From a9478b74427d11623f02e2ff56d5b51eb5166593 Mon Sep 17 00:00:00 2001
From: lizhipeng <lizhipeng@kylinos.cn>
Date: Mon, 13 Oct 2025 16:58:10 +0800
Subject: [PATCH] fix CVE-2025-61911

Signed-off-by: lizhipeng <lizhipeng@kylinos.cn>
(cherry picked from commit 969ceb86efa479eb75301f545827714c510295e6)
---
 backport-CVE-2025-61911.patch | 38 +++++++++++++++++++++++++++++++++++
 python-ldap.spec              |  9 ++++++++-
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-61911.patch

diff --git a/backport-CVE-2025-61911.patch b/backport-CVE-2025-61911.patch
new file mode 100644
index 0000000..9c4e8a0
--- /dev/null
+++ b/backport-CVE-2025-61911.patch
@@ -0,0 +1,38 @@
+From 3957526fb1852e84b90f423d9fef34c7af25b85a Mon Sep 17 00:00:00 2001
+From: lukas-eu <62448426+lukas-eu@users.noreply.github.com>
+Date: Fri, 10 Oct 2025 19:47:46 +0200
+Subject: [PATCH] Merge commit from fork
+
+---
+ Lib/ldap/filter.py     | 2 ++
+ Tests/t_ldap_filter.py | 4 ++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/Lib/ldap/filter.py b/Lib/ldap/filter.py
+index 782737aa..5bd41b21 100644
+--- a/Lib/ldap/filter.py
++++ b/Lib/ldap/filter.py
+@@ -24,6 +24,8 @@ def escape_filter_chars(assertion_value,escape_mode=0):
+       If 1 all NON-ASCII chars are escaped.
+       If 2 all chars are escaped.
+   """
++  if not isinstance(assertion_value, str):
++    raise TypeError("assertion_value must be of type str.")
+   if escape_mode:
+     r = []
+     if escape_mode==1:
+diff --git a/Tests/t_ldap_filter.py b/Tests/t_ldap_filter.py
+index 313b3733..54312050 100644
+--- a/Tests/t_ldap_filter.py
++++ b/Tests/t_ldap_filter.py
+@@ -49,6 +49,10 @@ def test_escape_filter_chars_mode1(self):
+             ),
+             r'\c3\a4\c3\b6\c3\bc\c3\84\c3\96\c3\9c\c3\9f'
+         )
++        with self.assertRaises(TypeError):
++            escape_filter_chars(["abc@*()/xyz"], escape_mode=1)
++        with self.assertRaises(TypeError):
++            escape_filter_chars({"abc@*()/xyz": 1}, escape_mode=1)
+ 
+     def test_escape_filter_chars_mode2(self):
+         """
diff --git a/python-ldap.spec b/python-ldap.spec
index 59b039e..fb57a46 100644
--- a/python-ldap.spec
+++ b/python-ldap.spec
@@ -1,10 +1,11 @@
 Name:		python-ldap
 Version:	3.4.4
-Release:	1
+Release:	2
 Summary:	An object-oriented API to access LDAP directory servers
 License:	Python-2.0
 URL:		http://python-ldap.org/
 Source0:	https://files.pythonhosted.org/packages/source/p/%{name}/%{name}-%{version}.tar.gz
+Patch0001:      backport-CVE-2025-61911.patch 
 
 BuildRequires:	gcc openldap-devel
 BuildRequires:  python3-devel python3-setuptools
@@ -55,6 +56,12 @@ sed -i 's,-Werror,-Wignore,g' tox.ini
 %doc CHANGES README TODO Demo
 
 %changelog
+* Mon Oct 13 2025 lizhipeng <lizhipeng@kylinos.cn> - 3.4.4-2 
+- Type: bugfix
+- ID: NA
+- SUG: NA
+- DESC: fix CVE-2025-61911
+
 * Thu Feb 1 2024 liubo <liubo335@huawei.com> - 3.4.4-1
 - Type: requirement
 - ID: NA
-- 
Gitee