/debian/patches/0003-CVE-2025-61911.patch
@@ -0,0 +1,29 @@
+Index: github-python-ldap-scout/Lib/ldap/filter.py
+===================================================================
+--- github-python-ldap-scout.orig/Lib/ldap/filter.py
++++ github-python-ldap-scout/Lib/ldap/filter.py
+@@ -24,6 +24,8 @@ def escape_filter_chars(assertion_value,
+ If 1 all NON-ASCII chars are escaped.
+ If 2 all chars are escaped.
+ """
++ if not isinstance(assertion_value, str):
++ raise TypeError("assertion_value must be of type str.")
+ if escape_mode:
+ r = []
+ if escape_mode==1:
+Index: github-python-ldap-scout/Tests/t_ldap_filter.py
+===================================================================
+--- github-python-ldap-scout.orig/Tests/t_ldap_filter.py
++++ github-python-ldap-scout/Tests/t_ldap_filter.py
+@@ -50,6 +50,11 @@ class TestDN(unittest.TestCase):
+ r'\c3\a4\c3\b6\c3\bc\c3\84\c3\96\c3\9c\c3\9f'
+ )
+
++ with self.assertRaises(TypeError):
++ escape_filter_chars(["abc@*()/xyz"], escape_mode=1)
++ with self.assertRaises(TypeError):
++ escape_filter_chars({"abc@*()/xyz": 1}, escape_mode=1)
++
+ def test_escape_filter_chars_mode2(self):
+ """
+ test function escape_filter_chars() with escape_mode=2
diff --git a/debian/patches/series b/debian/patches/series
index d4eba8d..a311a86 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 0001-Search-for-slapadd-in-sbin-path.patch
 0002-Use-local-objects.inv-in-intersphinx-mapping.patch
+0003-CVE-2025-61911.patch
From ba722133bc18d0f1b4c557dfeae56157bb6295f3 Mon Sep 17 00:00:00 2001
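Review bot: The visible tail of the escape_filter_chars docstring (the `+ """` line) says nothing about the TypeError that the guard added directly below it now raises, so callers reading the docstring will not learn that list, dict or bytes values are rejected; a line such as `Raises TypeError if assertion_value is not a str.` belongs in that docstring, assuming the part of it outside the hunk does not already say so. The added tests only exercise escape_mode=1, while the guard sits before the `if escape_mode:` branch and therefore also covers the default mode; `with self.assertRaises(TypeError): escape_filter_chars(["abc@*()/xyz"])` would pin that path too. The patch file itself carries no DEP-3 header, so the provenance recorded in the commit message is lost at the package level; an `Origin: upstream, https://github.com/python-ldap/python-ldap/commit/3957526fb1852e84b90f423d9fef34c7af25b85a` line with `Bug:` and `Description:` fields above the first `Index:` line would fix that. Both the patched function and the patched test method continue outside the hunk.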
From: deepin-ci-robot
Date: Thu, 7 May 2026 20:03:13 +0800
Subject: [PATCH 2/2] fix(python-ldap): CVE-2025-61912
Correctly escape null bytes in escape_dn_chars according to RFC 4514 to prevent client-side denial of service.
Upstream: https://github.com/python-ldap/python-ldap/commit/6ea80326a34ee6093219628d7690bced50c49a3f
Generated-By: glm-5.1
Co-Authored-By: hudeng
---
 debian/changelog | 7 ++++++
 debian/patches/0004-CVE-2025-61912.patch | 27 ++++++++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 35 insertions(+)
 create mode 100644 debian/patches/0004-CVE-2025-61912.patch
diff --git a/debian/changelog b/debian/changelog
index d49da2a..028b5a6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+python-ldap (3.4.4-1deepin2) unstable; urgency=medium
+
+ * Fix CVE-2025-61912: correctly escape null bytes in escape_dn_chars
+ according to RFC 4514 to prevent client-side denial of service.
+
+ -- deepin-ci-robot Thu, 07 May 2026 20:02:44 +0800
+
 python-ldap (3.4.4-1deepin1) unstable; urgency=medium
 * Fix CVE-2025-61911: enforce str type for escape_filter_chars to
diff --git a/debian/patches/0004-CVE-2025-61912.patch b/debian/patches/0004-CVE-2025-61912.patch
new file mode 100644
index 0000000..fe457e1
--- /dev/null
+++ b/debian/patches/0004-CVE-2025-61912.patch
@@ -0,0 +1,27 @@
+Index: github-python-ldap-scout/Lib/ldap/dn.py
+===================================================================
+--- github-python-ldap-scout.orig/Lib/ldap/dn.py
++++ github-python-ldap-scout/Lib/ldap/dn.py
+@@ -26,7 +26,8 @@ def escape_dn_chars(s):
+ s = s.replace('>' ,'\\>')
+ s = s.replace(';' ,'\\;')
+ s = s.replace('=' ,'\\=')
+- s = s.replace('\000' ,'\\\000')
++ # RFC 4514 requires NULL (U+0000) to be escaped as hex pair "\\00"
++ s = s.replace('\x00' ,'\\00')
+ if s[-1]==' ':
+ s = ''.join((s[:-1],'\\ '))
+ if s[0]=='#' or s[0]==' ':
+Index: github-python-ldap-scout/Tests/t_ldap_dn.py
+===================================================================
+--- github-python-ldap-scout.orig/Tests/t_ldap_dn.py
++++ github-python-ldap-scout/Tests/t_ldap_dn.py
+@@ -49,7 +49,7 @@ class TestDN(unittest.TestCase):
+ self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ ')
+ self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ \\ ')
+ self.assertEqual(ldap.dn.escape_dn_chars('foobar '), 'foobar\\ ')
+- self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,bo\\,b\\o,bo\,b\