Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:python-eventlet
User: [email protected]
Usertags: pu
Hi,

[ Reason ]
I'd like to fix: https://bugs.debian.org/1112515 aka: CVE-2025-58068

[ Impact ]
Potential HTTP request smuggling.

[ Tests ]
I've set this already in production in my deployment.

[ Risks ]
Trivial patch that discards the chunk's trailer.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

Please allow me to upload python-eventlet/0.39.1-2+deb13u1 as per debdiff.

Cheers,

Thomas Goirand (zigo)
diff -Nru python-eventlet-0.39.1/debian/changelog python-eventlet-0.39.1/debian/changelog --- python-eventlet-0.39.1/debian/changelog 2025-04-01 16:44:12.000000000 +0200 +++ python-eventlet-0.39.1/debian/changelog 2025-09-02 10:43:30.000000000 +0200 @@ -1,3 +1,15 @@ +python-eventlet (0.39.1-2+deb13u1) trixie; urgency=medium + + * CVE-2025-58068: Eventlet is a concurrent networking library for Python. + Prior to version 0.40.3, the Eventlet WSGI parser is vulnerable to HTTP + Request Smuggling due to improper handling of HTTP trailer sections. This + vulnerability could enable attackers to, bypass front-end security + controls, launch targeted attacks against active site users, and poison web + caches. Applied upstream patch (Closes: #1112515): + - Fix_request_smuggling_vulnerability_by_discarding_trailers.patch + + -- Thomas Goirand <[email protected]> Tue, 02 Sep 2025 10:43:30 +0200 + python-eventlet (0.39.1-2) unstable; urgency=medium * Add test_send_1k_req_rep to blacklist, failing on armel. diff -Nru python-eventlet-0.39.1/debian/patches/CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch python-eventlet-0.39.1/debian/patches/CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch --- python-eventlet-0.39.1/debian/patches/CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-eventlet-0.39.1/debian/patches/CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch 2025-09-02 10:43:30.000000000 +0200 
@@ -0,0 +1,37 @@ +From: sebsrt <[email protected]> +Date: Mon, 11 Aug 2025 11:46:28 +0200 +Description: CVE-2025-58068: Fix request smuggling vulnerability by discarding trailers (#1062) + The WSGI parser is vulnerable to a request smuggling vulnerability due + to not parsing trailer sections of an HTTP request. This patch fix that + by discarding trailers. +Origin: upstream, https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb.patch +Bug: https://github.com/eventlet/eventlet/pull/1062 +Bug-Debian: https://bugs.debian.org/1112515 +Last-Update: 2025-08-31 + +diff --git a/eventlet/wsgi.py b/eventlet/wsgi.py +index 92d031797..b6b4d0ce8 100644 +--- a/eventlet/wsgi.py ++++ b/eventlet/wsgi.py +@@ -152,6 +152,12 @@ def _do_read(self, reader, length=None): + read = b'' + self.position += len(read) + return read ++ ++ def _discard_trailers(self, rfile): ++ while True: ++ line = rfile.readline() ++ if not line or line in (b'\r\n', b'\n', b''): ++ break + + def _chunked_read(self, rfile, length=None, use_readline=False): + if self.should_send_hundred_continue: +@@ -202,7 +208,7 @@ def _chunked_read(self, rfile, length=None, use_readline=False): + raise ChunkReadError(err) + self.position = 0 + if self.chunk_length == 0: +- rfile.readline() ++ self._discard_trailers(rfile) + except greenio.SSL.ZeroReturnError: + pass + return b''.join(response) diff -Nru python-eventlet-0.39.1/debian/patches/series python-eventlet-0.39.1/debian/patches/series --- python-eventlet-0.39.1/debian/patches/series 2025-04-01 16:44:12.000000000 +0200 +++ python-eventlet-0.39.1/debian/patches/series 2025-09-02 10:43:30.000000000 +0200 @@ -15,3 +15,4 @@ #use-raw-strings-to-avoid-warnings.patch install-all-files.patch fix-detecting-version.patch +CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch
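Review bot: stray comma in the changelog entry; "could enable attackers to, bypass front-end security controls" should read "could enable attackers to bypass front-end security controls". The version reference "Prior to version 0.40.3" and the Closes: #1112515 line match the bug being fixed.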
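Review bot: the `while True` loop in the new `_discard_trailers` has no bound: it calls `rfile.readline()` without a size argument and only stops at a blank line or EOF, so a peer can make the server read an arbitrarily long trailer section, and each trailer line can be arbitrarily large, before the request is finished. Suggest passing a maximum length to `readline()` and capping the number of trailer lines, raising through the same `ChunkReadError` path the surrounding `_chunked_read` already uses. Minor: the `b''` member of `line in (b'\r\n', b'\n', b'')` is redundant with the preceding `not line` test.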
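Review bot: the debdiff carries no regression test for the `self._discard_trailers(rfile)` replacement in the second hunk, so nothing in the Debian build exercises a chunked body that carries trailer fields; worth checking whether the upstream commit at the Origin URL includes one and carrying it along. The substitution itself keeps the old behaviour for trailer-less bodies (the first `readline()` returns the terminating CRLF and the loop exits), which is the case the pre-fix single `readline()` handled. Also, in the DEP-3 Description, "This patch fix that" should read "This patch fixes that".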
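To make the effect of the fix concrete, here is an added example that is not eventlet's code or part of the debdiff: a minimal chunked-body reader over an in-memory stream, with a switch between the pre-fix behaviour (one `readline()` after the zero-length chunk) and the patched behaviour (consume the trailer section up to its blank line). The sample input, the trailer field name and the line and count caps in `_discard_trailers` are this example's own constructions, not from the upstream patch; the caps are added so the loop cannot run unbounded.

```python
import io

# Constructed sample input (not from the bug report): a chunked body, a
# trailer section, then the first bytes of whatever the next message on a
# keep-alive connection would be. The trailer field name is hypothetical.
SAMPLE = (
    b"5\r\nhello\r\n"
    b"0\r\n"
    b"X-Checksum: deadbeef\r\n"  # one trailer field
    b"\r\n"                       # blank line that ends the trailer section
    b"NEXT"                       # start of the next message on the connection
)


def _discard_trailers(rfile, max_lines=100, max_line=8192):
    """Consume trailer lines up to and including the blank line that ends them.

    Mirrors the upstream fix; the max_lines/max_line caps are this example's
    own addition so a peer cannot keep the loop reading indefinitely.
    """
    for _ in range(max_lines):
        line = rfile.readline(max_line)
        if not line or line in (b"\r\n", b"\n"):
            return
        if not line.endswith(b"\n"):
            raise ValueError("trailer line too long")
    raise ValueError("too many trailer lines")


def read_chunked(rfile, discard_trailers=True):
    """Decode a chunked body from rfile and return the decoded bytes.

    discard_trailers=False reproduces the pre-fix behaviour of reading
    exactly one line after the zero-length chunk.
    """
    body = []
    while True:
        size_line = rfile.readline()
        if not size_line:
            raise ValueError("unexpected EOF while reading chunk size")
        # A chunk-size line may carry extensions after ';'; ignore them.
        size = int(size_line.split(b";", 1)[0].strip(), 16)
        if size == 0:
            if discard_trailers:
                _discard_trailers(rfile)
            else:
                rfile.readline()  # pre-fix: consumes only one line
            return b"".join(body)
        data = rfile.read(size)
        if len(data) != size:
            raise ValueError("short chunk")
        body.append(data)
        rfile.readline()  # CRLF that terminates the chunk data


def leftover_after(discard_trailers):
    """Decode SAMPLE and return (body, bytes still unread on the stream).

    With the fix the stream is positioned at the next message; without it
    part of the trailer section is left behind and would be read as the
    start of the next message.
    """
    rfile = io.BytesIO(SAMPLE)
    body = read_chunked(rfile, discard_trailers)
    return body, rfile.read()


if __name__ == "__main__":
    print("patched  :", leftover_after(True))
    print("pre-fix  :", leftover_after(False))
```

The decoded body is `b"hello"` either way; what differs is where the stream is left. With the patched behaviour the next read starts at `NEXT`, with the pre-fix behaviour the unread `\r\n` from the trailer section precedes it, which is the leftover that the changelog entry's request-smuggling description is about.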

