Your message dated Sat, 11 Jul 2026 10:32:49 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1128925,
regarding trixie-pu: package rust-time/0.3.37-1+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1128925: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128925
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:rust-time
User: [email protected]
Usertags: pu

[ Reason ]
CVE-2026-25727 (stack exhaustion)

[ Impact ]
Vulnerable to denial of service.

[ Tests ]
I have only compiled the package with a upstream patch backport.

[ Risks ]
Code change is trivial. There is only an inline annotation that had to
be dropped to backport the patch.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The upstream patch limits the stack frames.

[ Other info ]
Team upload.
diff -Nru rust-time-0.3.37/debian/changelog rust-time-0.3.37/debian/changelog
--- rust-time-0.3.37/debian/changelog   2024-12-28 14:35:06.000000000 +0100
+++ rust-time-0.3.37/debian/changelog   2026-02-24 16:41:27.000000000 +0100
@@ -1,3 +1,9 @@
+rust-time (0.3.37-1+deb13u1) trixie; urgency=medium
+
+  * Backport upstream fix for CVE-2026-25727 (Closes: #1128404)
+
+ -- Bastian Germann <[email protected]>  Tue, 24 Feb 2026 17:00:26 +0100
+
 rust-time (0.3.37-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru rust-time-0.3.37/debian/patches/CVE-2026-25727.patch 
rust-time-0.3.37/debian/patches/CVE-2026-25727.patch
--- rust-time-0.3.37/debian/patches/CVE-2026-25727.patch        1970-01-01 
01:00:00.000000000 +0100
+++ rust-time-0.3.37/debian/patches/CVE-2026-25727.patch        2026-02-24 
16:35:11.000000000 +0100
@@ -0,0 +1,58 @@
+Origin: backport, 1c63dc7985b8fa26bd8c689423cc56b7a03841ee
+From: Jacob Pratt <[email protected]>
+Date: Thu, 5 Feb 2026 00:36:13 -0500
+Subject: Avoid denial of service when parsing Rfc2822
+
+Backport: Remove the #[inline] from the newer version
+---
+--- a/src/parsing/combinator/rfc/rfc2822.rs
++++ b/src/parsing/combinator/rfc/rfc2822.rs
+@@ -6,6 +6,8 @@ use crate::parsing::combinator::rfc::rfc2234::wsp;
+ use crate::parsing::combinator::{ascii_char, one_or_more, zero_or_more};
+ use crate::parsing::ParsedItem;
+ 
++const DEPTH_LIMIT: u8 = 32;
++
+ /// Consume the `fws` rule.
+ // The full rule is equivalent to /\r\n[ \t]+|[ \t]+(?:\r\n[ \t]+)*/
+ pub(crate) fn fws(mut input: &[u8]) -> Option<ParsedItem<'_, ()>> {
+@@ -23,14 +25,23 @@ pub(crate) fn fws(mut input: &[u8]) -> 
Option<ParsedItem<'_, ()>> {
+ /// Consume the `cfws` rule.
+ // The full rule is equivalent to any combination of `fws` and `comment` so 
long as it is not empty.
+ pub(crate) fn cfws(input: &[u8]) -> Option<ParsedItem<'_, ()>> {
+-    one_or_more(|input| fws(input).or_else(|| comment(input)))(input)
++    one_or_more(|input| fws(input).or_else(|| comment(input, 1)))(input)
+ }
+ 
+ /// Consume the `comment` rule.
+-fn comment(mut input: &[u8]) -> Option<ParsedItem<'_, ()>> {
++fn comment(mut input: &[u8], depth: u8) -> Option<ParsedItem<'_, ()>> {
++    // Avoid stack exhaustion DoS by limiting recursion depth. This will 
cause highly-nested
++    // comments to fail parsing, but comments *at all* are incredibly rare in 
practice.
++    //
++    // The error from this will not be descriptive, but the rarity and 
near-certain maliciousness of
++    // such inputs makes this an acceptable trade-off.
++    if depth == DEPTH_LIMIT {
++        return None;
++    }
++
+     input = ascii_char::<b'('>(input)?.into_inner();
+     input = zero_or_more(fws)(input).into_inner();
+-    while let Some(rest) = ccontent(input) {
++    while let Some(rest) = ccontent(input, depth + 1) {
+         input = rest.into_inner();
+         input = zero_or_more(fws)(input).into_inner();
+     }
+@@ -40,10 +51,10 @@ fn comment(mut input: &[u8]) -> Option<ParsedItem<'_, ()>> 
{
+ }
+ 
+ /// Consume the `ccontent` rule.
+-fn ccontent(input: &[u8]) -> Option<ParsedItem<'_, ()>> {
++fn ccontent(input: &[u8], depth: u8) -> Option<ParsedItem<'_, ()>> {
+     ctext(input)
+         .or_else(|| quoted_pair(input))
+-        .or_else(|| comment(input))
++        .or_else(|| comment(input, depth))
+ }
+ 
+ /// Consume the `ctext` rule.
diff -Nru rust-time-0.3.37/debian/patches/series 
rust-time-0.3.37/debian/patches/series
--- rust-time-0.3.37/debian/patches/series      2024-12-28 14:35:06.000000000 
+0100
+++ rust-time-0.3.37/debian/patches/series      2026-02-24 16:24:47.000000000 
+0100
@@ -1,2 +1,3 @@
 disable-tests-benches.patch
 fix-tests-parsing-feature-only.patch
+CVE-2026-25727.patch

--- End Message ---
--- Begin Message ---
Version: 13.6

This update was released as part of 13.6.

--- End Message ---

Reply via email to