musl: patch CVE-2025-26519

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26519 Pick the patches that are attached to the musl advisory: https://www.openwall.com/lists/musl/2025/02/13/1 (From OE-Core rev: e1c1b4b5100e08b63a2e6e5ff608f79e7b202649) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2025-11-19 13:42:58 +0100
committer: Steve Sakoman <steve@sakoman.com> 2025-11-24 06:57:39 -0800
commit: 9734a9147239d630882d73a05781e96bc09f0e7d (patch)
tree: 843f971b6042dc23e3ada4ca655ad93025637610 /meta
parent: 42d2a2e8cd33b6f12c4ad68c540fee6e409bad52 (diff)
download: poky-9734a9147239d630882d73a05781e96bc09f0e7d.tar.gz
3 files changed, 80 insertions, 1 deletions
diff --git a/meta/recipes-core/musl/musl/CVE-2025-26519-1.patch b/meta/recipes-core/musl/musl/CVE-2025-26519-1.patch
new file mode 100644
index 0000000000..a9ea3b4149
--- /dev/null
+++ b/meta/recipes-core/musl/musl/CVE-2025-26519-1.patch
@@ -0,0 +1,39 @@
+From 345d2a053c32f3443dbfdd313f49346ce30b92f8 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Wed, 19 Nov 2025 13:23:38 +0100
+Subject: [PATCH] iconv: fix erroneous input validation in EUC-KR decoder
+as a result of incorrect bounds checking on the lead byte being
+decoded, certain invalid inputs which should produce an encoding
+error, such as "\xc8\x41", instead produced out-of-bounds loads from
+the ksc table.
+in a worst case, the loaded value may not be a valid unicode scalar
+value, in which case, if the output encoding was UTF-8, wctomb would
+return (size_t)-1, causing an overflow in the output pointer and
+remaining buffer size which could clobber memory outside of the output
+buffer.
+bug report was submitted in private by Nick Wellnhofer on account of
+potential security implications.
+CVE: CVE-2025-26519
+Upstream-Status: Backport [https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/locale/iconv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 3047c27b..1fb66bc8 100644
+--- a/src/locale/iconv.c
+++ b/src/locale/iconv.c
+@@ -495,7 +495,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+                        if (c >= 93 || d >= 94) {
+                                c += (0xa1-0x81);
+                                d += 0xa1;
+-                               if (c >= 93 || c>=0xc6-0x81 && d>0x52)
+                               if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
+                                        goto ilseq;
+                                if (d-'A'<26) d = d-'A';
+                                else if (d-'a'<26) d = d-'a'+26;
diff --git a/meta/recipes-core/musl/musl/CVE-2025-26519-2.patch b/meta/recipes-core/musl/musl/CVE-2025-26519-2.patch
new file mode 100644
index 0000000000..82a09af535
--- /dev/null
+++ b/meta/recipes-core/musl/musl/CVE-2025-26519-2.patch
@@ -0,0 +1,38 @@
+From b81230050f6c3348038fe470d260028824b9a9e5 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Wed, 19 Nov 2025 13:27:15 +0100
+Subject: [PATCH] iconv: harden UTF-8 output code path against input decoder
+ bugs
+the UTF-8 output code was written assuming an invariant that iconv's
+decoders only emit valid Unicode Scalar Values which wctomb can encode
+successfully, thereby always returning a value between 1 and 4.
+if this invariant is not satisfied, wctomb returns (size_t)-1, and the
+subsequent adjustments to the output buffer pointer and remaining
+output byte count overflow, moving the output position backwards,
+potentially past the beginning of the buffer, without storing any
+bytes.
+CVE: CVE-2025-26519
+Upstream-Status: Backport [https://git.musl-libc.org/cgit/musl/commit/?id=c47ad25ea3b484e10326f933e927c0bc8cded3da]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/locale/iconv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 1fb66bc8..fb1d3217 100644
+--- a/src/locale/iconv.c
+++ b/src/locale/iconv.c
+@@ -538,6 +538,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+                                if (*outb < k) goto toobig;
+                                memcpy(*out, tmp, k);
+                        } else k = wctomb_utf8(*out, c);
+                       /* This failure condition should be unreachable, but
+                        * is included to prevent decoder bugs from translating
+                        * into advancement outside the output buffer range. */
+                       if (k>4) goto ilseq;
+                        *out += k;
+                        *outb -= k;
+                        break;
diff --git a/meta/recipes-core/musl/musl_git.bb b/meta/recipes-core/musl/musl_git.bb
index 4b85401360..f24da3b2cb 100644
--- a/meta/recipes-core/musl/musl_git.bb
+++ b/meta/recipes-core/musl/musl_git.bb
@@ -15,7 +15,9 @@ PV = "${BASEVER}+git${SRCPV}"
 SRC_URI = "git://git.musl-libc.org/musl;branch=master \
           file://0001-Make-dynamic-linker-a-relative-symlink-to-libc.patch \
           file://0002-ldso-Use-syslibdir-and-libdir-as-default-pathes-to-l.patch \
-          "
+           file://CVE-2025-26519-1.patch \
+           file://CVE-2025-26519-2.patch \
+           "
 S = "${WORKDIR}/git"
author	Gyorgy Sarvari <skandigraun@gmail.com>	2025-11-19 13:42:58 +0100
committer	Steve Sakoman <steve@sakoman.com>	2025-11-24 06:57:39 -0800
commit	9734a9147239d630882d73a05781e96bc09f0e7d (patch)
tree	843f971b6042dc23e3ada4ca655ad93025637610 /meta
parent	42d2a2e8cd33b6f12c4ad68c540fee6e409bad52 (diff)
download	poky-9734a9147239d630882d73a05781e96bc09f0e7d.tar.gz

diff --git a/meta/recipes-core/musl/musl/CVE-2025-26519-1.patch b/meta/recipes-core/musl/musl/CVE-2025-26519-1.patch new file mode 100644 index 0000000000..a9ea3b4149 --- /dev/null +++ b/meta/recipes-core/musl/musl/CVE-2025-26519-1.patch
@@ -0,0 +1,39 @@
		1	From 345d2a053c32f3443dbfdd313f49346ce30b92f8 Mon Sep 17 00:00:00 2001
		2	From: Rich Felker <dalias@aerifal.cx>
		3	Date: Wed, 19 Nov 2025 13:23:38 +0100
		4	Subject: [PATCH] iconv: fix erroneous input validation in EUC-KR decoder
		5
		6	as a result of incorrect bounds checking on the lead byte being
		7	decoded, certain invalid inputs which should produce an encoding
		8	error, such as "\xc8\x41", instead produced out-of-bounds loads from
		9	the ksc table.
		10
		11	in a worst case, the loaded value may not be a valid unicode scalar
		12	value, in which case, if the output encoding was UTF-8, wctomb would
		13	return (size_t)-1, causing an overflow in the output pointer and
		14	remaining buffer size which could clobber memory outside of the output
		15	buffer.
		16
		17	bug report was submitted in private by Nick Wellnhofer on account of
		18	potential security implications.
		19
		20	CVE: CVE-2025-26519
		21	Upstream-Status: Backport [https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659]
		22	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		23	---
		24	src/locale/iconv.c \| 2 +-
		25	1 file changed, 1 insertion(+), 1 deletion(-)
		26
		27	diff --git a/src/locale/iconv.c b/src/locale/iconv.c
		28	index 3047c27b..1fb66bc8 100644
		29	--- a/src/locale/iconv.c
		30	+++ b/src/locale/iconv.c
		31	@@ -495,7 +495,7 @@ size_t iconv(iconv_t cd, char *restrict in, size_t restrict inb, char **restri
		32	if (c >= 93 \|\| d >= 94) {
		33	c += (0xa1-0x81);
		34	d += 0xa1;
		35	- if (c >= 93 \|\| c>=0xc6-0x81 && d>0x52)
		36	+ if (c > 0xc6-0x81 \|\| c==0xc6-0x81 && d>0x52)
		37	goto ilseq;
		38	if (d-'A'<26) d = d-'A';
		39	else if (d-'a'<26) d = d-'a'+26;


diff --git a/meta/recipes-core/musl/musl/CVE-2025-26519-2.patch b/meta/recipes-core/musl/musl/CVE-2025-26519-2.patch new file mode 100644 index 0000000000..82a09af535 --- /dev/null +++ b/meta/recipes-core/musl/musl/CVE-2025-26519-2.patch
@@ -0,0 +1,38 @@
		1	From b81230050f6c3348038fe470d260028824b9a9e5 Mon Sep 17 00:00:00 2001
		2	From: Rich Felker <dalias@aerifal.cx>
		3	Date: Wed, 19 Nov 2025 13:27:15 +0100
		4	Subject: [PATCH] iconv: harden UTF-8 output code path against input decoder
		5	bugs
		6
		7	the UTF-8 output code was written assuming an invariant that iconv's
		8	decoders only emit valid Unicode Scalar Values which wctomb can encode
		9	successfully, thereby always returning a value between 1 and 4.
		10
		11	if this invariant is not satisfied, wctomb returns (size_t)-1, and the
		12	subsequent adjustments to the output buffer pointer and remaining
		13	output byte count overflow, moving the output position backwards,
		14	potentially past the beginning of the buffer, without storing any
		15	bytes.
		16
		17	CVE: CVE-2025-26519
		18	Upstream-Status: Backport [https://git.musl-libc.org/cgit/musl/commit/?id=c47ad25ea3b484e10326f933e927c0bc8cded3da]
		19	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		20	---
		21	src/locale/iconv.c \| 4 ++++
		22	1 file changed, 4 insertions(+)
		23
		24	diff --git a/src/locale/iconv.c b/src/locale/iconv.c
		25	index 1fb66bc8..fb1d3217 100644
		26	--- a/src/locale/iconv.c
		27	+++ b/src/locale/iconv.c
		28	@@ -538,6 +538,10 @@ size_t iconv(iconv_t cd, char *restrict in, size_t restrict inb, char **restri
		29	if (*outb < k) goto toobig;
		30	memcpy(*out, tmp, k);
		31	} else k = wctomb_utf8(*out, c);
		32	+ /* This failure condition should be unreachable, but
		33	+ * is included to prevent decoder bugs from translating
		34	+ * into advancement outside the output buffer range. */
		35	+ if (k>4) goto ilseq;
		36	*out += k;
		37	*outb -= k;
		38	break;


diff --git a/meta/recipes-core/musl/musl_git.bb b/meta/recipes-core/musl/musl_git.bb index 4b85401360..f24da3b2cb 100644 --- a/meta/recipes-core/musl/musl_git.bb +++ b/meta/recipes-core/musl/musl_git.bb
@@ -15,7 +15,9 @@ PV = "${BASEVER}+git${SRCPV}"
15	SRC_URI = "git://git.musl-libc.org/musl;branch=master \	15	SRC_URI = "git://git.musl-libc.org/musl;branch=master \
16	file://0001-Make-dynamic-linker-a-relative-symlink-to-libc.patch \	16	file://0001-Make-dynamic-linker-a-relative-symlink-to-libc.patch \
17	file://0002-ldso-Use-syslibdir-and-libdir-as-default-pathes-to-l.patch \	17	file://0002-ldso-Use-syslibdir-and-libdir-as-default-pathes-to-l.patch \
18	"	18	file://CVE-2025-26519-1.patch \
		19	file://CVE-2025-26519-2.patch \
		20	"
19		21
20	S = "${WORKDIR}/git"	22	S = "${WORKDIR}/git"
21		23