#1128927 bookworm-pu: package rust-time/0.3.9-1+deb12u1

#1128927#5
Date:
2026-02-24 16:10:51 UTC
From:
To:
[ Reason ]
CVE-2026-25727 (stack exhaustion)

[ Impact ]
Vulnerable to denial of service.

[ Tests ]
I have only compiled the package with an upstream patch backport.

[ Risks ]
Code change is trivial. There is only an inline annotation that had to
be dropped to backport the patch.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The upstream patch limits the stack frames.

[ Other info ]
Team upload.

#1128927#12
Date:
2026-02-24 16:20:11 UTC
From:
To:
CC-ing the p-u bug for Bookworm as well, since this applies
equally to both.

Thanks for preparing this!

After this has been accepted and built, all binary packages statically
linking the affected code need to be bin-NMUed (or get no-change source
uploads).

If desired, I can prepare a list of packages for Trixie and Bookworm.

Fabian

#1128927#17
Date:
2026-02-28 11:43:51 UTC
From:
To:
Control: tags -1 + moreinfo
[..]

I'd appreciate knowing what that list looks like before we consider
accepting these updates.

Point releases aren't really designed to handle mini transitions.

Regards,

Adam

#1128927#24
Date:
2026-03-26 16:34:42 UTC
From:
To:
Control: tags -1 - moreinfo

for Trixie, the list would include at least the following (based on
Static-Built-Using, which might be incomplete!):

bat (0.25.0-2+b2) -> rust-time (= 0.3.37-1)
broot (1.46.3-2) -> rust-time (= 0.3.37-1)
cargo-c (0.10.11-1+b2) -> rust-time (= 0.3.37-1)
cargo-mutants (25.0.0-1+b1) -> rust-time (= 0.3.37-1)
cargo-outdated (0.17.0-1+b1) -> rust-time (= 0.3.37-1)
cddl (0.9.5-1) -> rust-time (= 0.3.37-1)
condure (1.10.0-8+b1) -> rust-time (= 0.3.37-1)
cotp (1.9.2-1+b3) -> rust-time (= 0.3.37-1)
cyme (2.2.0+dfsg-2) -> rust-time (= 0.3.37-1)
czkawka-cli (8.0.0-2) -> rust-time (= 0.3.37-1)
czkawka-gui (8.0.0-2) -> rust-time (= 0.3.37-1)
debcargo (2.7.8-4) -> rust-time (= 0.3.37-1)
edu-sync (0.3.0-1+b1) -> rust-time (= 0.3.37-1)
eza (0.21.0-1+b1) -> rust-time (= 0.3.37-1)
git-absorb (0.6.17-2+b2) -> rust-time (= 0.3.37-1)
git-delta (0.18.2-4+b1) -> rust-time (= 0.3.37-1)
gping (1.19.0-3+b1) -> rust-time (= 0.3.37-1)
grcov (0.8.22-1+b1) -> rust-time (= 0.3.37-1)
hickory-dns (0.24.4-1+b2) -> rust-time (= 0.3.37-1)
laurel (0.7.1-1+b2) -> rust-time (= 0.3.37-1)
parsec-tool (0.7.0-7+b1) -> rust-time (= 0.3.37-1)
procs (0.14.10-2) -> rust-time (= 0.3.37-1)
prr (0.20.0-1+b3) -> rust-time (= 0.3.37-1)
rebuilderd (0.24.0-1) -> rust-time (= 0.3.37-1)
repro-env (0.4.3-2+b2) -> rust-time (= 0.3.37-1)
ripasso-cursive (0.8.0-1+b2) -> rust-time (= 0.3.37-1)
safe-vdash (0.19.3-2+b1) -> rust-time (= 0.3.37-1)
scaphandre (1.0.2-4+b1) -> rust-time (= 0.3.37-1)
speakersafetyd (1.1.2-4) -> rust-time (= 0.3.37-1)
virtiofsd (1.13.2-1+deb13u1) -> rust-time (= 0.3.37-1)
wormhole-rs (0.7.6-1) -> rust-time (= 0.3.37-1)
xh (0.24.0-1+b1) -> rust-time (= 0.3.37-1)

for Bookworm, we do not have Static-Built-Using yet, and its predecessor is
likely to be more incomplete..

thanks,
Fabian
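
An added example, not part of the original thread or of any Debian tooling: one way to derive a list like the one above from an APT Packages index by matching the Static-Built-Using field against an exact source name. The sample stanzas are constructed (only the bat and virtiofsd package versions and the rust-time version come from the list above), and the function names are hypothetical.

```python
import re

# Constructed sample in the deb822 layout of an APT Packages index.
# rust-syntect, rust-time-macros and example-tool entries are made up.
SAMPLE_PACKAGES = """\
Package: bat
Version: 0.25.0-2+b2
Static-Built-Using: rust-syntect (= 5.2.0-3), rust-time (= 0.3.37-1),
 rust-time-macros (= 0.2.19-1)

Package: example-tool
Version: 1.0-1
Static-Built-Using: rust-time-macros (= 0.2.19-1)

Package: plain-c-tool
Version: 2.1-3
Depends: libc6

Package: virtiofsd
Version: 1.13.2-1+deb13u1
Static-Built-Using: rust-time (= 0.3.37-1)
"""

def parse_stanzas(text):
    """Yield one dict per deb822 stanza, joining folded continuation lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()   # folded field value
            elif ":" in line:
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        yield fields

def rebuild_candidates(text, source):
    """List binaries whose Static-Built-Using names `source` exactly."""
    hits = []
    for st in parse_stanzas(text):
        for entry in st.get("Static-Built-Using", "").split(","):
            m = re.fullmatch(r"\s*(\S+)\s*\(=\s*(\S+)\s*\)\s*", entry)
            # Exact name match, so rust-time-macros does not count as rust-time.
            if m and m.group(1) == source:
                hits.append(f"{st['Package']} ({st['Version']}) -> {source} (= {m.group(2)})")
    return sorted(hits)

if __name__ == "__main__":
    print("\n".join(rebuild_candidates(SAMPLE_PACKAGES, "rust-time")))
```

Binaries built before the field was recorded carry no Static-Built-Using entry, so a result from this kind of scan is a lower bound on what needs rebuilding.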

#1128927#31
Date:
2026-05-22 21:11:13 UTC
From:
To:
Hi,

Please go ahead.

Thanks,

#1128927#38
Date:
2026-05-26 20:06:28 UTC
From:
To:
package release.debian.org
tags 1128927 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: rust-time
Version: 0.3.9-1+deb12u1

Explanation: fix denial of service [CVE-2026-25727]
