mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
python3-eventlet: patch CVE-2025-58068
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-58068 Pick the patch mentioned in the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
@@ -0,0 +1,41 @@
|
|||||||
|
From 4e151d13a160e4d2a98dc77d32e5c3fe2c42f2b9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: sebsrt <s@sebsrt.xyz>
|
||||||
|
Date: Mon, 11 Aug 2025 11:46:28 +0200
|
||||||
|
Subject: [PATCH] Fix request smuggling vulnerability by discarding trailers
|
||||||
|
(#1062)
|
||||||
|
|
||||||
|
The WSGI parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. This patch fix that by discarding trailers.
|
||||||
|
|
||||||
|
CVE: CVE-2025-58068
|
||||||
|
Upstream-Status: Backport [https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb]
|
||||||
|
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
|
||||||
|
---
|
||||||
|
eventlet/wsgi.py | 8 +++++++-
|
||||||
|
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/eventlet/wsgi.py b/eventlet/wsgi.py
|
||||||
|
index 7ef0254..fb0d805 100644
|
||||||
|
--- a/eventlet/wsgi.py
|
||||||
|
+++ b/eventlet/wsgi.py
|
||||||
|
@@ -154,6 +154,12 @@ class Input(object):
|
||||||
|
read = b''
|
||||||
|
self.position += len(read)
|
||||||
|
return read
|
||||||
|
+
|
||||||
|
+ def _discard_trailers(self, rfile):
|
||||||
|
+ while True:
|
||||||
|
+ line = rfile.readline()
|
||||||
|
+ if not line or line in (b'\r\n', b'\n', b''):
|
||||||
|
+ break
|
||||||
|
|
||||||
|
def _chunked_read(self, rfile, length=None, use_readline=False):
|
||||||
|
if self.should_send_hundred_continue:
|
||||||
|
@@ -204,7 +210,7 @@ class Input(object):
|
||||||
|
raise ChunkReadError(err)
|
||||||
|
self.position = 0
|
||||||
|
if self.chunk_length == 0:
|
||||||
|
- rfile.readline()
|
||||||
|
+ self._discard_trailers(rfile)
|
||||||
|
except greenio.SSL.ZeroReturnError:
|
||||||
|
pass
|
||||||
|
return b''.join(response)
|
||||||
@@ -4,6 +4,7 @@ SECTION = "devel/python"
|
|||||||
LICENSE = "MIT"
|
LICENSE = "MIT"
|
||||||
LIC_FILES_CHKSUM = "file://LICENSE;md5=56472ad6de4caf50e05332a34b66e778"
|
LIC_FILES_CHKSUM = "file://LICENSE;md5=56472ad6de4caf50e05332a34b66e778"
|
||||||
|
|
||||||
|
SRC_URI += "file://CVE-2025-58068.patch"
|
||||||
SRC_URI[sha256sum] = "722803e7eadff295347539da363d68ae155b8b26ae6a634474d0a920be73cfda"
|
SRC_URI[sha256sum] = "722803e7eadff295347539da363d68ae155b8b26ae6a634474d0a920be73cfda"
|
||||||
|
|
||||||
inherit pypi setuptools3
|
inherit pypi setuptools3
|
||||||
|
|||||||
Reference in New Issue
Block a user