Your message dated Sat, 14 Mar 2026 11:48:36 +0000
with message-id <[email protected]>
and subject line Released with 13.4
has caused the Debian Bug report #1128060,
regarding trixie-pu: package rust-ntp-proto/1.4.0-4+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1128060: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128060
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected],
[email protected]
Control: affects -1 + src:rust-ntp-proto
User: [email protected]
Usertags: pu
[ Reason ]
Fix CVE-2026-26076 - increased load while processing malformed NTS packets
See #1127929 for details and input by the security team.
[ Impact ]
ntpd-rs (the NTP client/daemon using the ntp-proto crate) would still be
affected by the CVE.
[ Tests ]
The fix is cherry-picked from upstream, the autopkgtest suite passes as much as
it did before.
[ Risks ]
The change is fairly trivial.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
A single cherry-picked patch with a minor modification for different import
context, introducing an upper bound for the amount of NTS packets processed for
a given request.
[ Other info ]
Since rust-ntp-proto just builds librust-ntp-proto-dev which just contains Rust
source code, the actual fix will only materialize via a binNMU of rust-ntpd to
pick up the change.
Thanks for your consideration,
Fabian
diff -Nru rust-ntp-proto-1.4.0/debian/changelog
rust-ntp-proto-1.4.0/debian/changelog
--- rust-ntp-proto-1.4.0/debian/changelog 2025-03-08 16:38:51.000000000
+0100
+++ rust-ntp-proto-1.4.0/debian/changelog 2026-02-14 19:39:13.000000000
+0100
@@ -1,3 +1,10 @@
+rust-ntp-proto (1.4.0-4+deb13u1) trixie; urgency=high
+
+ * Fix CVE-2026-26076 - increased load while processing malformed NTS packets
+ (Closes: #1127929)
+
+ -- Fabian Grünbichler <[email protected]> Sat, 14 Feb 2026
19:39:13 +0100
+
rust-ntp-proto (1.4.0-4) unstable; urgency=medium
* Team upload.
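Review bot: The new 1.4.0-4+deb13u1 entry names only the CVE and the bug it closes; it does not name the patch file that was added or record that the upstream commit was adjusted for this version's import context, which the request text describes. Suggest a sub-item along the lines of "d/patches/CVE-2026-26076.patch: cherry-pick of upstream fa73af14, import adjusted" so the stable changelog shows what differs from upstream.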
diff -Nru rust-ntp-proto-1.4.0/debian/patches/CVE-2026-26076.patch
rust-ntp-proto-1.4.0/debian/patches/CVE-2026-26076.patch
--- rust-ntp-proto-1.4.0/debian/patches/CVE-2026-26076.patch 1970-01-01
01:00:00.000000000 +0100
+++ rust-ntp-proto-1.4.0/debian/patches/CVE-2026-26076.patch 2026-02-14
19:39:13.000000000 +0100
@@ -0,0 +1,43 @@
+From fa73af14d17b666b1142b9fee3ba22c18a841d24 Mon Sep 17 00:00:00 2001
+From: David Venhoek <[email protected]>
+Date: Thu, 12 Feb 2026 09:40:04 +0100
+Subject: [PATCH] Fix excessive generation of cookies.
+
+---
+ ntp-proto/src/packet/mod.rs | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/src/packet/mod.rs
++++ b/src/packet/mod.rs
+@@ -4,6 +4,7 @@
+ use serde::{Deserialize, Serialize};
+
+ use crate::{
++ MAX_COOKIES,
+ clock::NtpClock,
+ identifiers::ReferenceId,
+ io::NonBlockingWrite,
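Review bot: The patch header above this hunk still reads "4 insertions(+), 1 deletion(-)", while the hunks carried here add four lines and remove none, so the header no longer describes the adapted patch. Since this MAX_COOKIES import is the part that was changed from upstream, a short note in the patch header (for example a DEP-3 Origin field naming the upstream commit and a line saying the import hunk was adjusted) would make the deviation visible. The definition of MAX_COOKIES at the crate root is not part of this diff, so the value of the bound cannot be reviewed from here.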
+@@ -718,6 +719,7 @@
+ })
+ }
+
++ #[allow(clippy::too_many_lines)]
+ pub fn nts_timestamp_response<C: NtpClock>(
+ system: &SystemSnapshot,
+ input: Self,
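Review bot: The #[allow(clippy::too_many_lines)] on nts_timestamp_response silences the lint rather than shortening the function, and the two hunks that follow add the same .take(MAX_COOKIES) to two iterator chains that look identical in the visible lines. Keeping the cherry-pick minimal is reasonable for a stable update, but upstream could move that chain into one helper so the bound lives in a single place and the allow can be dropped.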
+@@ -741,6 +743,7 @@
+ .authenticated
+ .iter()
+ .chain(input.efdata.encrypted.iter())
++ .take(MAX_COOKIES)
+ .filter_map(|f| match f {
+ ExtensionField::NtsCookiePlaceholder {
cookie_length } => {
+ let new_cookie = keyset.encode_cookie(cookie);
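Review bot: The .take(MAX_COOKIES) here sits before .filter_map, so it caps how many extension fields from the chained authenticated and encrypted lists are inspected, not how many cookies are generated. Any field that is not an NtsCookiePlaceholder also counts against the limit, so a request whose placeholders come after other fields can receive fewer new cookies than MAX_COOKIES. If the intent is "at most MAX_COOKIES calls to keyset.encode_cookie", placing .take(MAX_COOKIES) after the .filter_map would express that directly; if the current position is deliberate, a comment saying so would help.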
+@@ -786,6 +789,7 @@
+ .authenticated
+ .iter()
+ .chain(input.efdata.encrypted.iter())
++ .take(MAX_COOKIES)
+ .filter_map(|f| match f {
+ ExtensionField::NtsCookiePlaceholder {
cookie_length } => {
+ let new_cookie = keyset.encode_cookie(cookie);
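Review bot: No test accompanies the bound added in this hunk or the previous one; the patch changes only src/packet/mod.rs. A unit test that passes nts_timestamp_response a request with more than MAX_COOKIES NtsCookiePlaceholder fields and asserts on the number of cookies in the response would pin the fix for both chains and guard against the limit being lost in a later refactor.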
diff -Nru rust-ntp-proto-1.4.0/debian/patches/series
rust-ntp-proto-1.4.0/debian/patches/series
--- rust-ntp-proto-1.4.0/debian/patches/series 2025-03-08 16:38:51.000000000
+0100
+++ rust-ntp-proto-1.4.0/debian/patches/series 2026-02-14 19:38:22.000000000
+0100
@@ -2,3 +2,4 @@
relax-serde-test.diff
rustls-native-certs-0.6.diff
disable-other-rustls.diff
+CVE-2026-26076.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.4
This update has been released as part of Debian 13.4.
--- End Message ---