From b85daeb74e2de1b4314b1ef8abaff7ebd8c0718b Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Mon, 1 Sep 2025 11:30:20 +0800
Subject: [PATCH] Fix CVE-2025-58068 and delete redundant file python37.patch

---
 CVE-2025-58068.patch | 43 +++++++++++++
 python-eventlet.spec | 6 +-
 python37.patch | 140 -------------------------------------------
 3 files changed, 48 insertions(+), 141 deletions(-)
 create mode 100644 CVE-2025-58068.patch
 delete mode 100644 python37.patch

diff --git a/CVE-2025-58068.patch b/CVE-2025-58068.patch
new file mode 100644
index 0000000..d09b3dd
--- /dev/null
+++ b/CVE-2025-58068.patch
@@ -0,0 +1,43 @@
+From 0bfebd1117d392559e25b4bfbfcc941754de88fb Mon Sep 17 00:00:00 2001
+From: sebsrt
+Date: Mon, 11 Aug 2025 11:46:28 +0200
+Subject: [PATCH] [SECURITY] Fix request smuggling vulnerability by discarding
+ trailers (#1062)
+
+The WSGI parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. This patch fix that by discarding trailers.
+
+Origin:
+https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb
+---
+ eventlet/wsgi.py | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/eventlet/wsgi.py b/eventlet/wsgi.py
+index c236bc9..a63bac2 100644
+--- a/eventlet/wsgi.py
++++ b/eventlet/wsgi.py
+@@ -162,6 +162,12 @@ class Input(object):
+ self.position += len(read)
+ return read
+
++ def _discard_trailers(self, rfile):
++ while True:
++ line = rfile.readline()
++ if not line or line in (b'\r\n', b'\n', b''):
++ break
++
+ def _chunked_read(self, rfile, length=None, use_readline=False):
+ if self.wfile is not None and not self.is_hundred_continue_response_sent:
+ # 100 Continue response
+@@ -211,7 +217,7 @@ class Input(object):
+ raise ChunkReadError(err)
+ self.position = 0
+ if self.chunk_length == 0:
+- rfile.readline()
++ self._discard_trailers(rfile)
+ except greenio.SSL.ZeroReturnError:
+ pass
+ return b''.join(response)
+--
+2.50.1
+
diff --git a/python-eventlet.spec b/python-eventlet.spec
index 7d80e06..ce91a58 100644
--- a/python-eventlet.spec
+++ b/python-eventlet.spec
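Review bot: The added `_discard_trailers` loops on `rfile.readline()` with no cap on the number of trailer lines or on line length, so the trailer section after the terminating chunk is consumed without any bound; whether the surrounding reader already limits line length is not visible in this hunk, so that should be confirmed, and otherwise a line counter that raises `ChunkReadError` would keep the discard bounded, as in the excerpt below. The termination test is also partly redundant: `not line` already covers `b''`, so `line in (b'\r\n', b'\n', b'')` can be shortened to `line in (b'\r\n', b'\n')`. Note that the inner hunk offsets (`@@ -162,6 +162,12 @@`, `@@ -211,7 +217,7 @@`) come from a considerably newer upstream `eventlet/wsgi.py` than the 0.30.2 tarball this spec builds, so the patch may only apply with offset or fuzz and the build log should show both hunks applied. The enclosing `_chunked_read` starts and ends outside the hunk.
```python
    def _discard_trailers(self, rfile):
        # Bound the trailer section so a peer cannot stream trailer lines
        # indefinitely after the terminating chunk.
        for _ in range(MAX_TRAILER_LINES):  # placeholder: define next to the existing size limits
            line = rfile.readline()
            if not line or line in (b'\r\n', b'\n'):
                return
        raise ChunkReadError('too many trailer lines')
```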
@@ -1,13 +1,14 @@
 %global _empty_manifest_terminate_build 0
 Name: python-eventlet
 Version: 0.30.2
-Release: 2
+Release: 3
 Summary: Highly concurrent networking library
 License: MIT License
 URL: http://eventlet.net
 Source0: https://files.pythonhosted.org/packages/23/db/8ff5a9dec5ff016d5836254b676d507c2180d8838d7e545277d938896913/eventlet-0.30.2.tar.gz
 # https://github.com/eventlet/eventlet/commit/1412f5e4125b4313f815778a1acb4d3336efcd07
 Patch0: CVE-2021-21419.patch
+Patch1: CVE-2025-58068.patch
 BuildArch: noarch
 
 %description
@@ -85,6 +86,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 
 %changelog
+* Mon Sep 01 2025 yaoxin <1024769339@qq.com> - 0.30.2-3
+- Fix CVE-2025-58068 and delete redundant file python37.patch
+
 * Mon Oct 23 2023 yaoxin - 0.30.2-2
 - Fix CVE-2023-5625 (Patch for round CVE-2021-21419)
 
diff --git a/python37.patch b/python37.patch
deleted file mode 100644
index 62816ba..0000000
--- a/python37.patch
+++ /dev/null
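Review bot: `Patch1: CVE-2025-58068.patch` is declared in the first hunk, but the `%prep` section that applies patches is outside the diff, so it is not visible whether the new patch is actually applied: an `%autosetup -p1` would pick it up, whereas an explicit `%patch0 -p1` line would not, leaving the CVE unfixed while the changelog entry claims the fix. Please confirm `%prep` applies Patch1 and that the build log shows both hunks of the backport applying against 0.30.2 rather than being rejected. A comment above the new `Patch1:` line naming the upstream commit, in the same style as the existing `# https://github.com/eventlet/eventlet/commit/...` line above `Patch0:`, would also keep the provenance of the two patches consistent.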
@@ -1,140 +0,0 @@
-From 0d4e7bcb90800d6700b2c81c41c9770ee5f94358 Mon Sep 17 00:00:00 2001
-From: Marcel Plch
-Date: Mon, 9 Jul 2018 16:45:45 +0200
-Subject: [PATCH] Fix for Python 3.7
-
----
- eventlet/green/ssl.py | 46 ++++++++++++++++++++++++++++++++++++++++------
- tests/debug_test.py | 14 ++++++++++++--
- tests/hub_test.py | 4 +++-
- 3 files changed, 55 insertions(+), 9 deletions(-)
-
-diff --git a/eventlet/green/ssl.py b/eventlet/green/ssl.py
-index 53ee9a3c..df72869e 100644
---- a/eventlet/green/ssl.py
-+++ b/eventlet/green/ssl.py
-@@ -24,6 +24,7 @@
- 'create_default_context', '_create_default_https_context']
-
- _original_sslsocket = __ssl.SSLSocket
-+_original_wrap_socket = __ssl.wrap_socket
-
-
- class GreenSSLSocket(_original_sslsocket):
-@@ -57,11 +58,41 @@ def __init__(self, sock, keyfile=None, certfile=None,
- # this assignment
- self._timeout = sock.gettimeout()
-
-- # nonblocking socket handshaking on connect got disabled so let's pretend it's disabled
-- # even when it's on
-- super(GreenSSLSocket, self).__init__(
-- sock.fd, keyfile, certfile, server_side, cert_reqs, ssl_version,
-- ca_certs, do_handshake_on_connect and six.PY2, *args, **kw)
-+ if sys.version_info >= (3, 7):
-+ # Monkey-patch the sslsocket so our modified self gets
-+ # injected into its _create method.
-+ def fake_new(self, cls, *args, **kwargs): -+ return self -+ -+ orig_new = _original_sslsocket.__new__ -+ try: -+ _original_sslsocket.__new__ = fake_new.__get__(self, GreenSSLSocket) -+ -+ self = _original_wrap_socket( -+ sock=sock.fd, -+ keyfile=keyfile, -+ certfile=certfile, -+ server_side=server_side, -+ cert_reqs=cert_reqs, -+ ssl_version=ssl_version, -+ ca_certs=ca_certs, -+ do_handshake_on_connect=do_handshake_on_connect and six.PY2, -+ *args, **kw -+ ) -+ self.keyfile = keyfile -+ self.certfile = certfile -+ self.cert_reqs = cert_reqs -+ self.ssl_version = ssl_version -+ self.ca_certs = ca_certs -+ finally: -+ # Unpatch -+ _original_sslsocket.__new__ = orig_new -+ else: -+ # nonblocking socket handshaking on connect got disabled so let's pretend it's disabled -+ # even when it's on -+ super(GreenSSLSocket, self).__init__( -+ sock.fd, keyfile, certfile, server_side, cert_reqs, ssl_version, -+ ca_certs, do_handshake_on_connect and six.PY2, *args, **kw) - - # the superclass initializer trashes the methods so we remove - # the local-object versions of them and let the actual class -@@ -323,7 +354,10 @@ def connect(self, addr): - except NameError: - self._sslobj = sslobj - else: -- self._sslobj = SSLObject(sslobj, owner=self) -+ if sys.version_info < (3, 7): -+ self._sslobj = SSLObject(sslobj, owner=self) -+ else: -+ self._sslobj = sslobj - - if self.do_handshake_on_connect: - self.do_handshake() -diff --git a/tests/debug_test.py b/tests/debug_test.py -index 8299dede..82b3a834 100644 ---- a/tests/debug_test.py -+++ b/tests/debug_test.py -@@ -29,6 +29,11 @@ def test_unspew(self): - assert self.tracer is None - - def test_line(self): -+ if sys.version_info >= (3, 7): -+ frame_str = "f== (3, 7): -+ frame_str = "f=