Update the Static SDK for Linux

Updated the versions of:

- libxml2 (2.14.5)
- curl (8.15.0)
- BoringSSL (newer SHA)

and added:

- bzip2 (1.0.8)
- xz-utils (5.8.1)
- libarchive (3.8.1)
- mimalloc (2.2.4)

Plus two security patches for musl to fix CVE-2025-26519.

Also link mimalloc by default, so programs using the Static SDK for Linux
get a better memory allocator out of the box.

rdar://156423711

Author: al45tair

swift-ci/sdks/static-linux/resources/patches/musl/0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch

@@ -0,0 +1,38 @@
+>From e5adcd97b5196e29991b524237381a0202a60659 Mon Sep 17 00:00:00 2001
+From: Rich Felker <[email protected]>
+Date: Sun, 9 Feb 2025 10:07:19 -0500
+Subject: [PATCH] iconv: fix erroneous input validation in EUC-KR decoder
+
+as a result of incorrect bounds checking on the lead byte being
+decoded, certain invalid inputs which should produce an encoding
+error, such as "\xc8\x41", instead produced out-of-bounds loads from
+the ksc table.
+
+in a worst case, the loaded value may not be a valid unicode scalar
+value, in which case, if the output encoding was UTF-8, wctomb would
+return (size_t)-1, causing an overflow in the output pointer and
+remaining buffer size which could clobber memory outside of the output
+buffer.
+
+bug report was submitted in private by Nick Wellnhofer on account of
+potential security implications.
+---
+ src/locale/iconv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 9605c8e9..008c93f0 100644
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -502,7 +502,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ 			if (c >= 93 || d >= 94) {
+ 				c += (0xa1-0x81);
+ 				d += 0xa1;
+-				if (c >= 93 || c>=0xc6-0x81 && d>0x52)
++				if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
+ 					goto ilseq;
+ 				if (d-'A'<26) d = d-'A';
+ 				else if (d-'a'<26) d = d-'a'+26;
+-- 
+2.21.0
+

swift-ci/sdks/static-linux/resources/patches/musl/0002-iconv-harden-UTF-8-output-code-path-against-input-de.patch

@@ -0,0 +1,38 @@
+>From c47ad25ea3b484e10326f933e927c0bc8cded3da Mon Sep 17 00:00:00 2001
+From: Rich Felker <[email protected]>
+Date: Wed, 12 Feb 2025 17:06:30 -0500
+Subject: [PATCH] iconv: harden UTF-8 output code path against input decoder
+ bugs
+
+the UTF-8 output code was written assuming an invariant that iconv's
+decoders only emit valid Unicode Scalar Values which wctomb can encode
+successfully, thereby always returning a value between 1 and 4.
+
+if this invariant is not satisfied, wctomb returns (size_t)-1, and the
+subsequent adjustments to the output buffer pointer and remaining
+output byte count overflow, moving the output position backwards,
+potentially past the beginning of the buffer, without storing any
+bytes.
+---
+ src/locale/iconv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 008c93f0..52178950 100644
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -545,6 +545,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ 				if (*outb < k) goto toobig;
+ 				memcpy(*out, tmp, k);
+ 			} else k = wctomb_utf8(*out, c);
++			/* This failure condition should be unreachable, but
++			 * is included to prevent decoder bugs from translating
++			 * into advancement outside the output buffer range. */
++			if (k>4) goto ilseq;
+ 			*out += k;
+ 			*outb -= k;
+ 			break;
+-- 
+2.21.0
+
+

swift-ci/sdks/static-linux/scripts/build.sh

@@ -97,7 +97,7 @@ function declare_package
 }
 
 declare_package static_linux_sdk \
-                "Swift statically linked SDK for Linux" \
+                "Swift Static SDK for Linux" \
                 "Apache-2.0" "https://swift.org/install/sdk"
 declare_package swift "swift" "Apache-2.0" "https://swift.org"
 declare_package musl "musl" "MIT" "https://musl.org"
@@ -109,9 +109,13 @@ declare_package curl "curl" "MIT" "https://curl.se"
 declare_package boringssl "boringssl" "OpenSSL AND ISC AND MIT" \
                 "https://boringssl.googlesource.com/boringssl/"
 declare_package zlib "zlib" "Zlib" "https://zlib.net"
+declare_package bzip2 "bzip2" "bzip2-1.0.6" "https://sourceware.org/bzip2/"
+declare_package xz "XZ Utils" "0BSD" "https://tukaani.org/xz"
+declare_package libarchive "libarchive" "BSD-2-Clause" "https://www.libarchive.org"
+declare_package mimalloc "mimalloc" "MIT" "https://microsoft.github.io/mimalloc/"
 
 # Parse command line arguments
-static_linux_sdk_version=0.0.1
+static_linux_sdk_version=0.1.0
 sdk_name=
 archs=x86_64,aarch64
 build_type=RelWithDebInfo
@@ -208,6 +212,15 @@ boringssl_version=$(describe ${source_dir}/boringssl)
 
 zlib_version=$(versionFromTag ${source_dir}/zlib)
 
+bzip2_desc=$(describe ${source_dir}/bzip2)
+bzip2_version=${bzip2_desc#bzip2-}
+
+libarchive_version=$(versionFromTag ${source_dir}/libarchive)
+
+mimalloc_version=$(versionFromTag ${source_dir}/mimalloc)
+
+xz_version=$(versionFromTag ${source_dir}/xz)
+
 function quiet_pushd {
     pushd "$1" >/dev/null 2>&1
 }
@@ -233,6 +246,10 @@ echo "  - libxml2 ${libxml2_version}"
 echo "  - curl ${curl_version}"
 echo "  - BoringSSL ${boringssl_version}"
 echo "  - zlib ${zlib_version}"
+echo "  - bzip2 ${bzip2_version}"
+echo "  - xz ${xz_version}"
+echo "  - libarchive ${libarchive_version}"
+echo "  - mimalloc ${mimalloc_version}"
 
 function run() {
     echo "$@"
@@ -268,6 +285,19 @@ else
     exit 1
 fi
 
+echo "Applying Musl security patches... "
+for patch in $(realpath "${resource_dir}/patches/musl")/*; do
+    echo -n "  $(basename $patch)..."
+    if git -C ${source_dir}/musl apply --reverse --check "$patch" >/dev/null 2>&1; then
+        echo "already patched"
+    elif git -C ${source_dir}/musl apply "$patch" >/dev/null 2>&1; then
+        echo "done"
+    else
+        echo "failed"
+        exit 1
+    fi
+done
+
 for arch in $archs; do
 
     # Fix architecture names
@@ -299,7 +329,7 @@ for arch in $archs; do
     cat > $sdk_root/SDKSettings.json <<EOF
 {
   "DisplayName": "Swift SDK for Statically Linked Linux ($arch)",
-  "Version": "0.0.1",
+  "Version": "${static_linux_sdk_version}",
   "VersionMap": {},
   "CanonicalName": "${arch}-swift-linux-musl"
 }
@@ -499,6 +529,37 @@ EOF
 
     # -----------------------------------------------------------------------
 
+    header "Building mimalloc for $arch"
+
+    run cmake -G Ninja -S ${source_dir}/mimalloc \
+        -B ${build_dir}/$arch/mimalloc \
+        -DCMAKE_TOOLCHAIN_FILE=${build_dir}/$arch/toolchain.cmake \
+        -DCMAKE_BUILD_TYPE=RelWithDebInfo \
+        -DCMAKE_INSTALL_PREFIX="$sdk_root/usr" \
+        -DMI_LIBC_MUSL=ON \
+        -DMI_BUILD_SHARED=OFF \
+        -DMI_BUILD_STATIC=ON \
+        -DMI_BUILD_TESTS=OFF \
+        -DMI_INSTALL_TOPLEVEL=ON
+
+    quiet_pushd ${build_dir}/$arch/mimalloc
+    run ninja -j$parallel_jobs
+    quiet_popd
+
+    header "Installing mimalloc for ${arch}"
+
+    quiet_pushd ${build_dir}/$arch/mimalloc
+    run ninja -j$parallel_jobs install
+    quiet_popd
+
+    # Make sure we link mimalloc
+    ldflags="-lmimalloc $ldflags"
+    cxxldflags="-lmimalloc $cxxldflags"
+    sed -i -e 's/-lc++ /-lmimalloc -lc++ /g' \
+        ${build_dir}/${arch}/toolchain.cmake 
+
+    # -----------------------------------------------------------------------
+
     header "Building zlib for $arch"
 
     mkdir -p $build_dir/$arch/zlib
@@ -524,17 +585,67 @@ EOF
 
     # -----------------------------------------------------------------------
 
+    header "Building bzip2 for $arch"
+
+    rm -rf ${build_dir}/$arch/bzip2
+    cp -R ${source_dir}/bzip2 ${build_dir}/$arch/bzip2
+    quiet_pushd $build_dir/$arch/bzip2
+    run make \
+        CC="$cc" \
+        CXX="$cxx" \
+        LDFLAGS="$ldflags" \
+        CXXLDFLAGS="$cxxldflags" \
+        AS="$as" \
+        AR="ar" RANLIB="ranlib" \
+        PREFIX=$sdk_root/usr
+    quiet_popd
+
+    header "Installing bzip2 for $arch"
+
+    quiet_pushd $build_dir/$arch/bzip2
+    run make install \
+        CC="$cc" \
+        CXX="$cxx" \
+        LDFLAGS="$ldflags" \
+        CXXLDFLAGS="$cxxldflags" \
+        AS="$as" \
+        AR="ar" RANLIB="ranlib" \
+        PREFIX=$sdk_root/usr
+    quiet_popd
+
+    # -----------------------------------------------------------------------
+
+    header "Building xz for $arch"
+
+    run cmake -G Ninja -S ${source_dir}/xz -B ${build_dir}/$arch/xz \
+        -DCMAKE_TOOLCHAIN_FILE=${build_dir}/$arch/toolchain.cmake \
+        -DCMAKE_BUILD_TYPE=RelWithDebInfo \
+        -DCMAKE_INSTALL_PREFIX=$sdk_root/usr \
+        -DBUILD_SHARED_LIBS=NO
+
+    quiet_pushd ${build_dir}/$arch/xz
+    run ninja -j$parallel_jobs
+    quiet_popd
+
+    header "Installing xz for $arch"
+
+    quiet_pushd ${build_dir}/$arch/xz
+    run ninja -j$parallel_jobs install
+    quiet_popd
+
+    # -----------------------------------------------------------------------
+
     header "Building libxml2 for $arch"
 
     run cmake -G Ninja -S ${source_dir}/libxml2 -B ${build_dir}/$arch/libxml2 \
           -DCMAKE_TOOLCHAIN_FILE=${build_dir}/$arch/toolchain.cmake \
-          -DCMAKE_EXTRA_LINK_FLAGS="-rtlib=compiler-rt -unwindlib=libunwind -stdlib=libc++ -fuse-ld=lld -lc++ -lc++abi" \
+          -DCMAKE_EXTRA_LINK_FLAGS="-rtlib=compiler-rt -unwindlib=libunwind -stdlib=libc++ -fuse-ld=lld -lmimalloc -lc++ -lc++abi" \
           -DCMAKE_BUILD_TYPE=RelWithDebInfo \
           -DCMAKE_INSTALL_PREFIX=$sdk_root/usr \
           -DBUILD_SHARED_LIBS=NO \
           -DLIBXML2_WITH_PYTHON=NO \
           -DLIBXML2_WITH_ICU=NO \
-          -DLIBXML2_WITH_LZMA=NO
+          -DLIBXML2_WITH_LZMA=YES
 
     quiet_pushd ${build_dir}/$arch/libxml2
     run ninja -j$parallel_jobs
@@ -548,6 +659,29 @@ EOF
 
     # -----------------------------------------------------------------------
 
+    header "Building libarchive for $arch"
+
+    run cmake -G Ninja -S ${source_dir}/libarchive \
+        -B ${build_dir}/$arch/libarchive \
+        -DCMAKE_TOOLCHAIN_FILE=${build_dir}/$arch/toolchain.cmake \
+        -DCMAKE_BUILD_TYPE=RelWithDebInfo \
+        -DCMAKE_INSTALL_PREFIX=$sdk_root/usr \
+        -DCMAKE_INSTALL_LIBDIR=$sdk_root/usr/lib \
+        -DBUILD_SHARED_LIBS=NO \
+        -DENABLE_OPENSSL=NO
+
+    quiet_pushd ${build_dir}/$arch/libarchive
+    run ninja -j$parallel_jobs
+    quiet_popd
+
+    header "Installing libarchive for $arch"
+
+    quiet_pushd ${build_dir}/$arch/libarchive
+    run ninja -j$parallel_jobs install
+    quiet_popd
+
+    # -----------------------------------------------------------------------
+
     header "Building BoringSSL for $arch"
 
     run cmake -G Ninja -S ${source_dir}/boringssl -B ${build_dir}/$arch/boringssl \
@@ -576,7 +710,9 @@ EOF
         -DCMAKE_INSTALL_PREFIX=$sdk_root/usr \
         -DBUILD_SHARED_LIBS=NO \
         -DBUILD_STATIC_LIBS=YES \
-        -DBUILD_CURL_EXE=NO
+        -DBUILD_CURL_EXE=NO \
+        -DCURL_USE_PKGCONFIG=OFF \
+        -DCURL_USE_LIBPSL=OFF
 
     quiet_pushd ${build_dir}/$arch/curl
     ninja -j$parallel_jobs
@@ -619,6 +755,7 @@ EOF
 -stdlib=libc++
 -fuse-ld=lld
 -unwindlib=libunwind
+-lmimalloc
 -lc++abi
 -static
 EOF
@@ -750,7 +887,7 @@ header "Bundling SDK"
 
 spdx_uuid=$(uuidgen)
 spdx_doc_uuid=$(uuidgen)
-spdx_timestamp=$(date -Iseconds)
+spdx_timestamp=$(date -Iseconds -z Z | sed 's/\+00:00$/Z/g')
 
 sdk_name=swift-${swift_version}_static-linux-${static_linux_sdk_version}
 bundle="${sdk_name}.artifactbundle"
@@ -771,7 +908,7 @@ cat > info.json <<EOF
           "path": "$sdk_name/swift-linux-musl"
         }
       ],
-      "version": "0.0.1",
+      "version": "${static_linux_sdk_version}",
       "type": "swiftSDK"
     }
   }