time Stack Exhaustion Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the time library for Rust, affecting versions from 0.3.6 up to but not including 0.3.47. The issue arises when user-controlled input is parsed using the RFC 2822 format: deprecated features of RFC 2822 can be abused to drive the parser into unbounded recursion, which exhausts the stack. Typical, non-malicious input does not trigger the problem; it requires carefully crafted input that uses these deprecated RFC 2822 features to make the parser recurse until the stack is exhausted.

Impact

Exploitation of this vulnerability leads to stack exhaustion, causing a denial-of-service condition where the application runs out of stack space and can no longer function properly.

Reproduction

To reproduce this vulnerability, the input must use deprecated features of the RFC 2822 format in a way that causes unbounded recursion. Nesting comments within the input achieves this: the parser processes each nested comment recursively with no depth limit, so sufficiently deep nesting exhausts the stack.

Remediation

The vulnerability has been patched in version 0.3.47 of the time library, which adds a limit on the recursion depth when parsing RFC 2822 comments. Users should update to this version to address the vulnerability.
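As an added illustration, and not code from the time crate itself, the Rust snippet below shows the shape of the fix described above: a recursive-descent parser for nested RFC 2822 comments that carries an explicit depth counter and returns an error once nesting exceeds a limit, so deeply nested input produces a parse error instead of a stack overflow. MAX_DEPTH, CommentError, comment_len and nested are names and values assumed by this example, not identifiers from the time library.

```rust
// Added example: a depth-limited recursive parser for RFC 2822 comments
// (the parenthesised, nestable elements of CFWS). Illustrative code only,
// not the time crate's parser; MAX_DEPTH is a constructed value.

const MAX_DEPTH: usize = 16;

#[derive(Debug, PartialEq)]
pub enum CommentError {
    /// Nesting went deeper than MAX_DEPTH; refuse instead of recursing further.
    TooDeep,
    /// Input ended before the matching ')' was seen.
    Unterminated,
    /// Input does not start with '('.
    NotAComment,
}

/// Parse one comment whose first byte is '(' and return the number of bytes
/// consumed, including both parentheses. Nested comments are handled by
/// recursion, so `depth` bounds the stack usage directly.
fn parse_comment(input: &[u8], depth: usize) -> Result<usize, CommentError> {
    if input.first() != Some(&b'(') {
        return Err(CommentError::NotAComment);
    }
    if depth >= MAX_DEPTH {
        return Err(CommentError::TooDeep);
    }
    let mut i = 1;
    while i < input.len() {
        match input[i] {
            // quoted-pair: the escaped byte is literal, skip it
            b'\\' => i += 2,
            // nested comment: recurse with the depth counter incremented
            b'(' => i += parse_comment(&input[i..], depth + 1)?,
            b')' => return Ok(i + 1),
            _ => i += 1,
        }
    }
    Err(CommentError::Unterminated)
}

/// Public entry point: parse a comment at the start of `input`.
pub fn comment_len(input: &str) -> Result<usize, CommentError> {
    parse_comment(input.as_bytes(), 0)
}

/// Constructed test input: a comment nested `n` levels deep, e.g. n=2 -> "(())".
/// Used to check that the limit turns excessive nesting into an error.
pub fn nested(n: usize) -> String {
    format!("{}{}", "(".repeat(n), ")".repeat(n))
}

fn main() {
    println!("{:?}", comment_len("(a (b) c)"));            // Ok(9)
    println!("{:?}", comment_len(&nested(MAX_DEPTH)));     // Ok(32)
    println!("{:?}", comment_len(&nested(MAX_DEPTH + 1))); // Err(TooDeep)
    println!("{:?}", comment_len(&nested(100_000)));       // Err(TooDeep), no overflow
}
```

The important property is that the depth check happens before the recursive call, so the parser never descends more than MAX_DEPTH frames regardless of how long the input is; the 100,000-level input above is rejected after sixteen frames.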

Added: Feb 6, 2026, 8:18 PM
Updated: Feb 6, 2026, 10:18 PM

Vulnerability Rating

Custom Algorithm
spread          1.2
impact          2.5
exploitability  4.3
remediation     7.9
relevance       2.7
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.