Update to musl 1.2.5. #557
Merged
See the WHATSNEW file for details.
Revert musl patches:

- 246f1c811448f37a44b41cd8df8d0ef9736d95f4
- 25e6fee27f4a293728dd15b659170e7b9c7db9bc
- 7c41047285a24a97e700b4fb5b6b69f4505e2d82
- 718f363bc2067b6487900eddc9180c84e7739f80

In upstream musl, these patches replace the explicit LFS64 symbols with dynamic linker symbol lookups, which wasi-libc doesn't have. To preserve compatibility with existing code using these symbols, revert these patches in wasi-libc.
Backport another part of the revert of 25e6fee27f4a293728dd15b659170e7b9c7db9bc.
4776399 to bd61b62
Apply the [first patch] to fix CVE-2025-26519:

>From e5adcd97b5196e29991b524237381a0202a60659 Mon Sep 17 00:00:00 2001
From: Rich Felker <[email protected]>
Date: Sun, 9 Feb 2025 10:07:19 -0500
Subject: [PATCH] iconv: fix erroneous input validation in EUC-KR decoder

as a result of incorrect bounds checking on the lead byte being decoded, certain invalid inputs which should produce an encoding error, such as "\xc8\x41", instead produced out-of-bounds loads from the ksc table.

in a worst case, the loaded value may not be a valid unicode scalar value, in which case, if the output encoding was UTF-8, wctomb would return (size_t)-1, causing an overflow in the output pointer and remaining buffer size which could clobber memory outside of the output buffer.

bug report was submitted in private by Nick Wellnhofer on account of potential security implications.

[first patch]: https://www.openwall.com/lists/musl/2025/02/13/1/1
Apply the [second patch] to fix CVE-2025-26519:

>From c47ad25ea3b484e10326f933e927c0bc8cded3da Mon Sep 17 00:00:00 2001
From: Rich Felker <[email protected]>
Date: Wed, 12 Feb 2025 17:06:30 -0500
Subject: [PATCH] iconv: harden UTF-8 output code path against input decoder bugs

the UTF-8 output code was written assuming an invariant that iconv's decoders only emit valid Unicode Scalar Values which wctomb can encode successfully, thereby always returning a value between 1 and 4.

if this invariant is not satisfied, wctomb returns (size_t)-1, and the subsequent adjustments to the output buffer pointer and remaining output byte count overflow, moving the output position backwards, potentially past the beginning of the buffer, without storing any bytes.

[second patch]: https://www.openwall.com/lists/musl/2025/02/13/1/2
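
The failure mode described in the second commit message, as an added example (not code from musl, wasi-libc, or this PR): a simplified model of a UTF-8 output step that tracks the buffer as offsets, so the wraparound is well-defined unsigned arithmetic. `encode_utf8`, `put_utf8`, `struct out` and the `validate` flag are hypothetical names, `encode_utf8` stands in for `wctomb`, and `0xd800` is a constructed non-scalar input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ENC_OK = 0, ERR_TOOBIG = -1, ERR_ILSEQ = -2 };
struct out { unsigned char *buf; size_t pos, left; };  /* offsets, not raw pointers */

/* Stand-in for wctomb in a UTF-8 locale (hypothetical helper): returns 1..4,
 * or (size_t)-1 without writing when c is not a Unicode scalar value. */
size_t encode_utf8(unsigned char *s, uint32_t c)
{
    if (c < 0x80) { s[0] = c; return 1; }
    if (c < 0x800) { s[0] = 0xc0 | (c >> 6); s[1] = 0x80 | (c & 0x3f); return 2; }
    if (c - 0xd800 < 0x800 || c > 0x10ffff) return (size_t)-1;
    if (c < 0x10000) {
        s[0] = 0xe0 | (c >> 12); s[1] = 0x80 | ((c >> 6) & 0x3f);
        s[2] = 0x80 | (c & 0x3f); return 3;
    }
    s[0] = 0xf0 | (c >> 18); s[1] = 0x80 | ((c >> 12) & 0x3f);
    s[2] = 0x80 | ((c >> 6) & 0x3f); s[3] = 0x80 | (c & 0x3f);
    return 4;
}

/* validate == 0 trusts the "decoder only emits scalar values" invariant;
 * validate != 0 checks the encoder's result before touching the state. */
int put_utf8(struct out *o, uint32_t c, int validate)
{
    unsigned char tmp[4], *dst = o->left < 4 ? tmp : o->buf + o->pos;
    size_t k = encode_utf8(dst, c);
    if (validate && k > 4) return ERR_ILSEQ;   /* hardened: fail, state untouched */
    if (dst == tmp) {
        if (o->left < k) return ERR_TOOBIG;
        memcpy(o->buf + o->pos, tmp, k);
    }
    o->pos += k;    /* k == (size_t)-1 wraps: position moves back one byte */
    o->left -= k;   /* and the remaining count grows by one */
    return ENC_OK;
}

int main(void)
{
    unsigned char buf[8] = {0};
    struct out o = { buf, 2, 6 };
    int r = put_utf8(&o, 0xd800, 0);           /* constructed input: a surrogate */
    printf("unchecked: r=%d pos=%zu left=%zu\n", r, o.pos, o.left);
    o.pos = 2; o.left = 6;
    r = put_utf8(&o, 0xd800, 1);
    printf("validated: r=%d pos=%zu left=%zu\n", r, o.pos, o.left);
    return 0;
}
```
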