system/musl: [CVE] Patch for CVE-2025-26519HEADcurrent

3 files changed, 83 insertions, 1 deletions

diff --git a/system/musl/0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch b/system/musl/0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch
new file mode 100644
index 000000000..ff92d8ef9
--- /dev/null
+++ b/system/musl/0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch
@@ -0,0 +1,38 @@
+From e5adcd97b5196e29991b524237381a0202a60659 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Sun, 9 Feb 2025 10:07:19 -0500
+Subject: [PATCH] iconv: fix erroneous input validation in EUC-KR decoder
+
+as a result of incorrect bounds checking on the lead byte being
+decoded, certain invalid inputs which should produce an encoding
+error, such as "\xc8\x41", instead produced out-of-bounds loads from
+the ksc table.
+
+in a worst case, the loaded value may not be a valid unicode scalar
+value, in which case, if the output encoding was UTF-8, wctomb would
+return (size_t)-1, causing an overflow in the output pointer and
+remaining buffer size which could clobber memory outside of the output
+buffer.
+
+bug report was submitted in private by Nick Wellnhofer on account of
+potential security implications.
+---
+ src/locale/iconv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 9605c8e9..008c93f0 100644
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -502,7 +502,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ 			if (c >= 93 || d >= 94) {
+ 				c += (0xa1-0x81);
+ 				d += 0xa1;
+-				if (c >= 93 || c>=0xc6-0x81 && d>0x52)
++				if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
+ 					goto ilseq;
+ 				if (d-'A'<26) d = d-'A';
+ 				else if (d-'a'<26) d = d-'a'+26;
+-- 
+2.21.0
+
diff --git a/system/musl/0002-iconv-harden-UTF-8-output-code-path-against-input-de.patch b/system/musl/0002-iconv-harden-UTF-8-output-code-path-against-input-de.patch
new file mode 100644
index 000000000..d66e66e3f
--- /dev/null
+++ b/system/musl/0002-iconv-harden-UTF-8-output-code-path-against-input-de.patch
@@ -0,0 +1,37 @@
+From c47ad25ea3b484e10326f933e927c0bc8cded3da Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Wed, 12 Feb 2025 17:06:30 -0500
+Subject: [PATCH] iconv: harden UTF-8 output code path against input decoder
+ bugs
+
+the UTF-8 output code was written assuming an invariant that iconv's
+decoders only emit valid Unicode Scalar Values which wctomb can encode
+successfully, thereby always returning a value between 1 and 4.
+
+if this invariant is not satisfied, wctomb returns (size_t)-1, and the
+subsequent adjustments to the output buffer pointer and remaining
+output byte count overflow, moving the output position backwards,
+potentially past the beginning of the buffer, without storing any
+bytes.
+---
+ src/locale/iconv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 008c93f0..52178950 100644
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -545,6 +545,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ 				if (*outb < k) goto toobig;
+ 				memcpy(*out, tmp, k);
+ 			} else k = wctomb_utf8(*out, c);
++			/* This failure condition should be unreachable, but
++			 * is included to prevent decoder bugs from translating
++			 * into advancement outside the output buffer range. */
++			if (k>4) goto ilseq;
+ 			*out += k;
+ 			*outb -= k;
+ 			break;
+-- 
+2.21.0
+
diff --git a/system/musl/APKBUILD b/system/musl/APKBUILD
index a8e6c7daa..5951328a1 100644
--- a/system/musl/APKBUILD
+++ b/system/musl/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=musl
 pkgver=1.2.3
-pkgrel=2
+pkgrel=3
 pkgdesc="System library (libc) implementation"
 url="https://www.musl-libc.org/"
 arch="all"
@@ -30,6 +30,9 @@ source="https://musl.libc.org/releases/musl-${pkgver}.tar.gz
 	realpath.patch
 	signed-wchar_t-fixes.patch
 
+	0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch
+	0002-iconv-harden-UTF-8-output-code-path-against-input-de.patch
+
 	ldconfig
 	getent.c
 	iconv.c
@@ -42,6 +45,8 @@ source="https://musl.libc.org/releases/musl-${pkgver}.tar.gz
 #     - CVE-2019-14697
 #   1.2.0-r2:
 #     - CVE-2020-28928
+#   1.2.3-r3:
+#     - CVE-2025-26519
 
 build() {
 	[ "$BOOTSTRAP" = "nocc" ] && return 0
@@ -129,6 +134,8 @@ ded41235148930f8cf781538f7d63ecb0c65ea4e8ce792565f3649ee2523592a76b2a166785f0b14
 96d88bb9c03f6eddcfc22cbd04efa73535f4ab78409954a042a2e08294cc8df1fb2cb0475eadb92a7fa281229abaa600f034d3ef08e918c6016dbf9be1db28d9  ppc-hwcap.patch
 d5ec3f1a86f2194e0af83c2391508811b939d0f8f2fd2ac5ac7f03774f8a250ce42399110d2ae04d32b864ee292863fed683a029b64598dbbcb21d9811a825d0  realpath.patch
 3770af3bc961e5d5b8c152c428cd20dc54e026b23b31d764fbc2e71ee38140d160db2267755f23800bc8586fd4b51554b1caebb2415bef82fd0f4a6dd8bf640d  signed-wchar_t-fixes.patch
+a69f77c4b4c7fefb543f5a1678f981b001c35cdb4c0bb2dfb56548eebc88e725330b9961a5435d11e6e1e3185b508f1fd5bf72e6aa67b708a8e8186c4b33392a  0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch
+c4777d653007ea3e2af5e3edf7804e5b5562823e41543991b7c04843203a6e93c1e1e2c63b178c8ed2f89411040230268d8a83ebc3018ad199aad958587c0faf  0002-iconv-harden-UTF-8-output-code-path-against-input-de.patch
 cb71d29a87f334c75ecbc911becde7be825ab30d8f39fa6d64cb53812a7c9abaf91d9804c72540e5be3ddd3c84cfe7fd9632274309005cb8bcdf9a9b09b4b923  ldconfig
 378d70e65bcc65bb4e1415354cecfa54b0c1146dfb24474b69e418cdbf7ad730472cd09f6f103e1c99ba6c324c9560bccdf287f5889bbc3ef0bdf0e08da47413  getent.c
 9d42d66fb1facce2b85dad919be5be819ee290bd26ca2db00982b2f8e055a0196290a008711cbe2b18ec9eee8d2270e3b3a4692c5a1b807013baa5c2b70a2bbf  iconv.c"