deepin-community · deepin-ci-robot · May 7, 2026 · May 7, 2026
diff --git a/debian/changelog b/debian/changelog
@@ -1,3 +1,17 @@
+python-ldap (3.4.4-1deepin2) unstable; urgency=medium
+
+  * Fix CVE-2025-61912: correctly escape null bytes in escape_dn_chars
+    according to RFC 4514 to prevent client-side denial of service.
+
+ -- deepin-ci-robot <packages@deepin.org>  Thu, 07 May 2026 20:02:44 +0800
+
+python-ldap (3.4.4-1deepin1) unstable; urgency=medium
+
+  * Fix CVE-2025-61911: enforce str type for escape_filter_chars to
+    prevent LDAP injection attacks via crafted list/dict objects.
+
+ -- deepin-ci-robot <packages@deepin.org>  Thu, 07 May 2026 19:58:16 +0800
+
 python-ldap (3.4.4-1) unstable; urgency=low
 
   * New upstream version 3.4.4

diff --git a/debian/patches/0003-CVE-2025-61911.patch b/debian/patches/0003-CVE-2025-61911.patch
@@ -0,0 +1,29 @@
+Index: github-python-ldap-scout/Lib/ldap/filter.py
+===================================================================
+--- github-python-ldap-scout.orig/Lib/ldap/filter.py
++++ github-python-ldap-scout/Lib/ldap/filter.py
+@@ -24,6 +24,8 @@ def escape_filter_chars(assertion_value,
+       If 1 all NON-ASCII chars are escaped.
+       If 2 all chars are escaped.
+   """
++  if not isinstance(assertion_value, str):
++    raise TypeError("assertion_value must be of type str.")
+   if escape_mode:
+     r = []
+     if escape_mode==1:
+Index: github-python-ldap-scout/Tests/t_ldap_filter.py
+===================================================================
+--- github-python-ldap-scout.orig/Tests/t_ldap_filter.py
++++ github-python-ldap-scout/Tests/t_ldap_filter.py
+@@ -50,6 +50,11 @@ class TestDN(unittest.TestCase):
+             r'\c3\a4\c3\b6\c3\bc\c3\84\c3\96\c3\9c\c3\9f'
+         )
+
++        with self.assertRaises(TypeError):
++            escape_filter_chars(["abc@*()/xyz"], escape_mode=1)
++        with self.assertRaises(TypeError):
++            escape_filter_chars({"abc@*()/xyz": 1}, escape_mode=1)
++
+     def test_escape_filter_chars_mode2(self):
+         """
+         test function escape_filter_chars() with escape_mode=2
diff --git a/debian/patches/0004-CVE-2025-61912.patch b/debian/patches/0004-CVE-2025-61912.patch
@@ -0,0 +1,27 @@
+Index: github-python-ldap-scout/Lib/ldap/dn.py
+===================================================================
+--- github-python-ldap-scout.orig/Lib/ldap/dn.py
++++ github-python-ldap-scout/Lib/ldap/dn.py
+@@ -26,7 +26,8 @@ def escape_dn_chars(s):
+     s = s.replace('>' ,'\\>')
+     s = s.replace(';' ,'\\;')
+     s = s.replace('=' ,'\\=')
+-    s = s.replace('\000' ,'\\\000')
++    # RFC 4514 requires NULL (U+0000) to be escaped as hex pair "\\00"
++    s = s.replace('\x00' ,'\\00')
+     if s[-1]==' ':
+       s = ''.join((s[:-1],'\\ '))
+     if s[0]=='#' or s[0]==' ':
+Index: github-python-ldap-scout/Tests/t_ldap_dn.py
+===================================================================
+--- github-python-ldap-scout.orig/Tests/t_ldap_dn.py
++++ github-python-ldap-scout/Tests/t_ldap_dn.py
+@@ -49,7 +49,7 @@ class TestDN(unittest.TestCase):
+         self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ ')
+         self.assertEqual(ldap.dn.escape_dn_chars('  '), '\\ \\ ')
+         self.assertEqual(ldap.dn.escape_dn_chars('foobar '), 'foobar\\ ')
+-        self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,b<a;r="\00"'), 'f\\+o\\>o\\,b\\<a\\;r\\=\\"\\\x00\\"')
++        self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,b<a;r="\00"'), r'f\+o\>o\,b\<a\;r\=\"\00\"')
+         self.assertEqual(ldap.dn.escape_dn_chars('foo\\,bar'), 'foo\\\\\\,bar')
+
+     def test_str2dn(self):
diff --git a/debian/patches/series b/debian/patches/series
@@ -1,2 +1,4 @@
 0001-Search-for-slapadd-in-sbin-path.patch
 0002-Use-local-objects.inv-in-intersphinx-mapping.patch
+0003-CVE-2025-61911.patch
+0004-CVE-2025-61912.patch