diff --git a/meta-networking/recipes-devtools/python/python3-ldap/CVE-2025-61912.patch b/meta-networking/recipes-devtools/python/python3-ldap/CVE-2025-61912.patch new file mode 100644 index 0000000000..1e3940e662 --- /dev/null +++ b/meta-networking/recipes-devtools/python/python3-ldap/CVE-2025-61912.patch @@ -0,0 +1,42 @@ +From b80ba3e3b41859bfc79830b726e95e457502ca00 Mon Sep 17 00:00:00 2001 +From: Simon Pichugin +Date: Fri, 10 Oct 2025 10:46:45 -0700 +Subject: [PATCH] Merge commit from fork + +Update tests to expect \00 and verify RFC-compliant escaping + +CVE: CVE-2025-61912 +Upstream-Status: Backport [https://github.com/python-ldap/python-ldap/commit/6ea80326a34ee6093219628d7690bced50c49a3f] +Signed-off-by: Gyorgy Sarvari +--- + Lib/ldap/dn.py | 3 ++- + Tests/t_ldap_dn.py | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/Lib/ldap/dn.py b/Lib/ldap/dn.py +index a9d9684..8d40673 100644 +--- a/Lib/ldap/dn.py ++++ b/Lib/ldap/dn.py +@@ -26,7 +26,8 @@ def escape_dn_chars(s): + s = s.replace('>' ,'\\>') + s = s.replace(';' ,'\\;') + s = s.replace('=' ,'\\=') +- s = s.replace('\000' ,'\\\000') ++ # RFC 4514 requires NULL (U+0000) to be escaped as hex pair "\00" ++ s = s.replace('\x00' ,'\\00') + if s[-1]==' ': + s = ''.join((s[:-1],'\\ ')) + if s[0]=='#' or s[0]==' ': +diff --git a/Tests/t_ldap_dn.py b/Tests/t_ldap_dn.py +index 86d3640..7c04777 100644 +--- a/Tests/t_ldap_dn.py ++++ b/Tests/t_ldap_dn.py +@@ -49,7 +49,7 @@ class TestDN(unittest.TestCase): + self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ ') + self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ \\ ') + self.assertEqual(ldap.dn.escape_dn_chars('foobar '), 'foobar\\ ') +- self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,bo\\,b\\o,bo\,b\