Compare commits
11 Commits
9b610648bf
...
e8adbb7b1b
| Author | SHA1 | Date | |
|---|---|---|---|
|
e8adbb7b1b | ||
|
|
8d859a4e26 | ||
|
|
658f07fef6 | ||
|
|
db1f2cc049 | ||
|
|
8967b38483 | ||
|
|
7eea174541 | ||
|
|
ac3e754a99 | ||
|
|
2484de63a2 | ||
|
|
e11ab5aa25 | ||
|
|
92a1ae0f2c | ||
|
|
5dbbf3e663 |
@ -0,0 +1,38 @@
|
||||
From e5adcd97b5196e29991b524237381a0202a60659 Mon Sep 17 00:00:00 2001
|
||||
From: Rich Felker <dalias@aerifal.cx>
|
||||
Date: Sun, 9 Feb 2025 10:07:19 -0500
|
||||
Subject: iconv: fix erroneous input validation in EUC-KR decoder
|
||||
|
||||
as a result of incorrect bounds checking on the lead byte being
|
||||
decoded, certain invalid inputs which should produce an encoding
|
||||
error, such as "\xc8\x41", instead produced out-of-bounds loads from
|
||||
the ksc table.
|
||||
|
||||
in a worst case, the loaded value may not be a valid unicode scalar
|
||||
value, in which case, if the output encoding was UTF-8, wctomb would
|
||||
return (size_t)-1, causing an overflow in the output pointer and
|
||||
remaining buffer size which could clobber memory outside of the output
|
||||
buffer.
|
||||
|
||||
bug report was submitted in private by Nick Wellnhofer on account of
|
||||
potential security implications.
|
||||
---
|
||||
src/locale/iconv.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/locale/iconv.c b/src/locale/iconv.c
|
||||
index 9605c8e9..008c93f0 100644
|
||||
--- a/src/locale/iconv.c
|
||||
+++ b/src/locale/iconv.c
|
||||
@@ -502,7 +502,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
|
||||
if (c >= 93 || d >= 94) {
|
||||
c += (0xa1-0x81);
|
||||
d += 0xa1;
|
||||
- if (c >= 93 || c>=0xc6-0x81 && d>0x52)
|
||||
+ if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
|
||||
goto ilseq;
|
||||
if (d-'A'<26) d = d-'A';
|
||||
else if (d-'a'<26) d = d-'a'+26;
|
||||
--
|
||||
cgit v1.2.1
|
||||
|
||||
@ -0,0 +1,36 @@
|
||||
From c47ad25ea3b484e10326f933e927c0bc8cded3da Mon Sep 17 00:00:00 2001
|
||||
From: Rich Felker <dalias@aerifal.cx>
|
||||
Date: Wed, 12 Feb 2025 17:06:30 -0500
|
||||
Subject: iconv: harden UTF-8 output code path against input decoder bugs
|
||||
|
||||
the UTF-8 output code was written assuming an invariant that iconv's
|
||||
decoders only emit valid Unicode Scalar Values which wctomb can encode
|
||||
successfully, thereby always returning a value between 1 and 4.
|
||||
|
||||
if this invariant is not satisfied, wctomb returns (size_t)-1, and the
|
||||
subsequent adjustments to the output buffer pointer and remaining
|
||||
output byte count overflow, moving the output position backwards,
|
||||
potentially past the beginning of the buffer, without storing any
|
||||
bytes.
|
||||
---
|
||||
src/locale/iconv.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/src/locale/iconv.c b/src/locale/iconv.c
|
||||
index 008c93f0..52178950 100644
|
||||
--- a/src/locale/iconv.c
|
||||
+++ b/src/locale/iconv.c
|
||||
@@ -545,6 +545,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
|
||||
if (*outb < k) goto toobig;
|
||||
memcpy(*out, tmp, k);
|
||||
} else k = wctomb_utf8(*out, c);
|
||||
+ /* This failure condition should be unreachable, but
|
||||
+ * is included to prevent decoder bugs from translating
|
||||
+ * into advancement outside the output buffer range. */
|
||||
+ if (k>4) goto ilseq;
|
||||
*out += k;
|
||||
*outb -= k;
|
||||
break;
|
||||
--
|
||||
cgit v1.2.1
|
||||
|
||||
Binary file not shown.
BIN
musl-1.2.3.tar.gz
Normal file
BIN
musl-1.2.3.tar.gz
Normal file
Binary file not shown.
27
musl.spec
27
musl.spec
@ -45,14 +45,17 @@
|
||||
%global _includedir %{_prefix}/musl/include
|
||||
|
||||
Name: musl
|
||||
Version: 1.2.2
|
||||
Release: 2
|
||||
Version: 1.2.3
|
||||
Release: 3
|
||||
Summary: An implementation of the standard library for Linux-based systems
|
||||
|
||||
License: MIT
|
||||
URL: https://musl-libc.org
|
||||
URL: https://musl.libc.org
|
||||
Source0: %{url}/releases/%{name}-%{version}.tar.gz
|
||||
|
||||
Patch0001: 0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decoder.patch
|
||||
Patch0002: 0002-iconv-harden-UTF-8-output-code-path-against-input-decoder-bugs.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: make
|
||||
BuildRequires: gnupg2
|
||||
@ -124,9 +127,14 @@ This package provides a wrapper around gcc to compile
|
||||
programs and libraries with musl easily.
|
||||
|
||||
%prep
|
||||
%autosetup
|
||||
%autosetup -p1
|
||||
|
||||
%build
|
||||
%ifarch %{power64}
|
||||
# Deal with ABI mismatch on long double between glibc and musl
|
||||
export CC="gcc -mlong-double-64"
|
||||
%endif
|
||||
|
||||
export LDFLAGS="%{?build_ldflags} -Wl,-soname,ld-musl.so.1"
|
||||
%configure --enable-debug --enable-wrapper=gcc
|
||||
%make_build
|
||||
@ -180,13 +188,22 @@ ln -sr %{buildroot}%{_libdir}/libc.so %{buildroot}%{_libdir}/libutil.so.1
|
||||
%{_libdir}/musl-gcc.specs
|
||||
|
||||
%changelog
|
||||
* Tue Mar 4 2025 Weifeng Su <suweifeng1@huawei.com> - 1.2.3-3
|
||||
- Fix CVE-2025-26519
|
||||
|
||||
* Thu Mar 14 2024 peng.zou <peng.zou@shingroup.cn> - 1.2.3-2
|
||||
- fix compile error about unsupported long double type in ppc64le
|
||||
|
||||
* Thu Aug 4 2022 linzhuorong <linzhuorong@huawei.com> - 1.2.3-1
|
||||
- upgrade to 1.2.3
|
||||
|
||||
* Mon Oct 25 2021 zhuyan <zhuyan34@huawei.com> - 1.2.2-2
|
||||
- fix compile error
|
||||
|
||||
* Fri Sep 24 2021 zhuyan <zhuyan34@huawei.com> - 1.2.2-1
|
||||
- upgrade to 1.2.2
|
||||
|
||||
* Tue Aug 19 2021 zhuyan <zhuyan34@huawei.com> - 1.2.0-3
|
||||
* Thu Aug 19 2021 zhuyan <zhuyan34@huawei.com> - 1.2.0-3
|
||||
- fix CVE-2020-28928
|
||||
|
||||
* Tue May 11 2021 Jiajie Li <lijiajie11@huawei.com> - 1.2.0-2
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user