A vulnerability has been identified in musl libc's implementation of iconv that can result in out-of-bounds memory writes in applications which process untrusted input using iconv and where the input charset for the conversion is input-controlled.

In order for the vulnerability to be exposed, an application must call iconv_open with an output encoding of UTF-8 and an input encoding of EUC-KR, and must subsequently process untrusted input using the resulting conversion descriptor. The most common scenario in which this occurs is using the declared MIME charset of untrusted input (for example, in XML, HTML, or MIME-encoded email) as input to iconv_open for converting arbitrary-encoding input to UTF-8.

This issue was discovered and reported by Nick Wellnhofer. It arose as a combination of incorrect input byte validation in the EUC-KR decoder, and the fact that the UTF-8 output encoder assumed an invariant that the input decoder never produces character codes which are not valid Unicode Scalar Values.

Affected versions:

The vulnerable code has been present since EUC-KR support was added to iconv in musl 0.9.13. All versions in the range 0.9.13 through 1.2.5 are affected. Future releases beginning with 1.2.6 will ship with the bug fixed.
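One way an application can gate the declared charset before it reaches iconv_open in the scenario described above. This is an added example, not code from the report or from musl; the allowlist contents, the normalization rule and the function names are assumptions chosen for illustration.

```c
#include <errno.h>
#include <iconv.h>
#include <stddef.h>
#include <string.h>

/* Assumed policy: normalized names this application accepts from untrusted
 * input. EUC-KR is deliberately absent; the list is illustrative. */
static const char *const allowed_charsets[] = {
    "utf8", "usascii", "iso88591", "iso885915", "windows1252",
};

/* Lowercase ASCII letters and drop everything except letters and digits, so
 * "EUC_KR", "euc-kr" and "EucKR" all compare as "euckr". Locale-independent. */
static int normalize_charset(const char *name, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *name; name++) {
        unsigned char c = (unsigned char)*name;
        if (c >= 'A' && c <= 'Z')
            c = (unsigned char)(c - 'A' + 'a');
        if (!((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')))
            continue;
        if (n + 1 >= outlen)
            return -1;              /* over-long name: reject, never truncate */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return n ? 0 : -1;              /* empty after normalization: reject */
}

/* Returns 1 only if the declared charset is on the allowlist. */
int charset_is_allowed(const char *declared)
{
    char norm[32];
    if (!declared || normalize_charset(declared, norm, sizeof norm) != 0)
        return 0;
    for (size_t i = 0; i < sizeof allowed_charsets / sizeof *allowed_charsets; i++)
        if (strcmp(norm, allowed_charsets[i]) == 0)
            return 1;
    return 0;
}

/* Use in place of iconv_open("UTF-8", declared) for untrusted input. */
iconv_t open_untrusted_to_utf8(const char *declared)
{
    if (!charset_is_allowed(declared)) {
        errno = EINVAL;             /* rejected before iconv_open is reached */
        return (iconv_t)-1;
    }
    return iconv_open("UTF-8", declared);
}
```

A gate like this only narrows which decoders untrusted input can select on an unpatched system; the fixed musl packages referenced in this bug are what remove the out-of-bounds write.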
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01ca451abdf7ec4899053d0fb355403f5809bd11

commit 01ca451abdf7ec4899053d0fb355403f5809bd11
Author:     Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2025-02-13 17:32:28 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2025-02-13 17:41:25 +0000

    sys-libs/musl: fix for input-controlled out-of-bounds write in iconv

    Bug: https://bugs.gentoo.org/949712
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 .../musl/files/musl-iconv-out-of-bound-fix.patch |  76 ++++++++
 sys-libs/musl/musl-1.2.5-r3.ebuild               | 210 +++++++++++++++++++++
 2 files changed, 286 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8d6f6351b58cc6ca60ea848c7c9032b2295b4691

commit 8d6f6351b58cc6ca60ea848c7c9032b2295b4691
Author:     Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2025-02-13 18:16:29 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2025-02-13 18:17:42 +0000

    sys-libs/musl: fix for input-controlled out-of-bounds write in iconv

    Bug: https://bugs.gentoo.org/949712
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 sys-libs/musl/musl-1.2.4-r4.ebuild | 209 +++++++++++++++++++++++++++++++++++++
 1 file changed, 209 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be4e8aaa2c36362f633013083a2472c98827f02e

commit be4e8aaa2c36362f633013083a2472c98827f02e
Author:     Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2025-02-13 18:14:17 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2025-02-13 18:17:41 +0000

    sys-libs/musl: fix for input-controlled out-of-bounds write in iconv

    Bug: https://bugs.gentoo.org/949712
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 sys-libs/musl/musl-1.2.3-r10.ebuild | 219 ++++++++++++++++++++++++++++++++++++
 1 file changed, 219 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e4380541000126c34f2638239e42c8336a5a4074

commit e4380541000126c34f2638239e42c8336a5a4074
Author:     Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2025-02-15 16:53:41 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2025-02-15 17:35:41 +0000

    sys-libs/musl: drop 1.2.3-r9, 1.2.4-r1, 1.2.4-r3, 1.2.5-r2

    Bug: https://bugs.gentoo.org/949712
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 sys-libs/musl/musl-1.2.3-r9.ebuild | 218 -------------------------------------
 sys-libs/musl/musl-1.2.4-r1.ebuild | 206 -----------------------------------
 sys-libs/musl/musl-1.2.4-r3.ebuild | 208 -----------------------------------
 sys-libs/musl/musl-1.2.5-r2.ebuild | 209 -----------------------------------
 4 files changed, 841 deletions(-)