From a0f8d03b39342846c89cf67458c29b66626c9305 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Mon, 1 Sep 2025 11:21:26 +0800
Subject: [PATCH] Fix CVE-2025-58068 and delete redundant file python37.patch

---
 CVE-2025-58068.patch | 40 +++++++++++++
 python-eventlet.spec | 8 ++-
 python37.patch | 140 ------------------------------------------
 3 files changed, 46 insertions(+), 142 deletions(-)
 create mode 100644 CVE-2025-58068.patch
 delete mode 100644 python37.patch

diff --git a/CVE-2025-58068.patch b/CVE-2025-58068.patch
new file mode 100644
index 0000000..21ec0b8
--- /dev/null
+++ b/CVE-2025-58068.patch
@@ -0,0 +1,40 @@
+From 0bfebd1117d392559e25b4bfbfcc941754de88fb Mon Sep 17 00:00:00 2001
+From: sebsrt
+Date: Mon, 11 Aug 2025 11:46:28 +0200
+Subject: [PATCH] [SECURITY] Fix request smuggling vulnerability by discarding
+ trailers (#1062)
+
+The WSGI parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. This patch fix that by discarding trailers.
+
+Origin:
+https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb
+---
+ eventlet/wsgi.py | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/eventlet/wsgi.py b/eventlet/wsgi.py
+index 92d031797..b6b4d0ce8 100644
+--- a/eventlet/wsgi.py
++++ b/eventlet/wsgi.py
+@@ -152,6 +152,12 @@ def _do_read(self, reader, length=None):
+ read = b''
+ self.position += len(read)
+ return read
++
++ def _discard_trailers(self, rfile):
++ while True:
++ line = rfile.readline()
++ if not line or line in (b'\r\n', b'\n', b''):
++ break
+
+ def _chunked_read(self, rfile, length=None, use_readline=False):
+ if self.should_send_hundred_continue:
+@@ -202,7 +208,7 @@ def _chunked_read(self, rfile, length=None, use_readline=False):
+ raise ChunkReadError(err)
+ self.position = 0
+ if self.chunk_length == 0:
+- rfile.readline()
++ self._discard_trailers(rfile)
+ except greenio.SSL.ZeroReturnError:
+ pass
+ return b''.join(response)
diff --git a/python-eventlet.spec b/python-eventlet.spec
index 77d6a67..c16f1b7 100644
--- a/python-eventlet.spec
+++ b/python-eventlet.spec
@@ -1,11 +1,12 @@
 %global _empty_manifest_terminate_build 0
 Name: python-eventlet
 Version: 0.33.0
-Release: 2
+Release: 3
 Summary: Highly concurrent networking library
 License: MIT License
 URL: http://eventlet.net
 Source0: https://github.com/eventlet/eventlet/archive/refs/tags/v0.33.0.tar.gz
+Patch0: CVE-2025-58068.patch
 BuildArch: noarch
 
 %description
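Review bot: `_discard_trailers` in the added hunk loops on `rfile.readline()` with no cap on the number of trailer lines or on the length of a single line, so a client that sends the zero-size chunk and then streams an endless trailer section keeps the handler busy (and a newline-free line grows memory) for as long as it likes. The smuggling fix itself is right — the previous single `readline()` left every trailer line after the first to be parsed as the next request on the connection — but it should fail closed the way the chunk-size parsing above it does, raising `ChunkReadError` past a per-line and a per-section limit; the request-line limit the server applies elsewhere, if any, is not visible here, so the values below are illustrative and `ChunkReadError` is assumed to accept a message. The `b''` entry in the tuple is already covered by `not line` and can be dropped. `_chunked_read`'s definition starts and ends outside this hunk.

```python
    def _discard_trailers(self, rfile):
        # Trailers are not exposed to the application; consume them so the
        # next request on a keep-alive connection starts at the right byte.
        # Limits are illustrative -- reuse the server's request-line limit
        # if it already has one.
        for _ in range(100):
            line = rfile.readline(8192)
            if not line or line in (b'\r\n', b'\n'):
                return
            if not line.endswith(b'\n'):
                raise ChunkReadError('trailer line too long')
        raise ChunkReadError('too many trailer lines')
    # ... unchanged: _chunked_read ...
```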
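Review bot: `Patch0: CVE-2025-58068.patch` is declared here, but nothing in this hunk applies it — whether the CVE fix reaches the built package depends on `%prep` using `%autosetup -p1` (or an explicit `%patch0 -p1`), and `%prep` is outside the diff. With a plain `%setup` the 0.33.0-3 build would carry the changelog claim and no fix, so please confirm the apply step, ideally by checking that the built `eventlet/wsgi.py` contains `_discard_trailers`. The embedded patch header also shows it was cut from a newer upstream tree (`index 92d031797..b6b4d0ce8`), so a clean apply against the 0.33.0 tarball is the thing to verify rather than assume.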
@@ -83,6 +84,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 
 %changelog
+* Mon Sep 01 2025 yaoxin <1024769339@qq.com> - 0.33.0-3
+- Fix CVE-2025-58068 and delete redundant file python37.patch
+
 * Thu Aug 18 2022 xu_ping - 0.33.0-2
 - remove .python-eventlet.spec.swp file
 
@@ -92,7 +96,7 @@ mv %{buildroot}/doclist.lst .
 * Mon Jul 26 2021 OpenStack_SIG - 0.30.2-1
 - update to 0.30.2
 
-* Fri Jan 15 2021 Python_Bot
+* Fri Jan 15 2021 Python_Bot - 0.23.0-4
 - Package Spec generated
 
 * Thu Mar 12 2020 zoushuangshuang - 0.23.0-3
diff --git a/python37.patch b/python37.patch
deleted file mode 100644
index 62816ba..0000000
--- a/python37.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-From 0d4e7bcb90800d6700b2c81c41c9770ee5f94358 Mon Sep 17 00:00:00 2001
-From: Marcel Plch
-Date: Mon, 9 Jul 2018 16:45:45 +0200
-Subject: [PATCH] Fix for Python 3.7
-
----
- eventlet/green/ssl.py | 46 ++++++++++++++++++++++++++++++++++++++++------
- tests/debug_test.py | 14 ++++++++++++--
- tests/hub_test.py | 4 +++-
- 3 files changed, 55 insertions(+), 9 deletions(-)
-
-diff --git a/eventlet/green/ssl.py b/eventlet/green/ssl.py
-index 53ee9a3c..df72869e 100644
---- a/eventlet/green/ssl.py
--+++ b/eventlet/green/ssl.py
-@@ -24,6 +24,7 @@
- 'create_default_context', '_create_default_https_context']
- 
- _original_sslsocket = __ssl.SSLSocket
-+_original_wrap_socket = __ssl.wrap_socket
- 
- 
- class GreenSSLSocket(_original_sslsocket):
-@@ -57,11 +58,41 @@ def __init__(self, sock, keyfile=None, certfile=None,
- # this assignment
- self._timeout = sock.gettimeout()
- 
-- # nonblocking socket handshaking on connect got disabled so let's pretend it's disabled
-- # even when it's on
-- super(GreenSSLSocket, self).__init__(
-- sock.fd, keyfile, certfile, server_side, cert_reqs, ssl_version,
-- ca_certs, do_handshake_on_connect and six.PY2, *args, **kw)
-+ if sys.version_info >= (3, 7):
-+ # Monkey-patch the sslsocket so our modified self gets
-+ # injected into its _create method.
-+ def fake_new(self, cls, *args, **kwargs): -+ return self -+ -+ orig_new = _original_sslsocket.__new__ -+ try: -+ _original_sslsocket.__new__ = fake_new.__get__(self, GreenSSLSocket) -+ -+ self = _original_wrap_socket( -+ sock=sock.fd, -+ keyfile=keyfile, -+ certfile=certfile, -+ server_side=server_side, -+ cert_reqs=cert_reqs, -+ ssl_version=ssl_version, -+ ca_certs=ca_certs, -+ do_handshake_on_connect=do_handshake_on_connect and six.PY2, -+ *args, **kw -+ ) -+ self.keyfile = keyfile -+ self.certfile = certfile -+ self.cert_reqs = cert_reqs -+ self.ssl_version = ssl_version -+ self.ca_certs = ca_certs -+ finally: -+ # Unpatch -+ _original_sslsocket.__new__ = orig_new -+ else: -+ # nonblocking socket handshaking on connect got disabled so let's pretend it's disabled -+ # even when it's on -+ super(GreenSSLSocket, self).__init__( -+ sock.fd, keyfile, certfile, server_side, cert_reqs, ssl_version, -+ ca_certs, do_handshake_on_connect and six.PY2, *args, **kw) - - # the superclass initializer trashes the methods so we remove - # the local-object versions of them and let the actual class -@@ -323,7 +354,10 @@ def connect(self, addr): - except NameError: - self._sslobj = sslobj - else: -- self._sslobj = SSLObject(sslobj, owner=self) -+ if sys.version_info < (3, 7): -+ self._sslobj = SSLObject(sslobj, owner=self) -+ else: -+ self._sslobj = sslobj - - if self.do_handshake_on_connect: - self.do_handshake() -diff --git a/tests/debug_test.py b/tests/debug_test.py -index 8299dede..82b3a834 100644 ---- a/tests/debug_test.py -+++ b/tests/debug_test.py -@@ -29,6 +29,11 @@ def test_unspew(self): - assert self.tracer is None - - def test_line(self): -+ if sys.version_info >= (3, 7): -+ frame_str = "f== (3, 7): -+ frame_str = "f=