[Pkg-rust-maintainers] Bug#1128925: trixie-pu: package rust-time/0.3.37-1+deb13u1
Bastian Germann
bage at debian.org
Tue Feb 24 16:07:24 GMT 2026
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: rust-time at packages.debian.org
Control: affects -1 + src:rust-time
User: release.debian.org at packages.debian.org
Usertags: pu
[ Reason ]
CVE-2026-25727 (stack exhaustion)
[ Impact ]
Vulnerable to denial of service.
[ Tests ]
I have only compiled the package with the upstream patch backport.
[ Risks ]
The code change is trivial. Only an `#[inline]` annotation had to be
dropped to backport the patch.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The upstream patch limits the parser's recursion depth, bounding the number of stack frames used.
[ Other info ]
Team upload.
diff -Nru rust-time-0.3.37/debian/changelog rust-time-0.3.37/debian/changelog
--- rust-time-0.3.37/debian/changelog 2024-12-28 14:35:06.000000000 +0100
+++ rust-time-0.3.37/debian/changelog 2026-02-24 16:41:27.000000000 +0100
@@ -1,3 +1,9 @@
+rust-time (0.3.37-1+deb13u1) trixie; urgency=medium
+
+ * Backport upstream fix for CVE-2026-25727 (Closes: #1128404)
+
+ -- Bastian Germann <bage at debian.org> Tue, 24 Feb 2026 17:00:26 +0100
+
rust-time (0.3.37-1) unstable; urgency=medium
* Team upload.
diff -Nru rust-time-0.3.37/debian/patches/CVE-2026-25727.patch rust-time-0.3.37/debian/patches/CVE-2026-25727.patch
--- rust-time-0.3.37/debian/patches/CVE-2026-25727.patch 1970-01-01 01:00:00.000000000 +0100
+++ rust-time-0.3.37/debian/patches/CVE-2026-25727.patch 2026-02-24 16:35:11.000000000 +0100
@@ -0,0 +1,58 @@
+Origin: backport, 1c63dc7985b8fa26bd8c689423cc56b7a03841ee
+From: Jacob Pratt <jacob at jhpratt.dev>
+Date: Thu, 5 Feb 2026 00:36:13 -0500
+Subject: Avoid denial of service when parsing Rfc2822
+
+Backport: Remove the #[inline] from the newer version
+---
+--- a/src/parsing/combinator/rfc/rfc2822.rs
++++ b/src/parsing/combinator/rfc/rfc2822.rs
+@@ -6,6 +6,8 @@ use crate::parsing::combinator::rfc::rfc2234::wsp;
+ use crate::parsing::combinator::{ascii_char, one_or_more, zero_or_more};
+ use crate::parsing::ParsedItem;
+
++const DEPTH_LIMIT: u8 = 32;
++
+ /// Consume the `fws` rule.
+ // The full rule is equivalent to /\r\n[ \t]+|[ \t]+(?:\r\n[ \t]+)*/
+ pub(crate) fn fws(mut input: &[u8]) -> Option<ParsedItem<'_, ()>> {
+@@ -23,14 +25,23 @@ pub(crate) fn fws(mut input: &[u8]) -> Option<ParsedItem<'_, ()>> {
+ /// Consume the `cfws` rule.
+ // The full rule is equivalent to any combination of `fws` and `comment` so long as it is not empty.
+ pub(crate) fn cfws(input: &[u8]) -> Option<ParsedItem<'_, ()>> {
+- one_or_more(|input| fws(input).or_else(|| comment(input)))(input)
++ one_or_more(|input| fws(input).or_else(|| comment(input, 1)))(input)
+ }
+
+ /// Consume the `comment` rule.
+-fn comment(mut input: &[u8]) -> Option<ParsedItem<'_, ()>> {
++fn comment(mut input: &[u8], depth: u8) -> Option<ParsedItem<'_, ()>> {
++ // Avoid stack exhaustion DoS by limiting recursion depth. This will cause highly-nested
++ // comments to fail parsing, but comments *at all* are incredibly rare in practice.
++ //
++ // The error from this will not be descriptive, but the rarity and near-certain maliciousness of
++ // such inputs makes this an acceptable trade-off.
++ if depth == DEPTH_LIMIT {
++ return None;
++ }
++
+ input = ascii_char::<b'('>(input)?.into_inner();
+ input = zero_or_more(fws)(input).into_inner();
+- while let Some(rest) = ccontent(input) {
++ while let Some(rest) = ccontent(input, depth + 1) {
+ input = rest.into_inner();
+ input = zero_or_more(fws)(input).into_inner();
+ }
+@@ -40,10 +51,10 @@ fn comment(mut input: &[u8]) -> Option<ParsedItem<'_, ()>> {
+ }
+
+ /// Consume the `ccontent` rule.
+-fn ccontent(input: &[u8]) -> Option<ParsedItem<'_, ()>> {
++fn ccontent(input: &[u8], depth: u8) -> Option<ParsedItem<'_, ()>> {
+ ctext(input)
+ .or_else(|| quoted_pair(input))
+- .or_else(|| comment(input))
++ .or_else(|| comment(input, depth))
+ }
+
+ /// Consume the `ctext` rule.
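Review bot: The guard `if depth == DEPTH_LIMIT` in `comment` only fires because every entry path starts below the limit and increments by exactly one: `cfws` passes `1` and `comment` passes `depth + 1` through `ccontent`, so the invariant holds today, but any future caller starting at a higher depth would skip the check entirely and `depth + 1` would eventually overflow the `u8` (a panic in debug builds, wraparound in release). Writing it as `if depth >= DEPTH_LIMIT { return None; }` costs nothing and makes the bound hold regardless of entry point. The debdiff also carries no regression test for the new limit; a unit test parsing a comment nested deeper than `DEPTH_LIMIT` and asserting the parser returns `None` would pin the fix in place, since the [Tests] section states the package was only compiled. `comment`'s body continues outside this hunk, between the two `@@` headers.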
diff -Nru rust-time-0.3.37/debian/patches/series rust-time-0.3.37/debian/patches/series
--- rust-time-0.3.37/debian/patches/series 2024-12-28 14:35:06.000000000 +0100
+++ rust-time-0.3.37/debian/patches/series 2026-02-24 16:24:47.000000000 +0100
@@ -1,2 +1,3 @@
disable-tests-benches.patch
fix-tests-parsing-feature-only.patch
+CVE-2026-25727.patch