Update musl-wrapper version to 1.2.5 and apply CVE patch (#627)

crazywhalecc · web-flow · commit d643051759e0 · 2025-03-13T11:11:58.000+08:00
diff --git a/src/SPC/doctor/item/LinuxMuslCheck.php b/src/SPC/doctor/item/LinuxMuslCheck.php
@@ -15,6 +15,7 @@
 use SPC\store\Downloader;
 use SPC\store\FileSystem;
 use SPC\store\PackageManager;
+use SPC\store\SourcePatcher;
 
 class LinuxMuslCheck
 {
@@ -63,14 +64,18 @@ public function fixMusl(): bool
                 logger()->warning('Current user is not root, using sudo for running command');
             }
             // The hardcoded version here is to be consistent with the version compiled by `musl-cross-toolchain`.
-            $musl_version_name = 'musl-1.2.4';
+            $musl_version_name = 'musl-1.2.5';
             $musl_source = [
                 'type' => 'url',
                 'url' => "https://musl.libc.org/releases/{$musl_version_name}.tar.gz",
             ];
             logger()->info('Downloading ' . $musl_source['url']);
             Downloader::downloadSource($musl_version_name, $musl_source);
             FileSystem::extractSource($musl_version_name, DOWNLOAD_PATH . "/{$musl_version_name}.tar.gz");
+
+            // Apply CVE-2025-26519 patch
+            SourcePatcher::patchFile('musl-1.2.5_CVE-2025-26519_0001.patch', SOURCE_PATH . "/{$musl_version_name}");
+            SourcePatcher::patchFile('musl-1.2.5_CVE-2025-26519_0002.patch', SOURCE_PATH . "/{$musl_version_name}");
             logger()->info('Installing musl wrapper');
             shell()->cd(SOURCE_PATH . "/{$musl_version_name}")
                 ->exec('CC=gcc CXX=g++ AR=ar LD=ld ./configure --disable-gcc-wrapper')
@@ -98,6 +103,7 @@ public function fixMuslCrossMake(): bool
                 logger()->warning('Current user is not root, using sudo for running command');
             }
             $arch = arch2gnu(php_uname('m'));
+            logger()->info("Downloading package musl-toolchain-{$arch}-linux");
             PackageManager::installPackage("musl-toolchain-{$arch}-linux");
             $pkg_root = PKG_ROOT_PATH . "/musl-toolchain-{$arch}-linux";
             shell()->exec("{$prefix}cp -rf {$pkg_root}/* /usr/local/musl");
diff --git a/src/globals/patch/musl-1.2.5_CVE-2025-26519_0001.patch b/src/globals/patch/musl-1.2.5_CVE-2025-26519_0001.patch
@@ -0,0 +1,37 @@
+>From e5adcd97b5196e29991b524237381a0202a60659 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Sun, 9 Feb 2025 10:07:19 -0500
+Subject: [PATCH] iconv: fix erroneous input validation in EUC-KR decoder
+
+as a result of incorrect bounds checking on the lead byte being
+decoded, certain invalid inputs which should produce an encoding
+error, such as "\xc8\x41", instead produced out-of-bounds loads from
+the ksc table.
+
+in a worst case, the loaded value may not be a valid unicode scalar
+value, in which case, if the output encoding was UTF-8, wctomb would
+return (size_t)-1, causing an overflow in the output pointer and
+remaining buffer size which could clobber memory outside of the output
+buffer.
+
+bug report was submitted in private by Nick Wellnhofer on account of
+potential security implications.
+---
+ src/locale/iconv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 9605c8e9..008c93f0 100644
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -502,7 +502,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ 			if (c >= 93 || d >= 94) {
+ 				c += (0xa1-0x81);
+ 				d += 0xa1;
+-				if (c >= 93 || c>=0xc6-0x81 && d>0x52)
++				if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
+ 					goto ilseq;
+ 				if (d-'A'<26) d = d-'A';
+ 				else if (d-'a'<26) d = d-'a'+26;
+--
+2.21.0
diff --git a/src/globals/patch/musl-1.2.5_CVE-2025-26519_0002.patch b/src/globals/patch/musl-1.2.5_CVE-2025-26519_0002.patch
@@ -0,0 +1,36 @@
+>From c47ad25ea3b484e10326f933e927c0bc8cded3da Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Wed, 12 Feb 2025 17:06:30 -0500
+Subject: [PATCH] iconv: harden UTF-8 output code path against input decoder
+ bugs
+
+the UTF-8 output code was written assuming an invariant that iconv's
+decoders only emit valid Unicode Scalar Values which wctomb can encode
+successfully, thereby always returning a value between 1 and 4.
+
+if this invariant is not satisfied, wctomb returns (size_t)-1, and the
+subsequent adjustments to the output buffer pointer and remaining
+output byte count overflow, moving the output position backwards,
+potentially past the beginning of the buffer, without storing any
+bytes.
+---
+ src/locale/iconv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 008c93f0..52178950 100644
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -545,6 +545,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ 				if (*outb < k) goto toobig;
+ 				memcpy(*out, tmp, k);
+ 			} else k = wctomb_utf8(*out, c);
++			/* This failure condition should be unreachable, but
++			 * is included to prevent decoder bugs from translating
++			 * into advancement outside the output buffer range. */
++			if (k>4) goto ilseq;
+ 			*out += k;
+ 			*outb -= k;
+ 			break;
+--
+2.21.0
diff --git a/src/globals/test-extensions.php b/src/globals/test-extensions.php
@@ -13,6 +13,8 @@
 
 // test php version
 $test_php_version = [
+    '8.1',
+    '8.2',
     '8.3',
     '8.4',
 ];
