packages/musl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2025-26519

Browse Source 
Signed-off-by: Weifeng Su <suweifeng1@huawei.com>
(cherry picked from commit 6b65aa1f8bec03113a35a567413114e4b480b992)
This commit is contained in:
Weifeng Su 2025-03-04 03:13:01 +00:00 committed by openeuler-sync-bot
parent db1f2cc049
commit 658f07fef6
3 changed files with 82 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decoder.patch Normal file
View File

@ -0,0 +1,38 @@
From e5adcd97b5196e29991b524237381a0202a60659 Mon Sep 17 00:00:00 2001
From: Rich Felker <dalias@aerifal.cx>
Date: Sun, 9 Feb 2025 10:07:19 -0500
Subject: iconv: fix erroneous input validation in EUC-KR decoder
as a result of incorrect bounds checking on the lead byte being
decoded, certain invalid inputs which should produce an encoding
error, such as "\xc8\x41", instead produced out-of-bounds loads from
the ksc table.
in a worst case, the loaded value may not be a valid unicode scalar
value, in which case, if the output encoding was UTF-8, wctomb would
return (size_t)-1, causing an overflow in the output pointer and
remaining buffer size which could clobber memory outside of the output
buffer.
bug report was submitted in private by Nick Wellnhofer on account of
potential security implications.
---
src/locale/iconv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/locale/iconv.c b/src/locale/iconv.c
index 9605c8e9..008c93f0 100644
--- a/src/locale/iconv.c
+++ b/src/locale/iconv.c
@@ -502,7 +502,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
if (c >= 93 || d >= 94) {
c += (0xa1-0x81);
d += 0xa1;
- if (c >= 93 || c>=0xc6-0x81 && d>0x52)
+ if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
goto ilseq;
if (d-'A'<26) d = d-'A';
else if (d-'a'<26) d = d-'a'+26;
--
cgit v1.2.1

36
0002-iconv-harden-UTF-8-output-code-path-against-input-decoder-bugs.patch Normal file
View File

@ -0,0 +1,36 @@
From c47ad25ea3b484e10326f933e927c0bc8cded3da Mon Sep 17 00:00:00 2001
From: Rich Felker <dalias@aerifal.cx>
Date: Wed, 12 Feb 2025 17:06:30 -0500
Subject: iconv: harden UTF-8 output code path against input decoder bugs
the UTF-8 output code was written assuming an invariant that iconv's
decoders only emit valid Unicode Scalar Values which wctomb can encode
successfully, thereby always returning a value between 1 and 4.
if this invariant is not satisfied, wctomb returns (size_t)-1, and the
subsequent adjustments to the output buffer pointer and remaining
output byte count overflow, moving the output position backwards,
potentially past the beginning of the buffer, without storing any
bytes.
---
src/locale/iconv.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/locale/iconv.c b/src/locale/iconv.c
index 008c93f0..52178950 100644
--- a/src/locale/iconv.c
+++ b/src/locale/iconv.c
@@ -545,6 +545,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
if (*outb < k) goto toobig;
memcpy(*out, tmp, k);
} else k = wctomb_utf8(*out, c);
+ /* This failure condition should be unreachable, but
+ * is included to prevent decoder bugs from translating
+ * into advancement outside the output buffer range. */
+ if (k>4) goto ilseq;
*out += k;
*outb -= k;
break;
--
cgit v1.2.1

10
musl.spec
View File

@ -46,13 +46,16 @@
Name: musl
Version: 1.2.3
Release: 2
Release: 3
Summary: An implementation of the standard library for Linux-based systems
License: MIT
URL: https://musl.libc.org
Source0: %{url}/releases/%{name}-%{version}.tar.gz
Patch0001: 0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decoder.patch
Patch0002: 0002-iconv-harden-UTF-8-output-code-path-against-input-decoder-bugs.patch
BuildRequires: gcc
BuildRequires: make
BuildRequires: gnupg2
@ -124,7 +127,7 @@ This package provides a wrapper around gcc to compile
programs and libraries with musl easily.
%prep
%autosetup
%autosetup -p1
%build
%ifarch %{power64}
@ -185,6 +188,9 @@ ln -sr %{buildroot}%{_libdir}/libc.so %{buildroot}%{_libdir}/libutil.so.1
%{_libdir}/musl-gcc.specs
%changelog
* Tue Mar 4 2025 Weifeng Su <suweifeng1@huawei.com> - 1.2.3-3
- Fix CVE-2025-26519
* Thu Mar 14 2024 peng.zou <peng.zou@shingroup.cn> - 1.2.3-2
- fix compile error about unsupported long double type in ppc64le