!39 Fix CVE-2025-26519

From: @swf504 
Reviewed-by: @juyin 
Signed-off-by: @juyin

0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decoder.patch

@@ -0,0 +1,38 @@
+From e5adcd97b5196e29991b524237381a0202a60659 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Sun, 9 Feb 2025 10:07:19 -0500
+Subject: iconv: fix erroneous input validation in EUC-KR decoder
+
+as a result of incorrect bounds checking on the lead byte being
+decoded, certain invalid inputs which should produce an encoding
+error, such as "\xc8\x41", instead produced out-of-bounds loads from
+the ksc table.
+
+in a worst case, the loaded value may not be a valid unicode scalar
+value, in which case, if the output encoding was UTF-8, wctomb would
+return (size_t)-1, causing an overflow in the output pointer and
+remaining buffer size which could clobber memory outside of the output
+buffer.
+
+bug report was submitted in private by Nick Wellnhofer on account of
+potential security implications.
+---
+ src/locale/iconv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 9605c8e9..008c93f0 100644
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -502,7 +502,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ 			if (c >= 93 || d >= 94) {
+ 				c += (0xa1-0x81);
+ 				d += 0xa1;
+-				if (c >= 93 || c>=0xc6-0x81 && d>0x52)
++				if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
+ 					goto ilseq;
+ 				if (d-'A'<26) d = d-'A';
+ 				else if (d-'a'<26) d = d-'a'+26;
+-- 
+cgit v1.2.1
+

0002-iconv-harden-UTF-8-output-code-path-against-input-decoder-bugs.patch

@@ -0,0 +1,36 @@
+From c47ad25ea3b484e10326f933e927c0bc8cded3da Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Wed, 12 Feb 2025 17:06:30 -0500
+Subject: iconv: harden UTF-8 output code path against input decoder bugs
+
+the UTF-8 output code was written assuming an invariant that iconv's
+decoders only emit valid Unicode Scalar Values which wctomb can encode
+successfully, thereby always returning a value between 1 and 4.
+
+if this invariant is not satisfied, wctomb returns (size_t)-1, and the
+subsequent adjustments to the output buffer pointer and remaining
+output byte count overflow, moving the output position backwards,
+potentially past the beginning of the buffer, without storing any
+bytes.
+---
+ src/locale/iconv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 008c93f0..52178950 100644
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -545,6 +545,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ 				if (*outb < k) goto toobig;
+ 				memcpy(*out, tmp, k);
+ 			} else k = wctomb_utf8(*out, c);
++			/* This failure condition should be unreachable, but
++			 * is included to prevent decoder bugs from translating
++			 * into advancement outside the output buffer range. */
++			if (k>4) goto ilseq;
+ 			*out += k;
+ 			*outb -= k;
+ 			break;
+-- 
+cgit v1.2.1
+

musl.spec

@@ -20,6 +20,10 @@
 %global _musl_target_cpu mips
 %endif
 
+%ifarch loongarch64
+%global _musl_target_cpu loongarch64
+%endif
+ 
 %ifarch ppc
 %global _musl_target_cpu powerpc
 %endif
@@ -33,7 +37,7 @@
 %endif
 %endif
  
-%ifnarch %{ix86} %{arm} %{mips} %{power64} ppc
+%ifnarch %{ix86} %{arm} %{mips} %{power64} ppc loongarch64
 %global _musl_target_cpu %{_target_cpu}
 %endif
  
@@ -45,14 +49,18 @@
 %global _includedir %{_prefix}/musl/include
 
 Name:		musl
-Version:	1.2.3
-Release:	1
+Version:	1.2.4
+Release:	4
 Summary:	An implementation of the standard library for Linux-based systems
 
 License:	MIT
-URL:		https://musl-libc.org
+URL:		https://musl.libc.org
 Source0:	%{url}/releases/%{name}-%{version}.tar.gz
 
+Patch0:	backport-musl-1.2.4-add-loongarch64-support.patch
+Patch1: 0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decoder.patch
+Patch2: 0002-iconv-harden-UTF-8-output-code-path-against-input-decoder-bugs.patch
+
 BuildRequires:	gcc
 BuildRequires:	make
 BuildRequires:	gnupg2
@@ -124,9 +132,14 @@ This package provides a wrapper around gcc to compile
 programs and libraries with musl easily.
 
 %prep
-%autosetup
+%autosetup -p1
 
 %build
+%ifarch %{power64}
+# Deal with ABI mismatch on long double between glibc and musl
+export CC="gcc -mlong-double-64"
+%endif
+
 export LDFLAGS="%{?build_ldflags} -Wl,-soname,ld-musl.so.1"
 %configure --enable-debug --enable-wrapper=gcc
 %make_build
@@ -180,6 +193,19 @@ ln -sr %{buildroot}%{_libdir}/libc.so %{buildroot}%{_libdir}/libutil.so.1
 %{_libdir}/musl-gcc.specs
 
 %changelog
+* Tue Mar 4 2025 Weifeng Su <suweifeng1@huawei.com> - 1.2.4-4
+- Fix CVE-2025-26519
+
+* Tue Jun 25 2024 wangshuo <wangshuo@kylinos.cn> - 1.2.4-3
+- Add Patch0: backport-musl-1.2.4-add-loongarch64-support.patch
+- Add _musl_target_cpu loongarch64
+
+* Thu Mar 14 2024 peng.zou <peng.zou@shingroup.cn> - 1.2.4-2
+- fix compile error about unsupported long double type in ppc64le
+
+* Tue Aug 29 2023 zhuyan <zhuyan34@huawei.com> - 1.2.4-1
+- upgrade to 1.2.4
+
 * Thu Aug 4  2022 linzhuorong <linzhuorong@huawei.com> - 1.2.3-1
 - upgrade to 1.2.3