From 17c73e0c9651fc963a977d7fd2fcd25432e43e8f Mon Sep 17 00:00:00 2001
From: fossdd <fossdd@pwned.life>
Date: Thu, 13 Feb 2025 18:22:20 +0100
Subject: [PATCH] main/musl: patch CVE-2025-26519
https://www.openwall.com/lists/musl/2025/02/13/1
---
main/musl/APKBUILD | 6 ++-
main/musl/CVE-2025-26519.patch | 78 ++++++++++++++++++++++++++++++++++
2 files changed, 83 insertions(+), 1 deletion(-)
create mode 100644 main/musl/CVE-2025-26519.patch
diff --git a/main/musl/APKBUILD b/main/musl/APKBUILD
index c59bf3889724..262644083921 100644
--- a/main/musl/APKBUILD
+++ b/main/musl/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Timo Teräs <timo.teras@iki.fi>
pkgname=musl
pkgver=1.2.4
-pkgrel=2
+pkgrel=3
pkgdesc="the musl c library (libc) implementation"
url="https://musl.libc.org/"
arch="all"
@@ -32,6 +32,7 @@ source="musl-$_commit.tar.gz::https://git.musl-libc.org/cgit/musl/snapshot/$_com
5-dns-size.patch
6-dns-pointer.patch
remove-dns-63-records-limit.patch
+ CVE-2025-26519.patch
ldconfig
__stack_chk_fail_local.c
@@ -41,6 +42,8 @@ source="musl-$_commit.tar.gz::https://git.musl-libc.org/cgit/musl/snapshot/$_com
"
# secfixes:
+# 1.2.4-r3:
+# - CVE-2025-26519
# 1.2.2_pre2-r0:
# - CVE-2020-28928
# 1.1.23-r2:
@@ -190,6 +193,7 @@ a76f79b801497ad994746cf82bb6eaf86f9e1ae646e6819fbae8532a7f4eee53a96ac1d4e789ec8f
43ae7af80cbeba88489279e925cd88ab33999b60f75b84f91d6d753fb59473d455ba32480c6b6bbb9d8c3c303a2149b055c0bdb605c62fed8f1049987a21973f 5-dns-size.patch
c8e51e1db30e15cf7822b8ae5af3a0bdcf9ae86f086fc07e4f49b642fcc530eeb8b9c263c84e9f9c5bd1e93badf81697bf18591c0ba5b3dfb95a83ccd5861860 6-dns-pointer.patch
088620aeeea1a407a103728f839d21c10c830820e1dae970edd70282534758d7fdb6d1d2d2761ccecac7a3e56ffb79c7b7085f3fe80a01d324d7bc0d94bb15f7 remove-dns-63-records-limit.patch
+7a6a9836d2de91afc1115868e68f347bd2365fa48188e65938cfa654ae9bafdbb3a56bf12d3185a96800a85198378c8dbf9c25d977ca0e318220529fa4458123 CVE-2025-26519.patch
8d3a2d5315fc56fee7da9abb8b89bb38c6046c33d154c10d168fb35bfde6b0cf9f13042a3bceee34daf091bc409d699223735dcf19f382eeee1f6be34154f26f ldconfig
062bb49fa54839010acd4af113e20f7263dde1c8a2ca359b5fb2661ef9ed9d84a0f7c3bc10c25dcfa10bb3c5a4874588dff636ac43d5dbb3d748d75400756d0b __stack_chk_fail_local.c
0d80f37b34a35e3d14b012257c50862dfeb9d2c81139ea2dfa101d981d093b009b9fa450ba27a708ac59377a48626971dfc58e20a3799084a65777a0c32cbc7d getconf.c
diff --git a/main/musl/CVE-2025-26519.patch b/main/musl/CVE-2025-26519.patch
new file mode 100644
index 000000000000..8d5ba6cc8390
--- /dev/null
+++ b/main/musl/CVE-2025-26519.patch
@@ -0,0 +1,78 @@
+Patch-Source: https://www.openwall.com/lists/musl/2025/02/13/1
+---
+>From e5adcd97b5196e29991b524237381a0202a60659 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Sun, 9 Feb 2025 10:07:19 -0500
+Subject: [PATCH] iconv: fix erroneous input validation in EUC-KR decoder
+
+as a result of incorrect bounds checking on the lead byte being
+decoded, certain invalid inputs which should produce an encoding
+error, such as "\xc8\x41", instead produced out-of-bounds loads from
+the ksc table.
+
+in a worst case, the loaded value may not be a valid unicode scalar
+value, in which case, if the output encoding was UTF-8, wctomb would
+return (size_t)-1, causing an overflow in the output pointer and
+remaining buffer size which could clobber memory outside of the output
+buffer.
+
+bug report was submitted in private by Nick Wellnhofer on account of
+potential security implications.
+---
+ src/locale/iconv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 9605c8e9..008c93f0 100644
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -502,7 +502,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ if (c >= 93 || d >= 94) {
+ c += (0xa1-0x81);
+ d += 0xa1;
+- if (c >= 93 || c>=0xc6-0x81 && d>0x52)
++ if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
+ goto ilseq;
+ if (d-'A'<26) d = d-'A';
+ else if (d-'a'<26) d = d-'a'+26;
+--
+2.21.0
+
+>From c47ad25ea3b484e10326f933e927c0bc8cded3da Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Wed, 12 Feb 2025 17:06:30 -0500
+Subject: [PATCH] iconv: harden UTF-8 output code path against input decoder
+ bugs
+
+the UTF-8 output code was written assuming an invariant that iconv's
+decoders only emit valid Unicode Scalar Values which wctomb can encode
+successfully, thereby always returning a value between 1 and 4.
+
+if this invariant is not satisfied, wctomb returns (size_t)-1, and the
+subsequent adjustments to the output buffer pointer and remaining
+output byte count overflow, moving the output position backwards,
+potentially past the beginning of the buffer, without storing any
+bytes.
+---
+ src/locale/iconv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 008c93f0..52178950 100644
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -545,6 +545,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ if (*outb < k) goto toobig;
+ memcpy(*out, tmp, k);
+ } else k = wctomb_utf8(*out, c);
++ /* This failure condition should be unreachable, but
++ * is included to prevent decoder bugs from translating
++ * into advancement outside the output buffer range. */
++ if (k>4) goto ilseq;
+ *out += k;
+ *outb -= k;
+ break;
+--
+2.21.0
+
+
--
GitLab