diff options
| author | Gyorgy Sarvari <skandigraun@gmail.com> | 2026-01-13 07:35:43 +0100 |
|---|---|---|
| committer | Gyorgy Sarvari <skandigraun@gmail.com> | 2026-01-20 18:22:04 +0100 |
| commit | e07db81979c42150596ed328d3cf5c61f282a7fa (patch) | |
| tree | 1efb97e4ce3aacb35251b476f95a44f2f988dca7 /meta-python/recipes-devtools/python | |
| parent | a14d2e2df1ed4b793bcab9b5c2a1359eb6a26c47 (diff) | |
| download | meta-openembedded-e07db81979c42150596ed328d3cf5c61f282a7fa.tar.gz | |
python3-eventlet: patch CVE-2025-58068
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-58068
Pick the patch mentioned in the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Diffstat (limited to 'meta-python/recipes-devtools/python')
| -rw-r--r-- | meta-python/recipes-devtools/python/python3-eventlet/CVE-2025-58068.patch | 41 | ||||
| -rw-r--r-- | meta-python/recipes-devtools/python/python3-eventlet_0.33.3.bb | 1 |
2 files changed, 42 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-eventlet/CVE-2025-58068.patch b/meta-python/recipes-devtools/python/python3-eventlet/CVE-2025-58068.patch new file mode 100644 index 0000000000..3fc7cb1b54 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-eventlet/CVE-2025-58068.patch | |||
| @@ -0,0 +1,41 @@ | |||
| 1 | From 4e151d13a160e4d2a98dc77d32e5c3fe2c42f2b9 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: sebsrt <s@sebsrt.xyz> | ||
| 3 | Date: Mon, 11 Aug 2025 11:46:28 +0200 | ||
| 4 | Subject: [PATCH] Fix request smuggling vulnerability by discarding trailers | ||
| 5 | (#1062) | ||
| 6 | |||
| 7 | The WSGI parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. This patch fix that by discarding trailers. | ||
| 8 | |||
| 9 | CVE: CVE-2025-58068 | ||
| 10 | Upstream-Status: Backport [https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb] | ||
| 11 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 12 | --- | ||
| 13 | eventlet/wsgi.py | 8 +++++++- | ||
| 14 | 1 file changed, 7 insertions(+), 1 deletion(-) | ||
| 15 | |||
| 16 | diff --git a/eventlet/wsgi.py b/eventlet/wsgi.py | ||
| 17 | index 7ef0254..fb0d805 100644 | ||
| 18 | --- a/eventlet/wsgi.py | ||
| 19 | +++ b/eventlet/wsgi.py | ||
| 20 | @@ -154,6 +154,12 @@ class Input(object): | ||
| 21 | read = b'' | ||
| 22 | self.position += len(read) | ||
| 23 | return read | ||
| 24 | + | ||
| 25 | + def _discard_trailers(self, rfile): | ||
| 26 | + while True: | ||
| 27 | + line = rfile.readline() | ||
| 28 | + if not line or line in (b'\r\n', b'\n', b''): | ||
| 29 | + break | ||
| 30 | |||
| 31 | def _chunked_read(self, rfile, length=None, use_readline=False): | ||
| 32 | if self.should_send_hundred_continue: | ||
| 33 | @@ -204,7 +210,7 @@ class Input(object): | ||
| 34 | raise ChunkReadError(err) | ||
| 35 | self.position = 0 | ||
| 36 | if self.chunk_length == 0: | ||
| 37 | - rfile.readline() | ||
| 38 | + self._discard_trailers(rfile) | ||
| 39 | except greenio.SSL.ZeroReturnError: | ||
| 40 | pass | ||
| 41 | return b''.join(response) | ||
diff --git a/meta-python/recipes-devtools/python/python3-eventlet_0.33.3.bb b/meta-python/recipes-devtools/python/python3-eventlet_0.33.3.bb index c1256661b4..12ee39aee9 100644 --- a/meta-python/recipes-devtools/python/python3-eventlet_0.33.3.bb +++ b/meta-python/recipes-devtools/python/python3-eventlet_0.33.3.bb | |||
| @@ -4,6 +4,7 @@ SECTION = "devel/python" | |||
| 4 | LICENSE = "MIT" | 4 | LICENSE = "MIT" |
| 5 | LIC_FILES_CHKSUM = "file://LICENSE;md5=56472ad6de4caf50e05332a34b66e778" | 5 | LIC_FILES_CHKSUM = "file://LICENSE;md5=56472ad6de4caf50e05332a34b66e778" |
| 6 | 6 | ||
| 7 | SRC_URI += "file://CVE-2025-58068.patch" | ||
| 7 | SRC_URI[sha256sum] = "722803e7eadff295347539da363d68ae155b8b26ae6a634474d0a920be73cfda" | 8 | SRC_URI[sha256sum] = "722803e7eadff295347539da363d68ae155b8b26ae6a634474d0a920be73cfda" |
| 8 | 9 | ||
| 9 | inherit pypi setuptools3 | 10 | inherit pypi setuptools3 |