Update musl-wrapper version to 1.2.5 and apply CVE patch (#627)

2026-03-18 12:54:52 +08:00 · 2025-03-13 11:11:58 +08:00 · 2025-03-13 11:11:58 +08:00 · d643051759
commit d643051759
parent 58eafe5100
4 changed files with 82 additions and 1 deletions
--- a/src/SPC/doctor/item/LinuxMuslCheck.php
+++ b/src/SPC/doctor/item/LinuxMuslCheck.php
@ -15,6 +15,7 @@ use SPC\exception\WrongUsageException;
 use SPC\store\Downloader;
 use SPC\store\FileSystem;
 use SPC\store\PackageManager;
 use SPC\store\SourcePatcher;
 class LinuxMuslCheck
 {
@ -63,7 +64,7 @@ class LinuxMuslCheck
                logger()->warning('Current user is not root, using sudo for running command');
            }
            // The hardcoded version here is to be consistent with the version compiled by `musl-cross-toolchain`.
-            $musl_version_name = 'musl-1.2.4';
+            $musl_version_name = 'musl-1.2.5';
            $musl_source = [
                'type' => 'url',
                'url' => "https://musl.libc.org/releases/{$musl_version_name}.tar.gz",
@ -71,6 +72,10 @@ class LinuxMuslCheck
            logger()->info('Downloading ' . $musl_source['url']);
            Downloader::downloadSource($musl_version_name, $musl_source);
            FileSystem::extractSource($musl_version_name, DOWNLOAD_PATH . "/{$musl_version_name}.tar.gz");
            // Apply CVE-2025-26519 patch
            SourcePatcher::patchFile('musl-1.2.5_CVE-2025-26519_0001.patch', SOURCE_PATH . "/{$musl_version_name}");
            SourcePatcher::patchFile('musl-1.2.5_CVE-2025-26519_0002.patch', SOURCE_PATH . "/{$musl_version_name}");
            logger()->info('Installing musl wrapper');
            shell()->cd(SOURCE_PATH . "/{$musl_version_name}")
                ->exec('CC=gcc CXX=g++ AR=ar LD=ld ./configure --disable-gcc-wrapper')
@ -98,6 +103,7 @@ class LinuxMuslCheck
                logger()->warning('Current user is not root, using sudo for running command');
            }
            $arch = arch2gnu(php_uname('m'));
            logger()->info("Downloading package musl-toolchain-{$arch}-linux");
            PackageManager::installPackage("musl-toolchain-{$arch}-linux");
            $pkg_root = PKG_ROOT_PATH . "/musl-toolchain-{$arch}-linux";
            shell()->exec("{$prefix}cp -rf {$pkg_root}/* /usr/local/musl");
--- a/src/globals/patch/musl-1.2.5_CVE-2025-26519_0001.patch
+++ b/src/globals/patch/musl-1.2.5_CVE-2025-26519_0001.patch
@ -0,0 +1,37 @@
 >From e5adcd97b5196e29991b524237381a0202a60659 Mon Sep 17 00:00:00 2001
 From: Rich Felker <dalias@aerifal.cx>
 Date: Sun, 9 Feb 2025 10:07:19 -0500
 Subject: [PATCH] iconv: fix erroneous input validation in EUC-KR decoder
 as a result of incorrect bounds checking on the lead byte being
 decoded, certain invalid inputs which should produce an encoding
 error, such as "\xc8\x41", instead produced out-of-bounds loads from
 the ksc table.
 in a worst case, the loaded value may not be a valid unicode scalar
 value, in which case, if the output encoding was UTF-8, wctomb would
 return (size_t)-1, causing an overflow in the output pointer and
 remaining buffer size which could clobber memory outside of the output
 buffer.
 bug report was submitted in private by Nick Wellnhofer on account of
 potential security implications.
 ---
 src/locale/iconv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/locale/iconv.c b/src/locale/iconv.c
 index 9605c8e9..008c93f0 100644
 --- a/src/locale/iconv.c
 +++ b/src/locale/iconv.c
@@ -502,7 +502,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
 			if (c >= 93 || d >= 94) {
 				c += (0xa1-0x81);
 				d += 0xa1;
 -				if (c >= 93 || c>=0xc6-0x81 && d>0x52)
 +				if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
 					goto ilseq;
 				if (d-'A'<26) d = d-'A';
 				else if (d-'a'<26) d = d-'a'+26;
 --
 2.21.0
--- a/src/globals/patch/musl-1.2.5_CVE-2025-26519_0002.patch
+++ b/src/globals/patch/musl-1.2.5_CVE-2025-26519_0002.patch
@ -0,0 +1,36 @@
 >From c47ad25ea3b484e10326f933e927c0bc8cded3da Mon Sep 17 00:00:00 2001
 From: Rich Felker <dalias@aerifal.cx>
 Date: Wed, 12 Feb 2025 17:06:30 -0500
 Subject: [PATCH] iconv: harden UTF-8 output code path against input decoder
 bugs
 the UTF-8 output code was written assuming an invariant that iconv's
 decoders only emit valid Unicode Scalar Values which wctomb can encode
 successfully, thereby always returning a value between 1 and 4.
 if this invariant is not satisfied, wctomb returns (size_t)-1, and the
 subsequent adjustments to the output buffer pointer and remaining
 output byte count overflow, moving the output position backwards,
 potentially past the beginning of the buffer, without storing any
 bytes.
 ---
 src/locale/iconv.c | 4 ++++
 1 file changed, 4 insertions(+)
 diff --git a/src/locale/iconv.c b/src/locale/iconv.c
 index 008c93f0..52178950 100644
 --- a/src/locale/iconv.c
 +++ b/src/locale/iconv.c
@@ -545,6 +545,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
 				if (*outb < k) goto toobig;
 				memcpy(*out, tmp, k);
 			} else k = wctomb_utf8(*out, c);
 +			/* This failure condition should be unreachable, but
 +			 * is included to prevent decoder bugs from translating
 +			 * into advancement outside the output buffer range. */
 +			if (k>4) goto ilseq;
 			*out += k;
 			*outb -= k;
 			break;
 --
 2.21.0
--- a/src/globals/test-extensions.php
+++ b/src/globals/test-extensions.php
@ -13,6 +13,8 @@ declare(strict_types=1);
 // test php version
 $test_php_version = [
    '8.1',
    '8.2',
    '8.3',
    '8.4',
 ];