Details: https://nvd.nist.gov/vuln/detail/CVE-2025-61912
Pick the patch that's mentioned by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <[email protected]>
---
.../python/python3-ldap/CVE-2025-61912.patch | 42 +++++++++++++++++++
.../python/python3-ldap_3.4.0.bb | 3 +-
2 files changed, 44 insertions(+), 1 deletion(-)
create mode 100644 meta-networking/recipes-devtools/python/python3-ldap/CVE-2025-61912.patch
diff --git a/meta-networking/recipes-devtools/python/python3-ldap/CVE-2025-61912.patch b/meta-networking/recipes-devtools/python/python3-ldap/CVE-2025-61912.patch
new file mode 100644
index 0000000000..1e3940e662
--- /dev/null
+++ b/meta-networking/recipes-devtools/python/python3-ldap/CVE-2025-61912.patch
@@ -0,0 +1,42 @@
+From b80ba3e3b41859bfc79830b726e95e457502ca00 Mon Sep 17 00:00:00 2001
+From: Simon Pichugin <[email protected]>
+Date: Fri, 10 Oct 2025 10:46:45 -0700
+Subject: [PATCH] Merge commit from fork
+
+Update tests to expect \00 and verify RFC-compliant escaping
+
+CVE: CVE-2025-61912
+Upstream-Status: Backport [https://github.com/python-ldap/python-ldap/commit/6ea80326a34ee6093219628d7690bced50c49a3f]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ Lib/ldap/dn.py | 3 ++-
+ Tests/t_ldap_dn.py | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/Lib/ldap/dn.py b/Lib/ldap/dn.py
+index a9d9684..8d40673 100644
+--- a/Lib/ldap/dn.py
++++ b/Lib/ldap/dn.py
+@@ -26,7 +26,8 @@ def escape_dn_chars(s):
+ s = s.replace('>' ,'\\>')
+ s = s.replace(';' ,'\\;')
+ s = s.replace('=' ,'\\=')
+- s = s.replace('\000' ,'\\\000')
++ # RFC 4514 requires NULL (U+0000) to be escaped as hex pair "\00"
++ s = s.replace('\x00' ,'\\00')
+ if s[-1]==' ':
+ s = ''.join((s[:-1],'\\ '))
+ if s[0]=='#' or s[0]==' ':
+diff --git a/Tests/t_ldap_dn.py b/Tests/t_ldap_dn.py
+index 86d3640..7c04777 100644
+--- a/Tests/t_ldap_dn.py
++++ b/Tests/t_ldap_dn.py
+@@ -49,7 +49,7 @@ class TestDN(unittest.TestCase):
+ self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ ')
+ self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ \\ ')
+ self.assertEqual(ldap.dn.escape_dn_chars('foobar '), 'foobar\\ ')
+- self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,b<a;r="\00"'), 'f\\+o\\>o\\,b\\<a\\;r\\=\\"\\\x00\\"')
++ self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,b<a;r="\00"'), r'f\+o\>o\,b\<a\;r\=\"\00\"')
+ self.assertEqual(ldap.dn.escape_dn_chars('foo\\,bar'), 'foo\\\\\\,bar')
+
+ def test_str2dn(self):
diff --git a/meta-networking/recipes-devtools/python/python3-ldap_3.4.0.bb b/meta-networking/recipes-devtools/python/python3-ldap_3.4.0.bb
index 59ced40021..b2361608aa 100644
--- a/meta-networking/recipes-devtools/python/python3-ldap_3.4.0.bb
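Review bot: The updated assertion in Tests/t_ldap_dn.py exercises a NUL only in the middle of the value, so the new `\00` output is not pinned for a NUL at the first or last position, where escape_dn_chars applies its edge checks (`if s[-1]==' ':` and `if s[0]=='#' or s[0]==' ':`) after the replacement. A one-line case such as `self.assertEqual(ldap.dn.escape_dn_chars('\x00'), r'\00')` would cover it. Because this file is a backport, the extra case is better proposed upstream than added to the patch here, so the patch stays identical to the referenced commit. The body of escape_dn_chars and the test method both start outside the inner hunks, so the order of the earlier replacements (in particular the backslash one) cannot be checked from this page.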
+++ b/meta-networking/recipes-devtools/python/python3-ldap_3.4.0.bb @@ -13,7 +13,8 @@ PYPI_PACKAGE = "python-ldap" inherit pypi setuptools3 -SRC_URI += "file://CVE-2025-61911.patch" +SRC_URI += "file://CVE-2025-61911.patch \ + file://CVE-2025-61912.patch" SRC_URI[sha256sum] = "60464c8fc25e71e0fd40449a24eae482dcd0fb7fcf823e7de627a6525b3e0d12" do_configure:prepend() {
