
[meta-python,kirkstone,4/5] python3-ldap: patch CVE-2025-61912

Message ID 20260113063546.1497839-4-skandigraun@gmail.com
State New
Series [meta-python,kirkstone,1/5] python3-eventlet: upgrade 0.33.0 -> 0.33.3 | expand

Commit Message

Gyorgy Sarvari Jan. 13, 2026, 6:35 a.m. UTC
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-61912

Pick the patch that's mentioned by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../python/python3-ldap/CVE-2025-61912.patch  | 42 +++++++++++++++++++
 .../python/python3-ldap_3.4.0.bb              |  3 +-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 meta-networking/recipes-devtools/python/python3-ldap/CVE-2025-61912.patch

Patch

diff --git a/meta-networking/recipes-devtools/python/python3-ldap/CVE-2025-61912.patch b/meta-networking/recipes-devtools/python/python3-ldap/CVE-2025-61912.patch
new file mode 100644
index 0000000000..1e3940e662
--- /dev/null
+++ b/meta-networking/recipes-devtools/python/python3-ldap/CVE-2025-61912.patch
@@ -0,0 +1,42 @@ 
+From b80ba3e3b41859bfc79830b726e95e457502ca00 Mon Sep 17 00:00:00 2001
+From: Simon Pichugin <simon.pichugin@gmail.com>
+Date: Fri, 10 Oct 2025 10:46:45 -0700
+Subject: [PATCH] Merge commit from fork
+
+Update tests to expect \00 and verify RFC-compliant escaping
+
+CVE: CVE-2025-61912
+Upstream-Status: Backport [https://github.com/python-ldap/python-ldap/commit/6ea80326a34ee6093219628d7690bced50c49a3f]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ Lib/ldap/dn.py     | 3 ++-
+ Tests/t_ldap_dn.py | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/Lib/ldap/dn.py b/Lib/ldap/dn.py
+index a9d9684..8d40673 100644
+--- a/Lib/ldap/dn.py
++++ b/Lib/ldap/dn.py
+@@ -26,7 +26,8 @@ def escape_dn_chars(s):
+     s = s.replace('>' ,'\\>')
+     s = s.replace(';' ,'\\;')
+     s = s.replace('=' ,'\\=')
+-    s = s.replace('\000' ,'\\\000')
++    # RFC 4514 requires NULL (U+0000) to be escaped as hex pair "\00"
++    s = s.replace('\x00' ,'\\00')
+     if s[-1]==' ':
+       s = ''.join((s[:-1],'\\ '))
+     if s[0]=='#' or s[0]==' ':
+diff --git a/Tests/t_ldap_dn.py b/Tests/t_ldap_dn.py
+index 86d3640..7c04777 100644
+--- a/Tests/t_ldap_dn.py
++++ b/Tests/t_ldap_dn.py
+@@ -49,7 +49,7 @@ class TestDN(unittest.TestCase):
+         self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ ')
+         self.assertEqual(ldap.dn.escape_dn_chars('  '), '\\ \\ ')
+         self.assertEqual(ldap.dn.escape_dn_chars('foobar '), 'foobar\\ ')
+-        self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,b<a;r="\00"'), 'f\\+o\\>o\\,b\\<a\\;r\\=\\"\\\x00\\"')
++        self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,b<a;r="\00"'), r'f\+o\>o\,b\<a\;r\=\"\00\"')
+         self.assertEqual(ldap.dn.escape_dn_chars('foo\\,bar'), 'foo\\\\\\,bar')
+ 
+     def test_str2dn(self):
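Review bot: The updated assertion in the embedded Tests/t_ldap_dn.py section exercises the new `\00` escaping only with the NUL in the interior of the value, while escape_dn_chars goes on to special-case the last and first characters (`if s[-1]==' '` and `if s[0]=='#' or s[0]==' '`). A case where NUL is the whole value would pin that the hex-pair output passes those branches unchanged, for example `self.assertEqual(ldap.dn.escape_dn_chars('\x00'), r'\00')`; that expected value assumes the backslash-escaping step, which is outside the hunk, runs before the NUL replacement. The function starts and ends outside the hunk, so this is inferred from the visible context lines only. Because the file is a verbatim backport, the extra assertion would be an upstream follow-up rather than a change to this recipe patch.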
diff --git a/meta-networking/recipes-devtools/python/python3-ldap_3.4.0.bb b/meta-networking/recipes-devtools/python/python3-ldap_3.4.0.bb
index 59ced40021..b2361608aa 100644
--- a/meta-networking/recipes-devtools/python/python3-ldap_3.4.0.bb
+++ b/meta-networking/recipes-devtools/python/python3-ldap_3.4.0.bb
@@ -13,7 +13,8 @@  PYPI_PACKAGE = "python-ldap"
 
 inherit pypi setuptools3
 
-SRC_URI += "file://CVE-2025-61911.patch"
+SRC_URI += "file://CVE-2025-61911.patch \
+            file://CVE-2025-61912.patch"
 SRC_URI[sha256sum] = "60464c8fc25e71e0fd40449a24eae482dcd0fb7fcf823e7de627a6525b3e0d12"
 
 do_configure:prepend() {