[Pkg-rust-maintainers] Bug#1128060: trixie-pu: package rust-ntp-proto/1.4.0-4+deb13u1
Fabian Grünbichler
debian at fabian.gruenbichler.email
Sun Feb 15 13:43:30 GMT 2026
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: rust-ntp-proto at packages.debian.org, debian at fabian.gruenbichler.email
Control: affects -1 + src:rust-ntp-proto
User: release.debian.org at packages.debian.org
Usertags: pu

[ Reason ]
Fix CVE-2026-26076 - increased load while processing malformed NTS packets
See #1127929 for details and input by the security team.

[ Impact ]
ntpd-rs (the NTP client/daemon using the ntp-proto crate) would still be
affected by the CVE.

[ Tests ]
The fix is cherry-picked from upstream, the autopkgtest suite passes as much as
it did before.

[ Risks ]
The change is fairly trivial.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
A single cherry-picked patch with a minor modification for different import
context, introducing an upper bound for the amount of NTS packets processed for
a given request.

[ Other info ]
Since rust-ntp-proto just builds librust-ntp-proto-dev which just contains Rust
source code, the actual fix will only materialize via a binNMU of rust-ntpd to
pick up the change.

Thanks for your consideration,
Fabian
-------------- next part --------------
diff -Nru rust-ntp-proto-1.4.0/debian/changelog rust-ntp-proto-1.4.0/debian/changelog
--- rust-ntp-proto-1.4.0/debian/changelog 2025-03-08 16:38:51.000000000 +0100
+++ rust-ntp-proto-1.4.0/debian/changelog 2026-02-14 19:39:13.000000000 +0100
@@ -1,3 +1,10 @@
+rust-ntp-proto (1.4.0-4+deb13u1) trixie; urgency=high
+
+ * Fix CVE-2026-26076 - increased load while processing malformed NTS packets
+ (Closes: #1127929)
+
+ -- Fabian Gr?nbichler <debian at fabian.gruenbichler.email> Sat, 14 Feb 2026 19:39:13 +0100
+
rust-ntp-proto (1.4.0-4) unstable; urgency=medium
* Team upload.
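Review bot: the new 1.4.0-4+deb13u1 entry does not record that the cherry-picked patch was modified, although the request describes "a minor modification for different import context" and the checklist states that all changes are documented in d/changelog. Suggest extending the entry to name debian/patches/CVE-2026-26076.patch, the upstream commit it was taken from, and the import adjustment.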
diff -Nru rust-ntp-proto-1.4.0/debian/patches/CVE-2026-26076.patch rust-ntp-proto-1.4.0/debian/patches/CVE-2026-26076.patch
--- rust-ntp-proto-1.4.0/debian/patches/CVE-2026-26076.patch 1970-01-01 01:00:00.000000000 +0100
+++ rust-ntp-proto-1.4.0/debian/patches/CVE-2026-26076.patch 2026-02-14 19:39:13.000000000 +0100
@@ -0,0 +1,43 @@
+From fa73af14d17b666b1142b9fee3ba22c18a841d24 Mon Sep 17 00:00:00 2001
+From: David Venhoek <david at tweedegolf.com>
+Date: Thu, 12 Feb 2026 09:40:04 +0100
+Subject: [PATCH] Fix excessive generation of cookies.
+
+---
+ ntp-proto/src/packet/mod.rs | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/src/packet/mod.rs
++++ b/src/packet/mod.rs
+@@ -4,6 +4,7 @@
+ use serde::{Deserialize, Serialize};
+
+ use crate::{
++ MAX_COOKIES,
+ clock::NtpClock,
+ identifiers::ReferenceId,
+ io::NonBlockingWrite,
+@@ -718,6 +719,7 @@
+ })
+ }
+
++ #[allow(clippy::too_many_lines)]
+ pub fn nts_timestamp_response<C: NtpClock>(
+ system: &SystemSnapshot,
+ input: Self,
+@@ -741,6 +743,7 @@
+ .authenticated
+ .iter()
+ .chain(input.efdata.encrypted.iter())
++ .take(MAX_COOKIES)
+ .filter_map(|f| match f {
+ ExtensionField::NtsCookiePlaceholder { cookie_length } => {
+ let new_cookie = keyset.encode_cookie(cookie);
+@@ -786,6 +789,7 @@
+ .authenticated
+ .iter()
+ .chain(input.efdata.encrypted.iter())
++ .take(MAX_COOKIES)
+ .filter_map(|f| match f {
+ ExtensionField::NtsCookiePlaceholder { cookie_length } => {
+ let new_cookie = keyset.encode_cookie(cookie);
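Review bot: in both iterator chains, `.take(MAX_COOKIES)` sits before the `.filter_map` that matches `ExtensionField::NtsCookiePlaceholder`, so the limit counts every extension field in the authenticated and encrypted lists, not only cookie placeholders, and any placeholder that comes after the first MAX_COOKIES fields is silently skipped. That does bound the work per request, but a one-line comment at each `.take` stating that the cap is on fields inspected would make the intent explicit for later refactoring. Separately, the embedded diffstat still reads "4 insertions(+), 1 deletion(-)" against `ntp-proto/src/packet/mod.rs`, while the hunks as shipped add four lines, remove none, and target `src/packet/mod.rs`; a short patch header (for example DEP-3 Origin and Bug-Debian fields) noting the import change relative to upstream would explain the difference.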
diff -Nru rust-ntp-proto-1.4.0/debian/patches/series rust-ntp-proto-1.4.0/debian/patches/series
--- rust-ntp-proto-1.4.0/debian/patches/series 2025-03-08 16:38:51.000000000 +0100
+++ rust-ntp-proto-1.4.0/debian/patches/series 2026-02-14 19:38:22.000000000 +0100
@@ -2,3 +2,4 @@
relax-serde-test.diff
rustls-native-certs-0.6.diff
disable-other-rustls.diff
+CVE-2026-26076.patch
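Review bot: the new series entry uses a `.patch` suffix while the three existing entries visible in this hunk use `.diff`; naming it CVE-2026-26076.diff would keep debian/patches consistent, with no functional effect either way.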