Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: [email protected] Control: affects -1 + src:rust-time User: [email protected] Usertags: pu
[ Reason ] CVE-2026-25727 (stack exhaustion) [ Impact ] Vulnerable to denial of service. [ Tests ] I have only compiled the package with an upstream patch backport. [ Risks ] Code change is trivial. There is only an inline annotation that had to be dropped to backport the patch. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in oldstable [x] the issue is verified as fixed in unstable [ Changes ] The upstream patch limits the stack frames. [ Other info ] Team upload.
diff -Nru rust-time-0.3.9/debian/changelog rust-time-0.3.9/debian/changelog
--- rust-time-0.3.9/debian/changelog 2022-06-05 18:58:52.000000000 +0200
+++ rust-time-0.3.9/debian/changelog 2026-02-24 16:41:02.000000000 +0100
@@ -1,3 +1,9 @@
+rust-time (0.3.9-1+deb12u1) bookworm; urgency=medium
+
+ * Backport upstream fix for CVE-2026-25727 (Closes: #1128404)
+
+ -- Bastian Germann <[email protected]> Tue, 24 Feb 2026 17:00:26 +0100
+
 rust-time (0.3.9-1) unstable; urgency=medium
 
 * Team upload.
diff -Nru rust-time-0.3.9/debian/patches/CVE-2026-25727.patch rust-time-0.3.9/debian/patches/CVE-2026-25727.patch
--- rust-time-0.3.9/debian/patches/CVE-2026-25727.patch 1970-01-01 01:00:00.000000000 +0100
+++ rust-time-0.3.9/debian/patches/CVE-2026-25727.patch 2026-02-24 16:39:38.000000000 +0100
@@ -0,0 +1,58 @@
+Origin: backport, 1c63dc7985b8fa26bd8c689423cc56b7a03841ee
+From: Jacob Pratt <[email protected]>
+Date: Thu, 5 Feb 2026 00:36:13 -0500
+Subject: Avoid denial of service when parsing Rfc2822
+
+Backport: Remove the #[inline] from the newer version
+---
+--- a/src/parsing/combinator/rfc/rfc2822.rs
++++ b/src/parsing/combinator/rfc/rfc2822.rs
+@@ -6,6 +6,8 @@ use crate::parsing::combinator::rfc::rfc2234::wsp;
+ use crate::parsing::combinator::{ascii_char, one_or_more, zero_or_more};
+ use crate::parsing::ParsedItem;
+ 
++const DEPTH_LIMIT: u8 = 32;
++
+ /// Consume the `fws` rule.
+ // The full rule is equivalent to /\r\n[ \t]+|[ \t]+(?:\r\n[ \t]+)*/
+ pub(crate) fn fws(mut input: &[u8]) -> Option<ParsedItem<'_, ()>> {
+@@ -23,14 +25,23 @@ pub(crate) fn fws(mut input: &[u8]) -> Option<ParsedItem<'_, ()>> {
+ /// Consume the `cfws` rule.
+ // The full rule is equivalent to any combination of `fws` and `comment` so long as it is not empty.
+ pub(crate) fn cfws(input: &[u8]) -> Option<ParsedItem<'_, ()>> {
+- one_or_more(|input| fws(input).or_else(|| comment(input)))(input)
++ one_or_more(|input| fws(input).or_else(|| comment(input, 1)))(input)
+ }
+ 
+ /// Consume the `comment` rule.
+-fn comment(mut input: &[u8]) -> Option<ParsedItem<'_, ()>> {
++fn comment(mut input: &[u8], depth: u8) -> Option<ParsedItem<'_, ()>> {
++ // Avoid stack exhaustion DoS by limiting recursion depth. This will cause highly-nested
++ // comments to fail parsing, but comments *at all* are incredibly rare in practice.
++ //
++ // The error from this will not be descriptive, but the rarity and near-certain maliciousness of
++ // such inputs makes this an acceptable trade-off.
++ if depth == DEPTH_LIMIT {
++ return None;
++ }
++
+ input = ascii_char::<b'('>(input)?.into_inner();
+ input = zero_or_more(fws)(input).into_inner();
+- while let Some(rest) = ccontent(input) {
++ while let Some(rest) = ccontent(input, depth + 1) {
+ input = rest.into_inner();
+ input = zero_or_more(fws)(input).into_inner();
+ }
+@@ -40,10 +51,10 @@ fn comment(mut input: &[u8]) -> Option<ParsedItem<'_, ()>> {
+ }
+ 
+ /// Consume the `ccontent` rule.
+-fn ccontent(input: &[u8]) -> Option<ParsedItem<'_, ()>> {
++fn ccontent(input: &[u8], depth: u8) -> Option<ParsedItem<'_, ()>> {
+ ctext(input)
+ .or_else(|| quoted_pair(input))
+- .or_else(|| comment(input))
++ .or_else(|| comment(input, depth))
+ }
+ 
+ /// Consume the `ctext` rule.
diff -Nru rust-time-0.3.9/debian/patches/series rust-time-0.3.9/debian/patches/series
--- rust-time-0.3.9/debian/patches/series 2022-06-05 18:58:52.000000000 +0200
+++ rust-time-0.3.9/debian/patches/series 2026-02-24 16:39:51.000000000 +0100
@@ -1,2 +1,3 @@
 disable-omitted-tests.patch
 relax-dep.patch
+CVE-2026-25727.patch
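Review bot: The guard `if depth == DEPTH_LIMIT {` at the top of `comment` is an exact-match check, so it only bounds recursion because `cfws` seeds `depth` with 1 and `comment` passes `depth + 1` to `ccontent`; any future caller that enters above 32, or a raised `DEPTH_LIMIT` that some path skips over, would never hit the equality until the `u8` wrapped (a panic under overflow checks, otherwise roughly 220 more frames of the recursion the patch is meant to stop). An inclusive comparison removes that dependency at no cost: `if depth >= DEPTH_LIMIT {`. Since the bug's [Tests] entry records a compile-only check, a crate-internal regression test that hands `cfws` a few thousand `(` bytes on a thread spawned with a deliberately small stack and asserts it returns `None` without aborting would confirm the backport actually closes CVE-2026-25727 on bookworm. The tail of `comment`, where the closing `)` is consumed after the `while let` loop, lies outside this hunk.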

