Your message dated Sat, 11 Jul 2026 10:42:31 +0000
with message-id <[email protected]>
and subject line Released in 12.15
has caused the Debian Bug report #1128927,
regarding bookworm-pu: package rust-time/0.3.9-1+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1128927: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128927
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:rust-time
User: [email protected]
Usertags: pu
[ Reason ]
CVE-2026-25727 (stack exhaustion)
[ Impact ]
Vulnerable to denial of service.
[ Tests ]
I have only compiled the package with a upstream patch backport.
[ Risks ]
Code change is trivial. There is only an inline annotation that had to
be dropped to backport the patch.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in oldstable
[x] the issue is verified as fixed in unstable
[ Changes ]
The upstream patch limits the stack frames.
[ Other info ]
Team upload.
diff -Nru rust-time-0.3.9/debian/changelog rust-time-0.3.9/debian/changelog
--- rust-time-0.3.9/debian/changelog 2022-06-05 18:58:52.000000000 +0200
+++ rust-time-0.3.9/debian/changelog 2026-02-24 16:41:02.000000000 +0100
@@ -1,3 +1,9 @@
+rust-time (0.3.9-1+deb12u1) bookworm; urgency=medium
+
+ * Backport upstream fix for CVE-2026-25727 (Closes: #1128404)
+
+ -- Bastian Germann <[email protected]> Tue, 24 Feb 2026 17:00:26 +0100
+
rust-time (0.3.9-1) unstable; urgency=medium
* Team upload.
diff -Nru rust-time-0.3.9/debian/patches/CVE-2026-25727.patch
rust-time-0.3.9/debian/patches/CVE-2026-25727.patch
--- rust-time-0.3.9/debian/patches/CVE-2026-25727.patch 1970-01-01
01:00:00.000000000 +0100
+++ rust-time-0.3.9/debian/patches/CVE-2026-25727.patch 2026-02-24
16:39:38.000000000 +0100
@@ -0,0 +1,58 @@
+Origin: backport, 1c63dc7985b8fa26bd8c689423cc56b7a03841ee
+From: Jacob Pratt <[email protected]>
+Date: Thu, 5 Feb 2026 00:36:13 -0500
+Subject: Avoid denial of service when parsing Rfc2822
+
+Backport: Remove the #[inline] from the newer version
+---
+--- a/src/parsing/combinator/rfc/rfc2822.rs
++++ b/src/parsing/combinator/rfc/rfc2822.rs
+@@ -6,6 +6,8 @@ use crate::parsing::combinator::rfc::rfc2234::wsp;
+ use crate::parsing::combinator::{ascii_char, one_or_more, zero_or_more};
+ use crate::parsing::ParsedItem;
+
++const DEPTH_LIMIT: u8 = 32;
++
+ /// Consume the `fws` rule.
+ // The full rule is equivalent to /\r\n[ \t]+|[ \t]+(?:\r\n[ \t]+)*/
+ pub(crate) fn fws(mut input: &[u8]) -> Option<ParsedItem<'_, ()>> {
+@@ -23,14 +25,23 @@ pub(crate) fn fws(mut input: &[u8]) ->
Option<ParsedItem<'_, ()>> {
+ /// Consume the `cfws` rule.
+ // The full rule is equivalent to any combination of `fws` and `comment` so
long as it is not empty.
+ pub(crate) fn cfws(input: &[u8]) -> Option<ParsedItem<'_, ()>> {
+- one_or_more(|input| fws(input).or_else(|| comment(input)))(input)
++ one_or_more(|input| fws(input).or_else(|| comment(input, 1)))(input)
+ }
+
+ /// Consume the `comment` rule.
+-fn comment(mut input: &[u8]) -> Option<ParsedItem<'_, ()>> {
++fn comment(mut input: &[u8], depth: u8) -> Option<ParsedItem<'_, ()>> {
++ // Avoid stack exhaustion DoS by limiting recursion depth. This will
cause highly-nested
++ // comments to fail parsing, but comments *at all* are incredibly rare in
practice.
++ //
++ // The error from this will not be descriptive, but the rarity and
near-certain maliciousness of
++ // such inputs makes this an acceptable trade-off.
++ if depth == DEPTH_LIMIT {
++ return None;
++ }
++
+ input = ascii_char::<b'('>(input)?.into_inner();
+ input = zero_or_more(fws)(input).into_inner();
+- while let Some(rest) = ccontent(input) {
++ while let Some(rest) = ccontent(input, depth + 1) {
+ input = rest.into_inner();
+ input = zero_or_more(fws)(input).into_inner();
+ }
+@@ -40,10 +51,10 @@ fn comment(mut input: &[u8]) -> Option<ParsedItem<'_, ()>>
{
+ }
+
+ /// Consume the `ccontent` rule.
+-fn ccontent(input: &[u8]) -> Option<ParsedItem<'_, ()>> {
++fn ccontent(input: &[u8], depth: u8) -> Option<ParsedItem<'_, ()>> {
+ ctext(input)
+ .or_else(|| quoted_pair(input))
+- .or_else(|| comment(input))
++ .or_else(|| comment(input, depth))
+ }
+
+ /// Consume the `ctext` rule.
diff -Nru rust-time-0.3.9/debian/patches/series
rust-time-0.3.9/debian/patches/series
--- rust-time-0.3.9/debian/patches/series 2022-06-05 18:58:52.000000000
+0200
+++ rust-time-0.3.9/debian/patches/series 2026-02-24 16:39:51.000000000
+0100
@@ -1,2 +1,3 @@
disable-omitted-tests.patch
relax-dep.patch
+CVE-2026-25727.patch
--- End Message ---
--- Begin Message ---
Version: 12.15
This update was released as part of 12.15.
--- End Message ---