Bug#1113761: trixie-pu: package python-eventlet/0.39.1-2 CVE-2025-58068
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: python-eventlet@packages.debian.org
Control: affects -1 + src:python-eventlet
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
[ Reason ]
I'd like to fix:
https://bugs.debian.org/1112515
aka: CVE-2025-58068
[ Impact ]
Potential HTTP request smuggling.
[ Tests ]
I've set this already in production in my deployment.
[ Risks ]
Trivial patch that's discarding the chunk's trailer.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Please allow me to upload python-eventlet/0.39.1-2+deb13u1
as per debdiff.
Cheers,
Thomas Goirand (zigo)
diff -Nru python-eventlet-0.39.1/debian/changelog python-eventlet-0.39.1/debian/changelog
--- python-eventlet-0.39.1/debian/changelog 2025-04-01 16:44:12.000000000 +0200
+++ python-eventlet-0.39.1/debian/changelog 2025-09-02 10:43:30.000000000 +0200
@@ -1,3 +1,15 @@
+python-eventlet (0.39.1-2+deb13u1) trixie; urgency=medium
+
+ * CVE-2025-58068: Eventlet is a concurrent networking library for Python.
+ Prior to version 0.40.3, the Eventlet WSGI parser is vulnerable to HTTP
+ Request Smuggling due to improper handling of HTTP trailer sections. This
+ vulnerability could enable attackers to, bypass front-end security
+ controls, launch targeted attacks against active site users, and poison web
+ caches. Applied upstream patch (Closes: #1112515):
+ - Fix_request_smuggling_vulnerability_by_discarding_trailers.patch
+
+ -- Thomas Goirand <zigo@debian.org> Tue, 02 Sep 2025 10:43:30 +0200
+
python-eventlet (0.39.1-2) unstable; urgency=medium
* Add test_send_1k_req_rep to blacklist, failing on armel.
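Review bot: the changelog text in this hunk has a stray comma in "could enable attackers to, bypass front-end security controls"; drop it so the sentence reads "could enable attackers to bypass front-end security controls, launch targeted attacks against active site users, and poison web caches". Otherwise the entry names the CVE, the applied upstream patch file and the bug it closes, which is what the checklist requires.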
diff -Nru python-eventlet-0.39.1/debian/patches/CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch python-eventlet-0.39.1/debian/patches/CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch
--- python-eventlet-0.39.1/debian/patches/CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-eventlet-0.39.1/debian/patches/CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch 2025-09-02 10:43:30.000000000 +0200
@@ -0,0 +1,37 @@
+From: sebsrt <s@sebsrt.xyz>
+Date: Mon, 11 Aug 2025 11:46:28 +0200
+Description: CVE-2025-58068: Fix request smuggling vulnerability by discarding trailers (#1062)
+ The WSGI parser is vulnerable to a request smuggling vulnerability due
+ to not parsing trailer sections of an HTTP request. This patch fix that
+ by discarding trailers.
+Origin: upstream, https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb.patch
+Bug: https://github.com/eventlet/eventlet/pull/1062
+Bug-Debian: https://bugs.debian.org/1112515
+Last-Update: 2025-08-31
+
+diff --git a/eventlet/wsgi.py b/eventlet/wsgi.py
+index 92d031797..b6b4d0ce8 100644
+--- a/eventlet/wsgi.py
++++ b/eventlet/wsgi.py
+@@ -152,6 +152,12 @@ def _do_read(self, reader, length=None):
+ read = b''
+ self.position += len(read)
+ return read
++
++ def _discard_trailers(self, rfile):
++ while True:
++ line = rfile.readline()
++ if not line or line in (b'\r\n', b'\n', b''):
++ break
+
+ def _chunked_read(self, rfile, length=None, use_readline=False):
+ if self.should_send_hundred_continue:
+@@ -202,7 +208,7 @@ def _chunked_read(self, rfile, length=None, use_readline=False):
+ raise ChunkReadError(err)
+ self.position = 0
+ if self.chunk_length == 0:
+- rfile.readline()
++ self._discard_trailers(rfile)
+ except greenio.SSL.ZeroReturnError:
+ pass
+ return b''.join(response)
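Review bot: in `_discard_trailers`, the loop reads trailer lines until a blank line with no limit on how many lines it will consume or how long each may be, so consider pairing it with a cap on the number of trailer lines (or a maximum line length) so a client cannot keep the server reading trailers indefinitely. Minor: the `b''` member of the tuple in `if not line or line in (b'\r\n', b'\n', b'')` is redundant, since `not line` already handles EOF; `line in (b'\r\n', b'\n')` reads cleaner. In the DEP-3 header, "This patch fix that" should read "This patch fixes that".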
diff -Nru python-eventlet-0.39.1/debian/patches/series python-eventlet-0.39.1/debian/patches/series
--- python-eventlet-0.39.1/debian/patches/series 2025-04-01 16:44:12.000000000 +0200
+++ python-eventlet-0.39.1/debian/patches/series 2025-09-02 10:43:30.000000000 +0200
@@ -15,3 +15,4 @@
#use-raw-strings-to-avoid-warnings.patch
install-all-files.patch
fix-detecting-version.patch
+CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch