Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:rust-ntp-proto
User: [email protected]
Usertags: pu
[ Reason ]
Fix CVE-2026-26076 - increased load while processing malformed NTS packets.
See #1127929 for details and input by the security team.

[ Impact ]
ntpd-rs (the NTP client/daemon using the ntp-proto crate) would still be
affected by the CVE.

[ Tests ]
The fix is cherry-picked from upstream; the autopkgtest suite passes as much
as it did before.

[ Risks ]
The change is fairly trivial.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
A single cherry-picked patch with a minor modification for a different import
context, introducing an upper bound on the number of NTS packets processed for
a given request.

[ Other info ]
Since rust-ntp-proto just builds librust-ntp-proto-dev, which only contains
Rust source code, the actual fix will only materialize via a binNMU of
rust-ntpd to pick up the change.

Thanks for your consideration,
Fabian
diff -Nru rust-ntp-proto-1.4.0/debian/changelog rust-ntp-proto-1.4.0/debian/changelog --- rust-ntp-proto-1.4.0/debian/changelog 2025-03-08 16:38:51.000000000 +0100 +++ rust-ntp-proto-1.4.0/debian/changelog 2026-02-14 19:39:13.000000000 +0100 @@ -1,3 +1,10 @@ +rust-ntp-proto (1.4.0-4+deb13u1) trixie; urgency=high + + * Fix CVE-2026-26076 - increased load while processing malformed NTS packets + (Closes: #1127929) + + -- Fabian Grünbichler <[email protected]> Sat, 14 Feb 2026 19:39:13 +0100 + rust-ntp-proto (1.4.0-4) unstable; urgency=medium * Team upload. diff -Nru rust-ntp-proto-1.4.0/debian/patches/CVE-2026-26076.patch rust-ntp-proto-1.4.0/debian/patches/CVE-2026-26076.patch --- rust-ntp-proto-1.4.0/debian/patches/CVE-2026-26076.patch 1970-01-01 01:00:00.000000000 +0100 +++ rust-ntp-proto-1.4.0/debian/patches/CVE-2026-26076.patch 2026-02-14 19:39:13.000000000 +0100 
@@ -0,0 +1,43 @@ +From fa73af14d17b666b1142b9fee3ba22c18a841d24 Mon Sep 17 00:00:00 2001 +From: David Venhoek <[email protected]> +Date: Thu, 12 Feb 2026 09:40:04 +0100 +Subject: [PATCH] Fix excessive generation of cookies. + +--- + ntp-proto/src/packet/mod.rs | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/src/packet/mod.rs ++++ b/src/packet/mod.rs +@@ -4,6 +4,7 @@ + use serde::{Deserialize, Serialize}; + + use crate::{ ++ MAX_COOKIES, + clock::NtpClock, + identifiers::ReferenceId, + io::NonBlockingWrite, +@@ -718,6 +719,7 @@ + }) + } + ++ #[allow(clippy::too_many_lines)] + pub fn nts_timestamp_response<C: NtpClock>( + system: &SystemSnapshot, + input: Self, +@@ -741,6 +743,7 @@ + .authenticated + .iter() + .chain(input.efdata.encrypted.iter()) ++ .take(MAX_COOKIES) + .filter_map(|f| match f { + ExtensionField::NtsCookiePlaceholder { cookie_length } => { + let new_cookie = keyset.encode_cookie(cookie); +@@ -786,6 +789,7 @@ + .authenticated + .iter() + .chain(input.efdata.encrypted.iter()) ++ .take(MAX_COOKIES) + .filter_map(|f| match f { + ExtensionField::NtsCookiePlaceholder { cookie_length } => { + let new_cookie = keyset.encode_cookie(cookie); diff -Nru rust-ntp-proto-1.4.0/debian/patches/series rust-ntp-proto-1.4.0/debian/patches/series --- rust-ntp-proto-1.4.0/debian/patches/series 2025-03-08 16:38:51.000000000 +0100 +++ rust-ntp-proto-1.4.0/debian/patches/series 2026-02-14 19:38:22.000000000 +0100 @@ -2,3 +2,4 @@ relax-serde-test.diff rustls-native-certs-0.6.diff disable-other-rustls.diff +CVE-2026-26076.patch
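Review bot: the `@@ -4,6 +4,7 @@` hunk only adds an import of `MAX_COOKIES` from the crate root and defines nothing new, so the server-side cap is whatever value 1.4.0 already ships under that name, a constant that predates this fix. Confirm that the value in the trixie source matches what upstream fa73af14 relies on and that it is at least the number of placeholders a well-behaved client puts in one request; if it is smaller, clients will receive fewer fresh cookies per exchange than before the update. A one-line comment at the two use sites explaining why `MAX_COOKIES` is the right bound would save the next reader the same check.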
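Review bot: the `#[allow(clippy::too_many_lines)]` line in the `@@ -718,6 +719,7 @@` hunk is lint-only and has no bearing on the CVE; it just silences a warning on `nts_timestamp_response`. Keeping it makes the Debian patch match upstream fa73af14 more closely, which is fine for a stable update, but the patch header should say so, otherwise a reviewer comparing the "4 insertions" diffstat with the changelog text wonders what the fourth line is for. Dropping it for a minimal stable diff would be equally acceptable.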
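Review bot: in the `@@ -741,6 +743,7 @@` hunk `.take(MAX_COOKIES)` is placed before the `.filter_map`, so it bounds the number of extension fields walked (all of `authenticated`, then `encrypted`), not the number of `NtsCookiePlaceholder` fields that get turned into cookies. A legitimate request whose first `MAX_COOKIES` fields are other extension fields ahead of its placeholders therefore receives fewer cookies than the cap, possibly none. If the intent is "at most MAX_COOKIES new cookies", move the bound after the filter, i.e. `.filter_map(|f| match f { ... })` followed by `.take(MAX_COOKIES)`; the chain is lazy, so `keyset.encode_cookie` still runs at most `MAX_COOKIES` times and the load bound is preserved. Either placement deserves a regression test that builds a request with more than `MAX_COOKIES` placeholders and asserts on the cookie count in the response; the diffstat shows no test change.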
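Review bot: the `@@ -786,6 +789,7 @@` hunk patches a second, byte-identical copy of the placeholder-handling chain, which is why the fix has to be applied in two places and why the `.take` placement question applies twice. Two copies of the same security-relevant bound are easy to let drift apart in a later backport; factoring the `.iter().chain(...).take(MAX_COOKIES).filter_map(...)` pipeline into one helper called from both sites would keep the cap in a single location. That refactor belongs upstream rather than in the stable patch, but it is worth raising there.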
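Review bot: the new `CVE-2026-26076.patch` file carries the upstream git header whose diffstat still lists `ntp-proto/src/packet/mod.rs`, while the hunks themselves have been re-rooted to `src/packet/mod.rs` for the Debian crate tarball. quilt only reads the `---`/`+++` lines, so the patch applies, but the mismatch is the "minor modification" mentioned in the cover text and is otherwise undocumented. Add DEP-3 headers above the `From:` line, at least `Origin:` naming upstream commit fa73af14d17b666b1142b9fee3ba22c18a841d24 with a note that the paths were adjusted, and `Bug-Debian:` for #1127929, so the provenance survives outside this bug report.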

