Version in base suite: 0.3.37-1 Base version: rust-time_0.3.37-1 Target version: rust-time_0.3.37-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/rust-time/rust-time_0.3.37-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/rust-time/rust-time_0.3.37-1+deb13u1.dsc changelog | 6 ++++ patches/CVE-2026-25727.patch | 58 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 65 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpt8b70php/rust-time_0.3.37-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpt8b70php/rust-time_0.3.37-1+deb13u1.dsc: no acceptable signature found
diff -Nru rust-time-0.3.37/debian/changelog rust-time-0.3.37/debian/changelog
--- rust-time-0.3.37/debian/changelog 2024-12-28 13:35:06.000000000 +0000
+++ rust-time-0.3.37/debian/changelog 2026-02-24 16:00:26.000000000 +0000
@@ -1,3 +1,9 @@
+rust-time (0.3.37-1+deb13u1) trixie; urgency=medium
+
+ * Backport upstream fix for CVE-2026-25727 (Closes: #1128404)
+
+ -- Bastian Germann Tue, 24 Feb 2026 17:00:26 +0100
+
 rust-time (0.3.37-1) unstable; urgency=medium
 * Team upload.
diff -Nru rust-time-0.3.37/debian/patches/CVE-2026-25727.patch rust-time-0.3.37/debian/patches/CVE-2026-25727.patch
--- rust-time-0.3.37/debian/patches/CVE-2026-25727.patch 1970-01-01 00:00:00.000000000 +0000
+++ rust-time-0.3.37/debian/patches/CVE-2026-25727.patch 2026-02-24 16:00:26.000000000 +0000
@@ -0,0 +1,58 @@
+Origin: backport, 1c63dc7985b8fa26bd8c689423cc56b7a03841ee
+From: Jacob Pratt
+Date: Thu, 5 Feb 2026 00:36:13 -0500
+Subject: Avoid denial of service when parsing Rfc2822
+
+Backport: Remove the #[inline] from the newer version
+---
+--- a/src/parsing/combinator/rfc/rfc2822.rs
++++ b/src/parsing/combinator/rfc/rfc2822.rs
+@@ -6,6 +6,8 @@ use crate::parsing::combinator::rfc::rfc2234::wsp;
+ use crate::parsing::combinator::{ascii_char, one_or_more, zero_or_more};
+ use crate::parsing::ParsedItem;
+
++const DEPTH_LIMIT: u8 = 32;
++
+ /// Consume the `fws` rule.
+ // The full rule is equivalent to /\r\n[ \t]+|[ \t]+(?:\r\n[ \t]+)*/
+ pub(crate) fn fws(mut input: &[u8]) -> Option> {
+@@ -23,14 +25,23 @@ pub(crate) fn fws(mut input: &[u8]) -> Option> {
+ /// Consume the `cfws` rule.
+ // The full rule is equivalent to any combination of `fws` and `comment` so long as it is not empty.
+ pub(crate) fn cfws(input: &[u8]) -> Option> {
+- one_or_more(|input| fws(input).or_else(|| comment(input)))(input)
++ one_or_more(|input| fws(input).or_else(|| comment(input, 1)))(input)
+ }
+
+ /// Consume the `comment` rule.
+-fn comment(mut input: &[u8]) -> Option> {
++fn comment(mut input: &[u8], depth: u8) -> Option> {
++ // Avoid stack exhaustion DoS by limiting recursion depth. This will cause highly-nested
++ // comments to fail parsing, but comments *at all* are incredibly rare in practice.
++ //
++ // The error from this will not be descriptive, but the rarity and near-certain maliciousness of
++ // such inputs makes this an acceptable trade-off.
++ if depth == DEPTH_LIMIT {
++ return None;
++ }
++
+ input = ascii_char::(input)?.into_inner();
+ input = zero_or_more(fws)(input).into_inner();
+- while let Some(rest) = ccontent(input) {
++ while let Some(rest) = ccontent(input, depth + 1) {
+ input = rest.into_inner();
+ input = zero_or_more(fws)(input).into_inner();
+ }
+@@ -40,10 +51,10 @@ fn comment(mut input: &[u8]) -> Option> {
+ }
+
+ /// Consume the `ccontent` rule.
+-fn ccontent(input: &[u8]) -> Option> {
++fn ccontent(input: &[u8], depth: u8) -> Option> {
+ ctext(input)
+ .or_else(|| quoted_pair(input))
+- .or_else(|| comment(input))
++ .or_else(|| comment(input, depth))
+ }
+
+ /// Consume the `ctext` rule.
diff -Nru rust-time-0.3.37/debian/patches/series rust-time-0.3.37/debian/patches/series
--- rust-time-0.3.37/debian/patches/series 2024-12-28 13:35:06.000000000 +0000
+++ rust-time-0.3.37/debian/patches/series 2026-02-24 16:00:26.000000000 +0000
@@ -1,2 +1,3 @@
 disable-tests-benches.patch
 fix-tests-parsing-feature-only.patch
+CVE-2026-25727.patch
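Review bot: `const DEPTH_LIMIT: u8 = 32;` in the embedded patch's first hunk is added without a doc comment saying what it bounds, so a reader of rfc2822.rs has to find the `comment` body to learn it is the cap on `comment`-inside-`comment` nesting; suggest `/// Maximum nesting depth of the `comment` rule; deeper input fails to parse (CVE-2026-25727).`. The guard `if depth == DEPTH_LIMIT` in `comment` is correct only because every path increments by exactly one (`cfws` starts at 1, `comment` passes `depth + 1` to `ccontent`, `ccontent` passes it through unchanged); `if depth >= DEPTH_LIMIT` keeps the bound even if a future caller enters at a larger depth, at no cost. The backport carries no regression test for a deeply nested comment input; given disable-tests-benches.patch in the series this is presumably deliberate, but it means the bound is only exercised by inspection. The body of `comment` is split across the embedded patch's two hunks, with its closing brace in the second.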