XPost: linux.debian.devel.release   
   From: bage@debian.org   
      
   This is a multi-part MIME message sent by reportbug.   
      
      
   Package: release.debian.org   
   Severity: normal   
   Tags: trixie   
   X-Debbugs-Cc: rust-time@packages.debian.org   
   Control: affects -1 + src:rust-time   
   User: release.debian.org@packages.debian.org   
   Usertags: pu   
      
   [ Reason ]   
   CVE-2026-25727 (stack exhaustion)   
      
   [ Impact ]   
   Vulnerable to denial of service.   
      
   [ Tests ]   
I have only compiled the package with an upstream patch backport.
      
   [ Risks ]   
   Code change is trivial. There is only an inline annotation that had to   
   be dropped to backport the patch.   
      
   [ Checklist ]   
    [x] *all* changes are documented in the d/changelog   
    [x] I reviewed all changes and I approve them   
    [x] attach debdiff against the package in stable   
    [x] the issue is verified as fixed in unstable   
      
   [ Changes ]   
   The upstream patch limits the stack frames.   
      
   [ Other info ]   
   Team upload.   
      
   diff -Nru rust-time-0.3.37/debian/changelog rust-time-0.3.37/debian/changelog   
   --- rust-time-0.3.37/debian/changelog 2024-12-28 14:35:06.000000000 +0100   
   +++ rust-time-0.3.37/debian/changelog 2026-02-24 16:41:27.000000000 +0100   
   @@ -1,3 +1,9 @@   
   +rust-time (0.3.37-1+deb13u1) trixie; urgency=medium   
   +   
   + * Backport upstream fix for CVE-2026-25727 (Closes: #1128404)   
   +   
   + -- Bastian Germann Tue, 24 Feb 2026 17:00:26 +0100   
   +   
    rust-time (0.3.37-1) unstable; urgency=medium   
      
    * Team upload.   
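Review bot: the new 0.3.37-1+deb13u1 stanza omits the "Team upload." line that [Other info] declares and that the previous 0.3.37-1 stanza carries as its first item; add it so the archive record matches what the upload says it is. The trailer line also shows only the name and date with no e-mail address between them; if that is not just the mail gateway stripping angle brackets, the trailer will not parse as a valid changelog entry and needs the address restored.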
   diff -Nru rust-time-0.3.37/debian/patches/CVE-2026-25727.patch r   
   st-time-0.3.37/debian/patches/CVE-2026-25727.patch   
   --- rust-time-0.3.37/debian/patches/CVE-2026-25727.patch 1970-01-01   
   01:00:00.000000000 +0100   
   +++ rust-time-0.3.37/debian/patches/CVE-2026-25727.patch 2026-02-24   
   16:35:11.000000000 +0100   
   @@ -0,0 +1,58 @@   
   +Origin: backport, 1c63dc7985b8fa26bd8c689423cc56b7a03841ee   
   +From: Jacob Pratt    
   +Date: Thu, 5 Feb 2026 00:36:13 -0500   
   +Subject: Avoid denial of service when parsing Rfc2822   
   +   
   +Backport: Remove the #[inline] from the newer version   
   +---   
   +--- a/src/parsing/combinator/rfc/rfc2822.rs   
   ++++ b/src/parsing/combinator/rfc/rfc2822.rs   
   +@@ -6,6 +6,8 @@ use crate::parsing::combinator::rfc::rfc2234::wsp;   
   + use crate::parsing::combinator::{ascii_char, one_or_more, zero_or_more};   
   + use crate::parsing::ParsedItem;   
   +   
   ++const DEPTH_LIMIT: u8 = 32;   
   ++   
   + /// Consume the `fws` rule.   
   + // The full rule is equivalent to /\r\n[ \t]+|[ \t]+(?:\r\n[ \t]+)*/   
   + pub(crate) fn fws(mut input: &[u8]) -> Option> {   
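Review bot: DEPTH_LIMIT is introduced without any comment, while the reasoning for bounding the depth and why 32 is acceptable only appears inside comment() further down; a one-line comment at the definition (e.g. `// Maximum nesting of RFC 2822 comments; bounds the comment()/ccontent() recursion`) keeps the constant and its justification from drifting apart. Separately, the DEP-3 header above gives `Origin: backport, 1c63dc79...` as a bare commit hash rather than a URL and carries no `Bug-Debian: https://bugs.debian.org/1128404` line for the bug the changelog closes; adding both makes the patch traceable on its own.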
   +@@ -23,14 +25,23 @@ pub(crate) fn fws(mut input: &[u8]) -> Opti   
   n> {   
   + /// Consume the `cfws` rule.   
   + // The full rule is equivalent to any combination of `fws` and `comment` so   
   long as it is not empty.   
   + pub(crate) fn cfws(input: &[u8]) -> Option> {   
   +- one_or_more(|input| fws(input).or_else(|| comment(input)))(input)   
   ++ one_or_more(|input| fws(input).or_else(|| comment(input, 1)))(input)   
   + }   
   +   
   + /// Consume the `comment` rule.   
   +-fn comment(mut input: &[u8]) -> Option> {   
   ++fn comment(mut input: &[u8], depth: u8) -> Option> {   
   ++ // Avoid stack exhaustion DoS by limiting recursion depth. This will   
   cause highly-nested   
   ++ // comments to fail parsing, but comments *at all* are incredibly rare   
   in practice.   
   ++ //   
   ++ // The error from this will not be descriptive, but the rarity and   
   near-certain maliciousness of   
   ++ // such inputs makes this an acceptable trade-off.   
   ++ if depth == DEPTH_LIMIT {   
   ++ return None;   
   ++ }   
   ++   
   + input = ascii_char::(input)?.into_inner();   
   + input = zero_or_more(fws)(input).into_inner();   
   +- while let Some(rest) = ccontent(input) {   
   ++ while let Some(rest) = ccontent(input, depth + 1) {   
   + input = rest.into_inner();   
   + input = zero_or_more(fws)(input).into_inner();   
   + }   
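Review bot: the guard `if depth == DEPTH_LIMIT` is only correct because every path into comment() goes through ccontent(input, depth + 1) in steps of exactly one, starting from the literal 1 in cfws; a `>=` comparison costs nothing and keeps the bound even if a later caller starts at a different depth or skips a level. It is also worth saying in the comment what happens at the limit: the innermost comment returns None, the enclosing `while let Some(rest) = ccontent(input, depth + 1)` loop stops, and the outer comment then fails on its closing paren, so the whole cfws fails rather than just the over-nested part. That is the right outcome for a DoS guard and matches the "fail parsing" wording, but the failure propagation is not obvious from the code alone.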
   +@@ -40,10 +51,10 @@ fn comment(mut input: &[u8]) -> Option> {   
   + }   
   +   
   + /// Consume the `ccontent` rule.   
   +-fn ccontent(input: &[u8]) -> Option> {   
   ++fn ccontent(input: &[u8], depth: u8) -> Option> {   
   + ctext(input)   
   + .or_else(|| quoted_pair(input))   
   +- .or_else(|| comment(input))   
   ++ .or_else(|| comment(input, depth))   
   + }   
   +   
   + /// Consume the `ctext` rule.   
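Review bot: the doc comments on `comment` and `ccontent` still read just "Consume the ... rule" and say nothing about the new `depth` argument or that the function returns None once DEPTH_LIMIT is reached. Both are private (`fn`, not `pub(crate)`), so there is no API impact, but the signatures now carry a contract (callers must pass depth + 1 when recursing) that deserves a line in each doc comment. Trying `ctext` and `quoted_pair` before `comment` means the depth only affects the recursive branch, which is correct and keeps the common case unchanged.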
   diff -Nru rust-time-0.3.37/debian/patches/series rust-time-0.3.3   
   /debian/patches/series   
   --- rust-time-0.3.37/debian/patches/series 2024-12-28 14:35:06.000000000 +0100   
   +++ rust-time-0.3.37/debian/patches/series 2026-02-24 16:24:47.000000000 +0100   
   @@ -1,2 +1,3 @@   
    disable-tests-benches.patch   
    fix-tests-parsing-feature-only.patch   
   +CVE-2026-25727.patch   
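As an added illustration of the technique the patch applies (this is not the `time` crate's code and is not part of the bug report above): a minimal recursive-descent parser for the RFC 2822 `comment` rule with the same depth guard, run against a constructed input nested one million levels deep. The `skip_fws`, `nested_comment` and `parses_as_comment` helpers are this example's own, FWS is simplified to spaces and tabs, and `quoted_pair` accepts any byte after the backslash.

```rust
// Added example: depth-bounded recursive descent for the RFC 2822 `comment`
// rule. Helper names and the simplified FWS/quoted-pair rules are this
// example's own assumptions, not the `time` crate's implementation.

const DEPTH_LIMIT: u8 = 32;

/// Parse one `comment` starting at `input[0] == b'('`. Returns the remaining
/// input after the matching `)`, or None on malformed input or when the
/// nesting depth reaches DEPTH_LIMIT.
fn comment(mut input: &[u8], depth: u8) -> Option<&[u8]> {
    // Each nested comment adds one comment() + one ccontent() frame to the
    // stack, so refuse to go deeper before recursing any further.
    if depth == DEPTH_LIMIT {
        return None;
    }
    input = input.strip_prefix(b"(")?;
    input = skip_fws(input);
    while let Some(rest) = ccontent(input, depth + 1) {
        input = skip_fws(rest);
    }
    input.strip_prefix(b")")
}

/// ccontent = ctext / quoted-pair / comment
fn ccontent(input: &[u8], depth: u8) -> Option<&[u8]> {
    ctext(input)
        .or_else(|| quoted_pair(input))
        .or_else(|| comment(input, depth))
}

/// ctext: printable US-ASCII (33..=126) except "(", ")" and "\".
fn ctext(input: &[u8]) -> Option<&[u8]> {
    match input.first() {
        Some(&c) if (33..=126).contains(&c) && !matches!(c, b'(' | b')' | b'\\') => {
            Some(&input[1..])
        }
        _ => None,
    }
}

/// quoted-pair: "\" followed by one byte (simplified from the RFC, which
/// restricts which character may follow the backslash).
fn quoted_pair(input: &[u8]) -> Option<&[u8]> {
    match input {
        [b'\\', _, rest @ ..] => Some(rest),
        _ => None,
    }
}

/// Simplified FWS: skip any run of spaces and tabs (CRLF folding omitted).
fn skip_fws(mut input: &[u8]) -> &[u8] {
    while let Some((c, rest)) = input.split_first() {
        if *c == b' ' || *c == b'\t' {
            input = rest;
        } else {
            break;
        }
    }
    input
}

/// Constructed input: `n` nested parentheses around a single ctext byte,
/// i.e. the shape an attacker would send to exhaust the stack.
fn nested_comment(n: usize) -> Vec<u8> {
    let mut v = Vec::with_capacity(2 * n + 1);
    v.extend(std::iter::repeat(b'(').take(n));
    v.push(b'x');
    v.extend(std::iter::repeat(b')').take(n));
    v
}

/// True if `input` is exactly one well-formed comment within the depth limit.
/// Depth starts at 1, mirroring the `comment(input, 1)` call in cfws.
pub fn parses_as_comment(input: &[u8]) -> bool {
    matches!(comment(input, 1), Some(rest) if rest.is_empty())
}

fn main() {
    // Entering at depth 1 means up to 31 nested levels still parse ...
    assert!(parses_as_comment(&nested_comment(31)));
    // ... and the 32nd level is refused instead of recursing further.
    assert!(!parses_as_comment(&nested_comment(32)));
    // Input that would otherwise need ~2e6 stack frames is rejected quickly.
    assert!(!parses_as_comment(&nested_comment(1_000_000)));
    println!("depth-limited comment parser ok");
}
```

Without the `depth == DEPTH_LIMIT` return, the one-million-deep input in `main` would push a `comment` and a `ccontent` frame per opening parenthesis and abort the process with a stack overflow; with it, parsing fails after 32 levels and the caller simply gets None.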
      