mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity

python3-eventlet: patch CVE-2025-58068

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-58068

Pick the patch mentioned in the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
Gyorgy Sarvari
2026-01-13 07:35:43 +01:00
parent a14d2e2df1
commit e07db81979
2 changed files with 42 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-python/recipes-devtools/python/python3-eventlet/CVE-2025-58068.patch
+41
View File
@@ -0,0 +1,41 @@
From 4e151d13a160e4d2a98dc77d32e5c3fe2c42f2b9 Mon Sep 17 00:00:00 2001
From: sebsrt <s@sebsrt.xyz>
Date: Mon, 11 Aug 2025 11:46:28 +0200
Subject: [PATCH] Fix request smuggling vulnerability by discarding trailers
(#1062)
The WSGI parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. This patch fix that by discarding trailers.
CVE: CVE-2025-58068
Upstream-Status: Backport [https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
eventlet/wsgi.py | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/eventlet/wsgi.py b/eventlet/wsgi.py
index 7ef0254..fb0d805 100644
--- a/eventlet/wsgi.py
+++ b/eventlet/wsgi.py
@@ -154,6 +154,12 @@ class Input(object):
read = b''
self.position += len(read)
return read
+
+ def _discard_trailers(self, rfile):
+ while True:
+ line = rfile.readline()
+ if not line or line in (b'\r\n', b'\n', b''):
+ break
def _chunked_read(self, rfile, length=None, use_readline=False):
if self.should_send_hundred_continue:
@@ -204,7 +210,7 @@ class Input(object):
raise ChunkReadError(err)
self.position = 0
if self.chunk_length == 0:
- rfile.readline()
+ self._discard_trailers(rfile)
except greenio.SSL.ZeroReturnError:
pass
return b''.join(response)
meta-python/recipes-devtools/python/python3-eventlet_0.33.3.bb
+1
View File
@@ -4,6 +4,7 @@ SECTION = "devel/python"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=56472ad6de4caf50e05332a34b66e778"
SRC_URI += "file://CVE-2025-58068.patch"
SRC_URI[sha256sum] = "722803e7eadff295347539da363d68ae155b8b26ae6a634474d0a920be73cfda"
inherit pypi setuptools3