python3-eventlet: patch CVE-2025-58068

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-58068 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
author: Ankur Tyagi <ankur.tyagi85@gmail.com> 2026-01-15 02:00:44 +1300
committer: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-01-19 12:15:39 +0530
commit: 4441e16eb5d9e1244d44df27bef8261f6a269a4d (patch)
tree: 764173a9a43e44c64aa0980fafea48b626829e42 /meta-python/recipes-devtools/python/python3-eventlet
parent: 3fabe136d83e3085f77da218e9c618abcd9487fe (diff)
download: meta-openembedded-4441e16eb5d9e1244d44df27bef8261f6a269a4d.tar.gz
1 files changed, 42 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-eventlet/CVE-2025-58068.patch b/meta-python/recipes-devtools/python/python3-eventlet/CVE-2025-58068.patch
new file mode 100644
index 0000000000..45dda012b6
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-eventlet/CVE-2025-58068.patch
@@ -0,0 +1,42 @@
+From 2353500dc28eab63b47930851c75e9268a69ef1e Mon Sep 17 00:00:00 2001
+From: sebsrt <s@sebsrt.xyz>
+Date: Mon, 11 Aug 2025 11:46:28 +0200
+Subject: [PATCH] [SECURITY] Fix request smuggling vulnerability by discarding
+ trailers (#1062)
+The WSGI parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. This patch fix that by discarding trailers.
+CVE: CVE-2025-58068
+Upstream-Status: Backport [https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb]
+(cherry picked from commit 0bfebd1117d392559e25b4bfbfcc941754de88fb)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ eventlet/wsgi.py | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+diff --git a/eventlet/wsgi.py b/eventlet/wsgi.py
+index 3b530b18..28ad2666 100644
+--- a/eventlet/wsgi.py
+++ b/eventlet/wsgi.py
+@@ -153,6 +153,12 @@ class Input:
+             read = b''
+         self.position += len(read)
+         return read
+    
+    def _discard_trailers(self, rfile):
+        while True:
+            line = rfile.readline()
+            if not line or line in (b'\r\n', b'\n', b''):
+                break
+ 
+     def _chunked_read(self, rfile, length=None, use_readline=False):
+         if self.should_send_hundred_continue:
+@@ -203,7 +209,7 @@ class Input:
+                         raise ChunkReadError(err)
+                     self.position = 0
+                     if self.chunk_length == 0:
+-                        rfile.readline()
+                        self._discard_trailers(rfile)
+         except greenio.SSL.ZeroReturnError:
+             pass
+         return b''.join(response)
author	Ankur Tyagi <ankur.tyagi85@gmail.com>	2026-01-15 02:00:44 +1300
committer	Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-19 12:15:39 +0530
commit	4441e16eb5d9e1244d44df27bef8261f6a269a4d (patch)
tree	764173a9a43e44c64aa0980fafea48b626829e42 /meta-python/recipes-devtools/python/python3-eventlet
parent	3fabe136d83e3085f77da218e9c618abcd9487fe (diff)
download	meta-openembedded-4441e16eb5d9e1244d44df27bef8261f6a269a4d.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-eventlet/CVE-2025-58068.patch b/meta-python/recipes-devtools/python/python3-eventlet/CVE-2025-58068.patch new file mode 100644 index 0000000000..45dda012b6 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-eventlet/CVE-2025-58068.patch
@@ -0,0 +1,42 @@
	1	From 2353500dc28eab63b47930851c75e9268a69ef1e Mon Sep 17 00:00:00 2001
	2	From: sebsrt <s@sebsrt.xyz>
	3	Date: Mon, 11 Aug 2025 11:46:28 +0200
	4	Subject: [PATCH] [SECURITY] Fix request smuggling vulnerability by discarding
	5	trailers (#1062)
	6
	7	The WSGI parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. This patch fix that by discarding trailers.
	8
	9	CVE: CVE-2025-58068
	10	Upstream-Status: Backport [https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb]
	11	(cherry picked from commit 0bfebd1117d392559e25b4bfbfcc941754de88fb)
	12	Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
	13	---
	14	eventlet/wsgi.py \| 8 +++++++-
	15	1 file changed, 7 insertions(+), 1 deletion(-)
	16
	17	diff --git a/eventlet/wsgi.py b/eventlet/wsgi.py
	18	index 3b530b18..28ad2666 100644
	19	--- a/eventlet/wsgi.py
	20	+++ b/eventlet/wsgi.py
	21	@@ -153,6 +153,12 @@ class Input:
	22	read = b''
	23	self.position += len(read)
	24	return read
	25	+
	26	+ def _discard_trailers(self, rfile):
	27	+ while True:
	28	+ line = rfile.readline()
	29	+ if not line or line in (b'\r\n', b'\n', b''):
	30	+ break
	31
	32	def _chunked_read(self, rfile, length=None, use_readline=False):
	33	if self.should_send_hundred_continue:
	34	@@ -203,7 +209,7 @@ class Input:
	35	raise ChunkReadError(err)
	36	self.position = 0
	37	if self.chunk_length == 0:
	38	- rfile.readline()
	39	+ self._discard_trailers(rfile)
	40	except greenio.SSL.ZeroReturnError:
	41	pass
	42	return b''.join(response)