From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: "Daniel Brát" <danek.brat@gmail.com>
Cc: Thomas Perale <thomas.perale@mind.be>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/musl: bump to version 1.2.6
Date: Tue, 14 Apr 2026 17:46:02 +0200
Message-ID: <20260414154602.335683-1-thomas.perale@mind.be>
In-Reply-To: <20260330111505.3162298-1-danek.brat@gmail.com>
In reply to:
> This upstream release includes a fix for CVE-2025-26519 and several other
> issues Buildroot previously needed to apply its own patches for.
> The sha256 of the COPYRIGHT file has changed due to a contributor name change;
> the licence otherwise remains the same.
>
> Signed-off-by: Daniel Brát <danek.brat@gmail.com>
Applied to 2025.02.x & 2026.02.x. Thanks
> ---
> ...ility-for-C-entry-point-function-_st.patch | 42 -------------------
> ...ous-input-validation-in-EUC-KR-decod.patch | 42 -------------------
> ...-8-output-code-path-against-input-de.patch | 41 ------------------
> package/musl/0006-m68k-fix-poll.patch | 26 ------------
> package/musl/musl.hash | 6 +--
> package/musl/musl.mk | 6 +--
> 6 files changed, 4 insertions(+), 159 deletions(-)
> delete mode 100644 package/musl/0003-use-hidden-visibility-for-C-entry-point-function-_st.patch
> delete mode 100644 package/musl/0004-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch
> delete mode 100644 package/musl/0005-iconv-harden-UTF-8-output-code-path-against-input-de.patch
> delete mode 100644 package/musl/0006-m68k-fix-poll.patch
>
> diff --git a/package/musl/0003-use-hidden-visibility-for-C-entry-point-function-_st.patch b/package/musl/0003-use-hidden-visibility-for-C-entry-point-function-_st.patch
> deleted file mode 100644
> index 6359565cd7..0000000000
> --- a/package/musl/0003-use-hidden-visibility-for-C-entry-point-function-_st.patch
> +++ /dev/null
> @@ -1,42 +0,0 @@
> -From 9c78557af0a5e521cdb46a4ca7630f2987d2523e Mon Sep 17 00:00:00 2001
> -From: Rich Felker <dalias@aerifal.cx>
> -Date: Sat, 10 Aug 2024 19:49:24 -0400
> -Subject: [PATCH] use hidden visibility for C entry point function _start_c
> -
> -the file-level crt_arch.h asm fragments generally make direct
> -(non-PLT) calls from _start to _start_c, which is only valid when
> -there is a local, non-interposable definition for _start_c. generally,
> -the linker is expected to know that local definitions in a main
> -executable (as opposed to shared library) output are non-interposable,
> -making this work, but historically there have been linker bugs in this
> -area, and microblaze is reportedly still broken, flagging the
> -relocation for the call as a textrel.
> -
> -the equivalent _dlstart_c, called from the same crt_arch.h asm
> -fragments, has always used hidden visibility without problem, and
> -semantically it should be hidden, so make it hidden. this ensures the
> -direct call is always valid regardless of whether the linker properly
> -special-cases main executable output.
> -
> -Upstream: https://git.musl-libc.org/cgit/musl/commit/?id=9c78557af0a5e521cdb46a4ca7630f2987d2523e
> -Signed-off-by: J. Neuschäfer <j.neuschaefer@gmx.net>
> ----
> - crt/crt1.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/crt/crt1.c b/crt/crt1.c
> -index 8fe8ab5d..10601215 100644
> ---- a/crt/crt1.c
> -+++ b/crt/crt1.c
> -@@ -11,7 +11,7 @@ weak void _fini();
> - int __libc_start_main(int (*)(), int, char **,
> - void (*)(), void(*)(), void(*)());
> -
> --void _start_c(long *p)
> -+hidden void _start_c(long *p)
> - {
> - int argc = p[0];
> - char **argv = (void *)(p+1);
> ---
> -2.45.2
> -
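Review bot: the commit message covers this removal only as "several other issues", so nothing in the patch says which upstream commits justify dropping 0003 (and 0006 further down). Name them in the commit message, 9c78557af0a5e521cdb46a4ca7630f2987d2523e for the hidden `_start_c` visibility and b09e3174a695d1db60b2abc442d29ed3f87f0358 for the m68k `POLLWRNORM`/`POLLWRBAND` definitions, and state that both are contained in the 1.2.6 release, so the drop can be checked without diffing the tarball.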
> diff --git a/package/musl/0004-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch b/package/musl/0004-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch
> deleted file mode 100644
> index a0418e1df8..0000000000
> --- a/package/musl/0004-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch
> +++ /dev/null
> @@ -1,42 +0,0 @@
> -From e5adcd97b5196e29991b524237381a0202a60659 Mon Sep 17 00:00:00 2001
> -From: Rich Felker <dalias@aerifal.cx>
> -Date: Sun, 9 Feb 2025 10:07:19 -0500
> -Subject: [PATCH] iconv: fix erroneous input validation in EUC-KR decoder
> -
> -as a result of incorrect bounds checking on the lead byte being
> -decoded, certain invalid inputs which should produce an encoding
> -error, such as "\xc8\x41", instead produced out-of-bounds loads from
> -the ksc table.
> -
> -in a worst case, the loaded value may not be a valid unicode scalar
> -value, in which case, if the output encoding was UTF-8, wctomb would
> -return (size_t)-1, causing an overflow in the output pointer and
> -remaining buffer size which could clobber memory outside of the output
> -buffer.
> -
> -bug report was submitted in private by Nick Wellnhofer on account of
> -potential security implications.
> -
> -CVE: CVE-2025-26519
> -Upstream: https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659
> -Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ----
> - src/locale/iconv.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/src/locale/iconv.c b/src/locale/iconv.c
> -index 9605c8e9..008c93f0 100644
> ---- a/src/locale/iconv.c
> -+++ b/src/locale/iconv.c
> -@@ -502,7 +502,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
> - if (c >= 93 || d >= 94) {
> - c += (0xa1-0x81);
> - d += 0xa1;
> -- if (c >= 93 || c>=0xc6-0x81 && d>0x52)
> -+ if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
> - goto ilseq;
> - if (d-'A'<26) d = d-'A';
> - else if (d-'a'<26) d = d-'a'+26;
> ---
> -2.39.5
> -
> diff --git a/package/musl/0005-iconv-harden-UTF-8-output-code-path-against-input-de.patch b/package/musl/0005-iconv-harden-UTF-8-output-code-path-against-input-de.patch
> deleted file mode 100644
> index 8250790d4f..0000000000
> --- a/package/musl/0005-iconv-harden-UTF-8-output-code-path-against-input-de.patch
> +++ /dev/null
> @@ -1,41 +0,0 @@
> -From c47ad25ea3b484e10326f933e927c0bc8cded3da Mon Sep 17 00:00:00 2001
> -From: Rich Felker <dalias@aerifal.cx>
> -Date: Wed, 12 Feb 2025 17:06:30 -0500
> -Subject: [PATCH] iconv: harden UTF-8 output code path against input decoder
> - bugs
> -
> -the UTF-8 output code was written assuming an invariant that iconv's
> -decoders only emit valid Unicode Scalar Values which wctomb can encode
> -successfully, thereby always returning a value between 1 and 4.
> -
> -if this invariant is not satisfied, wctomb returns (size_t)-1, and the
> -subsequent adjustments to the output buffer pointer and remaining
> -output byte count overflow, moving the output position backwards,
> -potentially past the beginning of the buffer, without storing any
> -bytes.
> -
> -CVE: CVE-2025-26519
> -Upstream: https://git.musl-libc.org/cgit/musl/commit/?id=c47ad25ea3b484e10326f933e927c0bc8cded3da
> -Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ----
> - src/locale/iconv.c | 4 ++++
> - 1 file changed, 4 insertions(+)
> -
> -diff --git a/src/locale/iconv.c b/src/locale/iconv.c
> -index 008c93f0..52178950 100644
> ---- a/src/locale/iconv.c
> -+++ b/src/locale/iconv.c
> -@@ -545,6 +545,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
> - if (*outb < k) goto toobig;
> - memcpy(*out, tmp, k);
> - } else k = wctomb_utf8(*out, c);
> -+ /* This failure condition should be unreachable, but
> -+ * is included to prevent decoder bugs from translating
> -+ * into advancement outside the output buffer range. */
> -+ if (k>4) goto ilseq;
> - *out += k;
> - *outb -= k;
> - break;
> ---
> -2.39.5
> -
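Review bot: CVE-2025-26519 was carried as two patches, and this one holds only the defensive half, the `if (k>4) goto ilseq;` guard after `wctomb_utf8`, which is separate from the EUC-KR bound fix removed with 0004. The commit message should state that both e5adcd97b5196e29991b524237381a0202a60659 and c47ad25ea3b484e10326f933e927c0bc8cded3da are in 1.2.6, since per the removed patch description the guard is what stops a `(size_t)-1` return from moving the output position backwards when a decoder emits a value that is not a valid Unicode scalar value.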
> diff --git a/package/musl/0006-m68k-fix-poll.patch b/package/musl/0006-m68k-fix-poll.patch
> deleted file mode 100644
> index cafee534e4..0000000000
> --- a/package/musl/0006-m68k-fix-poll.patch
> +++ /dev/null
> @@ -1,26 +0,0 @@
> -From b09e3174a695d1db60b2abc442d29ed3f87f0358 Mon Sep 17 00:00:00 2001
> -From: Baruch Siach <baruch@tkos.co.il>
> -Date: Wed, 7 Aug 2024 08:51:03 +0300
> -Subject: m68k: fix POLLWRNORM and POLLWRBAND
> -
> -As noted in commit f5011c62c3 ("fix POLLWRNORM and POLLWRBAND on mips")
> -m68k uses a different definition.
> -
> -Signed-off-by: Daniel Palmer <daniel@0x0f.com>
> -Upstream: https://git.musl-libc.org/cgit/musl/commit/?id=b09e3174a695d1db60b2abc442d29ed3f87f0358
> ----
> - arch/m68k/bits/poll.h | 2 ++
> - 1 file changed, 2 insertions(+)
> - create mode 100644 arch/m68k/bits/poll.h
> -
> -diff --git a/arch/m68k/bits/poll.h b/arch/m68k/bits/poll.h
> -new file mode 100644
> -index 00000000..00063f41
> ---- /dev/null
> -+++ b/arch/m68k/bits/poll.h
> -@@ -0,0 +1,2 @@
> -+#define POLLWRNORM POLLOUT
> -+#define POLLWRBAND 256
> ---
> -cgit v1.2.1
> -
> diff --git a/package/musl/musl.hash b/package/musl/musl.hash
> index b105320bac..e3cc652f5b 100644
> --- a/package/musl/musl.hash
> +++ b/package/musl/musl.hash
> @@ -1,4 +1,4 @@
> # Locally calculated after checking pgp signature from
> -# http://musl.libc.org/releases/musl-1.2.5.tar.gz.asc
> -sha256 a9a118bbe84d8764da0ea0d28b3ab3fae8477fc7e4085d90102b8596fc7c75e4 musl-1.2.5.tar.gz
> -sha256 f9bc4423732350eb0b3f7ed7e91d530298476f8fec0c6c427a1c04ade22655af COPYRIGHT
> +# http://musl.libc.org/releases/musl-1.2.6.tar.gz.asc
> +sha256 d585fd3b613c66151fc3249e8ed44f77020cb5e6c1e635a616d3f9f82460512a musl-1.2.6.tar.gz
> +sha256 b870108ec5e7790e9f9919064f1b9421d62d5f9b0e6c230c6adf7ea2da62e97b COPYRIGHT
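Review bot: the header comment says the hashes were calculated after checking the PGP signature from the `.asc` file, but it does not record which key the signature was checked against. Add the signing key fingerprint to the comment (or to the commit message) so the next bump can repeat the check against the same key. The changed COPYRIGHT hash is accounted for by the contributor name change noted in the commit message.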
> diff --git a/package/musl/musl.mk b/package/musl/musl.mk
> index 13a49a15eb..bea9029455 100644
> --- a/package/musl/musl.mk
> +++ b/package/musl/musl.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -MUSL_VERSION = 1.2.5
> +MUSL_VERSION = 1.2.6
> MUSL_SITE = http://musl.libc.org/releases
> MUSL_LICENSE = MIT
> MUSL_LICENSE_FILES = COPYRIGHT
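Review bot: `MUSL_SITE = http://musl.libc.org/releases` stays on plain HTTP in the context of this hunk, so the integrity of the downloaded 1.2.6 tarball rests entirely on the sha256 in musl.hash. Not a blocker for a version bump, but a follow-up patch switching the site to HTTPS, if upstream serves the releases there, would be worth sending.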
> @@ -26,10 +26,6 @@ MUSL_ADD_TOOLCHAIN_DEPENDENCY = NO
>
> MUSL_INSTALL_STAGING = YES
>
> -# 0004-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch
> -# 0005-iconv-harden-UTF-8-output-code-path-against-input-de.patch
> -MUSL_IGNORE_CVES += CVE-2025-26519
> -
> # musl does not build with LTO, so explicitly disable it
> # when using a compiler that may have support for LTO
> ifeq ($(BR2_TOOLCHAIN_GCC_AT_LEAST_4_7),y)
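Review bot: removing `MUSL_IGNORE_CVES += CVE-2025-26519` is right only if the CVE data matches on version and lists 1.2.6 as fixed; otherwise the CVE shows up again as open in the vulnerability report now that neither the ignore entry nor the two local patches are present. Worth confirming with a pkg-stats run on a musl configuration and saying so in the commit message, in particular for the stable branches this is backported to.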
> --
> 2.39.5
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
Thread overview: 3+ messages
2026-03-30 11:15 [Buildroot] [PATCH 1/1] package/musl: bump to version 1.2.6 Daniel Brát
2026-03-30 20:40 ` Julien Olivain via buildroot
2026-04-14 15:46 ` Thomas Perale via buildroot [this message]