{"id":2225389,"url":"http://patchwork.ozlabs.org/api/patches/2225389/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/patch/20260420220839.1232620-2-fiona.klute@gmx.de/","project":{"id":27,"url":"http://patchwork.ozlabs.org/api/projects/27/?format=json","name":"Buildroot development","link_name":"buildroot","list_id":"buildroot.buildroot.org","list_email":"buildroot@buildroot.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260420220839.1232620-2-fiona.klute@gmx.de>","list_archive_url":null,"date":"2026-04-20T22:08:38","name":"[1/2] package/musl: add upstream security patch for CVE-2026-6042","commit_ref":null,"pull_url":null,"state":"accepted","archived":false,"hash":"ad65a7fd3776a42534dea8497f88f9bfb5d55db0","submitter":{"id":88431,"url":"http://patchwork.ozlabs.org/api/people/88431/?format=json","name":"Fiona Klute","email":"fiona.klute@gmx.de"},"delegate":{"id":89618,"url":"http://patchwork.ozlabs.org/api/users/89618/?format=json","username":"juju","first_name":"Julien","last_name":"Olivain","email":"juju@cotds.org"},"mbox":"http://patchwork.ozlabs.org/project/buildroot/patch/20260420220839.1232620-2-fiona.klute@gmx.de/mbox/","series":[{"id":500694,"url":"http://patchwork.ozlabs.org/api/series/500694/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/list/?series=500694","date":"2026-04-20T22:08:37","name":"Add upstream security patches for musl 1.2.6","version":1,"mbox":"http://patchwork.ozlabs.org/series/500694/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2225389/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2225389/checks/","tags":{},"related":[],"headers":{"Return-Path":"<buildroot-bounces@buildroot.org>","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=pehjt3hy;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=140.211.166.136; helo=smtp3.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g004y69yyz1yCv\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Tue, 21 Apr 2026 08:09:06 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id EE6E961017;\n\tMon, 20 Apr 2026 22:09:03 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id LpIJsnTQEQ1g; Mon, 20 Apr 2026 22:09:03 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id D1818610F4;\n\tMon, 20 Apr 2026 22:09:02 +0000 (UTC)","from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n by lists1.osuosl.org (Postfix) with ESMTP id DD2D1259\n for <buildroot@buildroot.org>; Mon, 20 Apr 2026 22:08:59 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp4.osuosl.org (Postfix) with ESMTP id CF06341110\n for <buildroot@buildroot.org>; Mon, 20 Apr 2026 22:08:59 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 3tQpcNLD6Z2H for <buildroot@buildroot.org>;\n Mon, 20 Apr 2026 22:08:59 +0000 (UTC)","from mout.gmx.net (mout.gmx.net [212.227.15.19])\n by smtp4.osuosl.org (Postfix) with ESMTPS id 3F90841104\n for <buildroot@buildroot.org>; Mon, 20 Apr 2026 22:08:57 +0000 (UTC)","from client.hidden.invalid by mail.gmx.net (mrgmx005\n [212.227.17.190]) with ESMTPSA (Nemesis) id 1M4JmN-1wFDmN1Xph-00Apgg; Tue, 21\n Apr 2026 00:08:50 +0200"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp3.osuosl.org D1818610F4","OpenDKIM Filter v2.11.0 smtp4.osuosl.org 3F90841104"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1776722942;\n\tbh=K8Y5QzmDMJNEo3HRv9D5TgUdjmHAxBxxDO0S9vPKaKM=;\n\th=To:Cc:Date:In-Reply-To:References:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From:Reply-To:From;\n\tb=pehjt3hyyIYV2FThGCXKsSw2jOst1qs7JxwEhjIbaQ4R+aFYoeoE8PKSFgfBN2LTg\n\t RKVtWS2dhzUw58JelD8IxPl3pIfFfbf5G9aCVIJzlj45JB/HcJOx0ZQ9lIDacDIdIr\n\t ChApz4lrk4Uojo/osuK2OQlLjRnAS/62qduqqE3YDNcEfJ38QhQuV5wn2/P+daBryp\n\t vS/YyUvOas8Q8l6wPsSV26ffQiJjrQXaSXjA0bf9vBkqoDOf8p1FM9+iy3wGW8Mh1D\n\t SV5JmR9CHi/gQyzKUfWMta816KXocuU50LBdDWCHNEYLRw9KXKG2tURQO36pqYhUK3\n\t Mhlj/IzzBqznw==","Received-SPF":"Pass (mailfrom) identity=mailfrom; client-ip=212.227.15.19;\n helo=mout.gmx.net; envelope-from=fiona.klute@gmx.de; receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp4.osuosl.org 3F90841104","X-UI-Sender-Class":"724b4f7f-cbec-4199-ad4e-598c01a50d3a","To":"buildroot@buildroot.org","Cc":"Thomas Petazzoni <thomas.petazzoni@bootlin.com>,\n Marcus Hoffmann <buildroot@bubu1.eu>, Fiona Klute <fiona.klute@gmx.de>","Date":"Tue, 21 Apr 2026 00:08:38 +0200","Message-ID":"<20260420220839.1232620-2-fiona.klute@gmx.de>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260420220839.1232620-1-fiona.klute@gmx.de>","References":"<20260420220839.1232620-1-fiona.klute@gmx.de>","MIME-Version":"1.0","X-Provags-ID":"V03:K1:N6VksApCPXvpzEL3N4vpwf1XoNRCZZO55VP9NHYtjELNG2VgHuO\n MDXv0p/P8ioy5kvUTrNb31FL9IWZIkiGq0MmNPTw0XGOUDHbXnRe2oP3tZ8RmgOPEvdrUnq\n vD5lli6rykGYTiCWtCOg0osY2KgYHlR9XUhm07VUtxMiQxkduebcGilk8UwBoxvHStVzx7T\n o6HU2Ihlqba1unF6X3J7A==","UI-OutboundReport":"notjunk:1;M01:P0:9EivL49IBh4=;b/p5U4UP/I2keOT9O7ncGBjjRG4\n 6fs0RCOhIbgarliQuAXhE6o8RxnrRJmMk6MUXAagkZ3vveFYYVIT/uE8p0UpkyDTF1RUTFvat\n 0RAUwqGMQX8rRX+POcVp9xURb4L0PnO0TlFuTrR4iq7YqqbAFCUlCxHS25fZ7eB8h/S0g4anZ\n +dyGHJ8Lxol+VBFfxy0745ui5E9fITGML5Mpc8avmnEczuAlvAgUhsg3mYDVLD+hnXYZUyAfU\n FIN06VBCq1LgviBhxmD9k4bJx93WpDFiAqx7plNsxOF+dMyPB5vMdeX9Digd5ZRVDVRJ6Uflb\n L7jDabnXDlQbPiFp++K2Ixo0LEQb1e3Sp2OC2RMfYDWpHwIlapuGzFwZXGDmZaXbsqVHiKza0\n bafnt2davfTMUqVMX242rRQGrnNCMk+QjJWDKRdUvjKAldrbV4VfR7UA4GUbqOIVaDMRhIiL2\n ysFf+oLdu+QsgmLM8U3BBXmPQsbHcijMrx/6Z64T9TL0u0TGgvYYfmn9sVqdDt5/mkVqgMP1q\n Q6KoEnBwMeGeQnNx/Cey1SNj/fT07cvBekwFOPZpOVpWgtW3A2EG1q4AFMD4xZ1H88YQcjiQw\n 3deM7Po9qM7w2Tbys8hCvhC5CUYwYSGfvPQPEp77Tezidxp6xBZL0OOZPNj9M+Wq2g8fHHW4+\n 2oe3EUArtABRcOLc0FgB4Qoc/X+86wexIEDCnBNjL7E0XN/IsxDWVZ5UkAJbQ45wS6AP9uzni\n 9wPqn9J5Xk+r1oCfgdrPffE0LPzTxOtrzY/hpWDUg1WYjDJHVGY0DVoVXjZv343fwPfDVkFIp\n zglNWXSb9ocrk//HTNWYkuJim+k3Q3hLQW8uCEYKCRw8LvMNtZFnPhDLqx5rlVLlW1eFRpjBw\n GK+Vfv4m0CjqIbxneuqrTu0lEnVXkLvcxhLyIyd7BVHxFsWK+/jqiZXesJy8ODjiyjHaYWiZ2\n AaoLQQGYUuUGXmWFLQ0RJSqabNdKE7dS0qLkyZ93dsDlsYt7wG/tjkxOSkij9iN9IJ4+DDqRI\n pEhSCwNl8P5uEgpHak7fulmJrQ2haoSoHwpqIYgCvK+yPawl8lPBv/R1XTbgFUbn32O6IcBVY\n INGgPixshMToyZLzj1i/VFllsgDPd7o4JlT0/cdnUNaxzMN9BOORBV75TdvYN9pmuWY9WLRWy\n Q+JXgx9fkLOU/E3gqxTyqBlzr6Aps6JPoXGPcX4x6m6eFxHSx1gbQH4DXKhEQuR/3MACUMHNy\n FH/XU6bdopLZ1SMOa3dEJ1munWGR4SYDw3nygv/yvkeqhEYwAtImiKkh+9gsszwHXqUhKPsTK\n 9PVXrhjC+PtGJ88j/UVFbSOUwd6OOAUx5Kn+B1+p7XcFYEmjlkTRjzx2BoSXhjKwDhDohqAVD\n 7PTxk12hvpNVZ4Gzn6WuZUqsBAx7QmLsRox99eNtwGrejCMvV+xcbbnWigiyHGOcAmRRFFKRB\n HPjWMpkPp7nT7TqoqfwBFv5vFCVarbH+ragGlpimuHac9LBw+zanjQkKH/R/8O4rVlYACHooG\n +tGTCkyNBsh0AZELf7EIGFlpZsqnURtJRiNG+1QhVWd+xFq8NpyqWguqEZKnBvfFSpD0Is3kQ\n tAytmEZ+fDJ6OO/W41k170DnIczeD05u9uMOHBhzCm4PBBHgPwvouKBhincQe9A1rGzfeavAU\n sqZ6GAATyyI1ZDLubuGEGpcC0P1iTFhi8d5kruvevplWqknifhy8guMQbRkXKEhgV/x9KfW0r\n R0G1fTS+DeQQAokOE/Lk0a21F0EH2BcD8AYJm5lBVunf54atvZqzfM3g3PTMsZHpKJoKbr2fa\n oFa8J/WzopLMrOC3dwr7q2pRIwuibt0ZllMizU3J1GGrvOD4Haz7iR5s//1NlkDC3q+q+cleX\n NF99wRRIyytdh3DszvYIIk7kZ9h+cZg5+l1iY7wwKV4Vz9X61UNgIJMYEBpzHtOuqyp0UV3p9\n 0/qywmud07XmjPkOiqeoz2fywVsiyd6d/dbs+rtqOfdLLbWbC7lJsbimR1jcKC7boE7KAOpwG\n RrGW+71Fvolxr7LgqWs+jQerzXHuFeisrs5tJnCJcXzRmZYDEAXXuhCBpOQN1E06nwC8B/4xa\n rq9LGAbDhheUy5yQPzv9AtPnMziyzSZuj+0uRar34OFK63/4YOLHKwS6qzI0VeyrAu80uUClT\n Uu0f9lH0g5sdBlQH77T+8ppd9fA5pL5w6Vuz4C9OIfrdlxIAoxg390+vwnbVD4TGeTbuDCZ3n\n +kHBREPxBpYoXReDBPbaVvydo4a3PUHrAAuO1sFub0SCH+udQ+yAYb6cJWtB9+VgK1Z8T0dp3\n +XDY9lw0Y7eTBqaWvAOpJwqS8BO1oie+r4BLQPGx3N9cGHzETXZ2aJp2yWp/V02RNifWUIYte\n Avx1tu1Y9vfOpP2uKnbcNfSR/aLO5twEp6WvEVJaA05WX6Pkf0N2mYImpSJhX1ySIVDABRZ2G\n Qv55WVTgKaZ82i1AuWbNbsHFLgIIW8RsW8J64VATlbK7RaFMayfw16onj76xM//Hm54TtdvfA\n ORWlXFEPEmogFbt8apTSF7DgHc+GNs1hoGf7AF+2fONExK260OEbxpyyO5oxKh7KO50w0X16L\n smvDbt6RvAR+VjWCVmO6B1cwrWP1yqSmS0JuCKh2o+AwGOxOx2QhpEAE+XW/jKXmm34BmqYNF\n IuUMo9G4Jt9IBrkLwKPcsB/Vsy2Xncnsh8n1Wg8xjUEm9vRzZ5LGUdB/inSMsgVowRxyp/go0\n M0LnQBKURFqeqAxi/BizCU97VRupLQ5PDUTmavrIRPJG3y//q7l876nOyD9qseDs694TYgUE8\n R0onFZ1bmcfV7RIqHtJjFM64skfSM4u8fO1rxpnOawIZNXM67paZn/PSUFRsAVJ1kZoNpKDRb\n V8LhcfIHATOFLr4WKizZFWeP/BrbZ4Pxy3QArfPK8m2loesLozA3Vl3l2XvzOU/WXeb8Sf/7O\n hwCwN4RPkpZVi209lFjUH+M/ZHFU+31DSKzY2nqnVTLn36i/xtCNM6oiwFFppeAJExkyWXIDz\n Og/1rbpPOi2lFfwUlOLuk2iPfXK4UskyTa0b7QJ793qoEIyuKcbUfSHUe/MQ5FwbfBPRjO50h\n Vi7RNYFpx+FLQTxpYHw4Ze6MCptWew+x/IK+H8BJjjgbfgQq6toNk+TtOjiRFDmXCMRVy+PtB\n RZZoalufBDDbwXBCNFz8UIUP7O7/X01Njj6+m4FAny+kj9QcOxVQU+XJ3XDbHRbmdzz3em/mp\n 27aXKpMq/oeB7ZycsXf4m4tboNkevcu0+dM4SDZEoMc+fH/GJshZIrG7sSJmHZTVU4/ZnzC3K\n ALQOdUKiJSBTWX4mCRoeMdSqiwjPjTsWiSNjeRnIBXGjhAkAcUAObBzzBhp6rqQKsFNcvOCpG\n sUpF9LFaH1xnyhmxOFyRUAO0QGhx4iDpBZZapvp4tVNn0XIEr+4mxE4Xbw8QE2EoJu4dLIsAF\n eRyQ1VtYaXegqBCoDsnDoHPrpZs/lLG7s1i6v688PfMtiykGO8pDb6hWH7rHu8x9lMwHG6Cca\n wbNy7cmCg2z43nCsBn5/vxmupjIFg702oNKIQ4ABJaz4ZO+gzzcZhaoCouf67eooiSyJsXIWw\n 05gHk70lDV6FyJEsV9ksifbr8TH5wswujwMQSLFGjbS2LJFPXtDB1GLa0g0bWQ8+Sn/Guo9X5\n jJyZp5ZS1WkZPySv74ydBX+UfthW/8QWQqMz0sgVMaKAh5W/+f8R2kOQ7FPbZWjgI88eu8Yul\n komRilOnDetINXRbOxo6sMMbt9IVnID3+UC99Ak2rqeQy0p9r0gK9whywbNNddp1W/B3X3qUc\n LN09Y24CTcImpVJ1P5nK7TQNaavoBv9x3eFzXoEq9L1AAnV8pYChVs5k+kGiRN+RMznDW5QlJ\n n8Sl1kK8LT7hZzWYSkM7vPzRxeaNxxJD9oEAXwJ5aU1ttM/WHc/xlgPgcIoCxaautzZwKql4g\n J9RSFBPXyEgd0X5gg4237CkeYpbPdAd1zOOb/5W6u9LS5PQbqGkS+BB9Zk3QGq060OISqMo4e\n LbEx2opwLZNS/R+N+Cr+ameEjkLAUalZ75s9C3VC/JYfjvCwaF7iLqc1PSThe3lbmuA/QPInF\n 6sqhfjQVirMIgP6GcdmFAkRS7qH5jY6iiiK3UFFzR8GdDRX/2rh7fS7WMo4Ec1Qpm+DHb+mAe\n 572sRgDBP2ejNv2qit2/bHvY+qkCqjHHeqNVEniTOv2YMF/iA057mK/ehpb524+ZR3UfTjUvW\n mXrXfauDnCs795qH5Fld+r+qvKl2TlYCEqMi9Xh2JPyK4Xmo3Vxmr8My4OR9k+7Ei9Njd+h0L\n PLRl3mcLUzW7f1vPVT9cMJR5PRYTa6nyXtNnpmHT0v9zpTw+bosqSvXt6bXaA/LH4pns1HyyF\n 09MBS9pKh/6nHnaxGhB/bcHFvitk9bjl+FMV32HMgHHwF+J1E2HfHfu0/1mEMCsEADgPG5nxu\n im9plJJhCdv/A1GeWff+LzzCxdXjYf1fXVd04aTSGkWQyUiMmeKQpBFJ66a6ynRuny0a/+E0/\n HzFAzH+Qu9pcPKMbCkQj7yLCSiCBkhsjfzaOH2xhN6F/DJ/Q6VEy+nA8RYXYYcjR/lMHtVCds\n L1/Q/AHbZxVuy3Udz1il2gUbJ5UxdBH33JQPhKfNhP5PLA66k2OGdyNyKTLzO6WXgrRJyMZa3\n qB+R7Ppee8l0gJJdcIGEp1d9WZzvtZn4Wn3f+6kWhvnud+8Ounj7jrQlWASkBtypkpQa3kdE/\n INvEIQBfdQ/+ukEU8e0fgERxv3w0DQNhv4JyRZLQrH+fGNfEe7IaftyJ4Ve/jQW0AN/Ubt5eH\n bJiVrdmdJyqgPYZ/SLKyTJPDq5jmaUTbiex5ap2nN25Ijlc3Q2HmSeMfMwNyUf4jX+uzChYEA\n KRYabXKrmDp1Q2YRFVTt8jw6DQ7iX+/vFx75DkoGKkHwZV0AqpbRvXgV8wsQNePpyNIcZJMB0\n OSI9tQDmA5Kb9qkNCpk6BBVjIXJ0j9CAUaC6WDOIum1IQzCTtkCT450Vx4gi7yW7Nz1a6cPXQ\n g509hBEpThCeS5oAboP8HSS/q1HIroae5pSJAs1fIqUzlu/1ctHAh+Cyx0k2NiVKefz85t7Aa\n HNzMzZ5FN5VsR2v+N2/xZcBXUYEmLKGNZv8G0liw/KkxnKEIbb26Uw7GL/tkOoHv8lVAJXkGg\n B0XcpLdnX0kRLZkbDgwggxCnTLNlImYrz4K6IfqFOfKvtZ/wTB7FSJ4Xh+bfNjfURA99HICGF\n 1GPQMwFNgdgbO83KpiYrSKETjzxKkzbvpK/4MfsltQHOtGgI3BUXVqa2Z45Vt6bRm1ngxn7AE\n U5Hs/k8abBqghND7zJSaZggVJvlbKPKBVuGzwcvf1/NFK8vmdBH0Aa37VrGVcc7BAyqhv1Jjs\n bACSnTNh//Vt2dRh4s7mmgCS+pzPWfVubrDbLipeRTOs+/HXXI3XkXswSQVWrCJ07A869GYOL\n hNVzX1Rg00Nk+o6ABPPsA2RiWkh5KYV/PoWepDOl1U2FZ096qDVP4hFnEaNLtcHPK0ZFZJ1sf\n By38DA==","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmx.de;\n s=s31663417; t=1776722930; x=1777327730; i=fiona.klute@gmx.de;\n bh=/f1DSmyV7y3CCB/ih05dUSIqofm7ItwMxG7BbBG0s2U=;\n h=X-UI-Sender-Class:From:To:Cc:Subject:Date:Message-ID:In-Reply-To:\n References:MIME-Version:Content-Transfer-Encoding:cc:\n content-transfer-encoding:content-type:date:from:message-id:\n mime-version:reply-to:subject:to;\n b=MY8BLM+FWEx57FAs9eMkkrU6VHTUqQ+vAR1pZ17nSUDk5gNcY1ebOaxSi2E42pJ7\n H3o6DR4IGBsn9qiGxDTfSINxQICKrGMfFp8CudCiFTL/jcmvE/OvT66WmMcl1wSyK\n ux7f15AJ6y0fRo4UZ2cPgjpOS51QIBlZaBmgUOPxtAtRjLZR5BLnKig4MpwPG5Kvy\n pPK6bLWphfZLLwnzJJrxfEcO561t1NJP4UF7YyPtVlsptqfcjWxWoCHCAyGDeNNV0\n I93X+finQdDyKmob4ErhIKmy+WYQM0EYewQNR9731sI6M82Uj1OgzWEL7KHVZruYE\n 27hoBFCiZ1+n/LQ8zg==","X-Mailman-Original-Authentication-Results":["smtp4.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=gmx.de","smtp4.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=gmx.de header.i=fiona.klute@gmx.de header.a=rsa-sha256\n header.s=s31663417 header.b=MY8BLM+F"],"Subject":"[Buildroot] [PATCH 1/2] package/musl: add upstream security patch\n for CVE-2026-6042","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot <buildroot.buildroot.org>","List-Unsubscribe":"<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>","List-Archive":"<http://lists.buildroot.org/pipermail/buildroot/>","List-Post":"<mailto:buildroot@buildroot.org>","List-Help":"<mailto:buildroot-request@buildroot.org?subject=help>","List-Subscribe":"<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>","From":"Fiona Klute via buildroot <buildroot@buildroot.org>","Reply-To":"Fiona Klute <fiona.klute@gmx.de>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" <buildroot-bounces@buildroot.org>"},"content":"Fixes CVE-2026-6042: musl libc: Algorithmic complexity DoS in iconv\nGB18030 decoder\nhttps://www.openwall.com/lists/oss-security/2026/04/09/19\n\nFixes: https://nvd.nist.gov/vuln/detail/CVE-2026-6042\n\nSigned-off-by: Fiona Klute <fiona.klute@gmx.de>\n---\n ...-slowness-incorrect-mappings-in-icon.patch | 324 ++++++++++++++++++\n package/musl/musl.mk                          |   3 +\n 2 files changed, 327 insertions(+)\n create mode 100644 package/musl/0003-fix-pathological-slowness-incorrect-mappings-in-icon.patch","diff":"diff --git a/package/musl/0003-fix-pathological-slowness-incorrect-mappings-in-icon.patch b/package/musl/0003-fix-pathological-slowness-incorrect-mappings-in-icon.patch\nnew file mode 100644\nindex 0000000000..5cbc8144d9\n--- /dev/null\n+++ b/package/musl/0003-fix-pathological-slowness-incorrect-mappings-in-icon.patch\n@@ -0,0 +1,324 @@\n+From 67219f0130ec7c876ac0b299046460fad31caabf Mon Sep 17 00:00:00 2001\n+From: Rich Felker <dalias@aerifal.cx>\n+Date: Mon, 30 Mar 2026 16:00:50 -0400\n+Subject: [PATCH] fix pathological slowness & incorrect mappings in iconv\n+ gb18030 decoder\n+\n+in order to implement the \"UTF\" aspect of gb18030 (ability to\n+represent arbitrary unicode characters not present in the 2-byte\n+mapping), we have to apply the index obtained from the encoded 4-byte\n+sequence into the set of unmapped characters. this was done by\n+scanning repeatedly over the table of mapped characters and counting\n+off mapped characters below a running index by which to adjust the\n+running index by on each iteration. this iterative process eventually\n+leaves us with the value of the Nth unmapped character replacing the\n+index, but depending on which particular character that is, the number\n+of iterations needed to find it can be in the tens of thousands, and\n+each iteration traverses the whole 126x190 table in the inner loop.\n+this can lead to run times exceeding an entire second per character on\n+moderate-speed machines.\n+\n+on top of that, the transformation logic produced wrong results for\n+BMP characters above the the surrogate range, as a result of not\n+correctly accounting for it being excluded, and for characters outside\n+the BMP, as a result of a misunderstanding of how gb18030 encodes\n+them.\n+\n+this patch replaces the unmapped character lookup with a single linear\n+search of a list of unmapped ranges. there are only 206 such ranges,\n+and these are permanently assigned and unchangeable as a consequence\n+of the character encoding having to be stable, so a simple array of\n+16-bit start/length values for each range consumes only 824 bytes, a\n+very reasonable size cost here.\n+\n+this new table accounts for the previously-incorrect surrogate\n+handling, and non-BMP characters are handled correctly by a single\n+offset, without the need for any unmapped-range search.\n+\n+there are still a small number of mappings that are incorrect due to\n+late changes made in the definition of gb18030, swapping PUA\n+codepoints with proper Unicode characters. correcting these requires a\n+postprocessing step that will be added later.\n+\n+CVE: CVE-2026-6042\n+Upstream: https://git.musl-libc.org/cgit/musl/commit/?id=67219f0130ec7c876ac0b299046460fad31caabf\n+Signed-off-by: Fiona Klute <fiona.klute@gmx.de>\n+---\n+ src/locale/gb18030utf.h | 206 ++++++++++++++++++++++++++++++++++++++++\n+ src/locale/iconv.c      |  33 +++++--\n+ 2 files changed, 230 insertions(+), 9 deletions(-)\n+ create mode 100644 src/locale/gb18030utf.h\n+\n+diff --git a/src/locale/gb18030utf.h b/src/locale/gb18030utf.h\n+new file mode 100644\n+index 00000000..322a2440\n+--- /dev/null\n++++ b/src/locale/gb18030utf.h\n+@@ -0,0 +1,206 @@\n++{ 0x80, 36 },\n++{ 0xa5, 2 },\n++{ 0xa9, 7 },\n++{ 0xb2, 5 },\n++{ 0xb8, 31 },\n++{ 0xd8, 8 },\n++{ 0xe2, 6 },\n++{ 0xeb, 1 },\n++{ 0xee, 4 },\n++{ 0xf4, 3 },\n++{ 0xf8, 1 },\n++{ 0xfb, 1 },\n++{ 0xfd, 4 },\n++{ 0x102, 17 },\n++{ 0x114, 7 },\n++{ 0x11c, 15 },\n++{ 0x12c, 24 },\n++{ 0x145, 3 },\n++{ 0x149, 4 },\n++{ 0x14e, 29 },\n++{ 0x16c, 98 },\n++{ 0x1cf, 1 },\n++{ 0x1d1, 1 },\n++{ 0x1d3, 1 },\n++{ 0x1d5, 1 },\n++{ 0x1d7, 1 },\n++{ 0x1d9, 1 },\n++{ 0x1db, 1 },\n++{ 0x1dd, 28 },\n++{ 0x1fa, 87 },\n++{ 0x252, 15 },\n++{ 0x262, 101 },\n++{ 0x2c8, 1 },\n++{ 0x2cc, 13 },\n++{ 0x2da, 183 },\n++{ 0x3a2, 1 },\n++{ 0x3aa, 7 },\n++{ 0x3c2, 1 },\n++{ 0x3ca, 55 },\n++{ 0x402, 14 },\n++{ 0x450, 1 },\n++{ 0x452, 7102 },\n++{ 0x2011, 2 },\n++{ 0x2017, 1 },\n++{ 0x201a, 2 },\n++{ 0x201e, 7 },\n++{ 0x2027, 9 },\n++{ 0x2031, 1 },\n++{ 0x2034, 1 },\n++{ 0x2036, 5 },\n++{ 0x203c, 112 },\n++{ 0x20ad, 86 },\n++{ 0x2104, 1 },\n++{ 0x2106, 3 },\n++{ 0x210a, 12 },\n++{ 0x2117, 10 },\n++{ 0x2122, 62 },\n++{ 0x216c, 4 },\n++{ 0x217a, 22 },\n++{ 0x2194, 2 },\n++{ 0x219a, 110 },\n++{ 0x2209, 6 },\n++{ 0x2210, 1 },\n++{ 0x2212, 3 },\n++{ 0x2216, 4 },\n++{ 0x221b, 2 },\n++{ 0x2221, 2 },\n++{ 0x2224, 1 },\n++{ 0x2226, 1 },\n++{ 0x222c, 2 },\n++{ 0x222f, 5 },\n++{ 0x2238, 5 },\n++{ 0x223e, 10 },\n++{ 0x2249, 3 },\n++{ 0x224d, 5 },\n++{ 0x2253, 13 },\n++{ 0x2262, 2 },\n++{ 0x2268, 6 },\n++{ 0x2270, 37 },\n++{ 0x2296, 3 },\n++{ 0x229a, 11 },\n++{ 0x22a6, 25 },\n++{ 0x22c0, 82 },\n++{ 0x2313, 333 },\n++{ 0x246a, 10 },\n++{ 0x249c, 100 },\n++{ 0x254c, 4 },\n++{ 0x2574, 13 },\n++{ 0x2590, 3 },\n++{ 0x2596, 10 },\n++{ 0x25a2, 16 },\n++{ 0x25b4, 8 },\n++{ 0x25be, 8 },\n++{ 0x25c8, 3 },\n++{ 0x25cc, 2 },\n++{ 0x25d0, 18 },\n++{ 0x25e6, 31 },\n++{ 0x2607, 2 },\n++{ 0x260a, 54 },\n++{ 0x2641, 1 },\n++{ 0x2643, 2110 },\n++{ 0x2e82, 2 },\n++{ 0x2e85, 3 },\n++{ 0x2e89, 2 },\n++{ 0x2e8d, 10 },\n++{ 0x2e98, 15 },\n++{ 0x2ea8, 2 },\n++{ 0x2eab, 3 },\n++{ 0x2eaf, 4 },\n++{ 0x2eb4, 2 },\n++{ 0x2eb8, 3 },\n++{ 0x2ebc, 14 },\n++{ 0x2ecb, 293 },\n++{ 0x2ffc, 4 },\n++{ 0x3004, 1 },\n++{ 0x3018, 5 },\n++{ 0x301f, 2 },\n++{ 0x302a, 20 },\n++{ 0x303f, 2 },\n++{ 0x3094, 7 },\n++{ 0x309f, 2 },\n++{ 0x30f7, 5 },\n++{ 0x30ff, 6 },\n++{ 0x312a, 246 },\n++{ 0x322a, 7 },\n++{ 0x3232, 113 },\n++{ 0x32a4, 234 },\n++{ 0x3390, 12 },\n++{ 0x339f, 2 },\n++{ 0x33a2, 34 },\n++{ 0x33c5, 9 },\n++{ 0x33cf, 2 },\n++{ 0x33d3, 2 },\n++{ 0x33d6, 113 },\n++{ 0x3448, 43 },\n++{ 0x3474, 298 },\n++{ 0x359f, 111 },\n++{ 0x360f, 11 },\n++{ 0x361b, 765 },\n++{ 0x3919, 85 },\n++{ 0x396f, 96 },\n++{ 0x39d1, 14 },\n++{ 0x39e0, 147 },\n++{ 0x3a74, 218 },\n++{ 0x3b4f, 287 },\n++{ 0x3c6f, 113 },\n++{ 0x3ce1, 885 },\n++{ 0x4057, 264 },\n++{ 0x4160, 471 },\n++{ 0x4338, 116 },\n++{ 0x43ad, 4 },\n++{ 0x43b2, 43 },\n++{ 0x43de, 248 },\n++{ 0x44d7, 373 },\n++{ 0x464d, 20 },\n++{ 0x4662, 193 },\n++{ 0x4724, 5 },\n++{ 0x472a, 82 },\n++{ 0x477d, 16 },\n++{ 0x478e, 441 },\n++{ 0x4948, 50 },\n++{ 0x497b, 2 },\n++{ 0x497e, 4 },\n++{ 0x4984, 1 },\n++{ 0x4987, 20 },\n++{ 0x499c, 3 },\n++{ 0x49a0, 22 },\n++{ 0x49b8, 703 },\n++{ 0x4c78, 39 },\n++{ 0x4ca4, 111 },\n++{ 0x4d1a, 148 },\n++{ 0x4daf, 81 },\n++{ 0x9fa6, 14426 },\n++{ 0xe76c, 1 },\n++{ 0xe7c8, 1 },\n++{ 0xe7e7, 13 },\n++{ 0xe815, 1 },\n++{ 0xe819, 5 },\n++{ 0xe81f, 7 },\n++{ 0xe827, 4 },\n++{ 0xe82d, 4 },\n++{ 0xe833, 8 },\n++{ 0xe83c, 7 },\n++{ 0xe844, 16 },\n++{ 0xe856, 14 },\n++{ 0xe865, 4295 },\n++{ 0xf92d, 76 },\n++{ 0xf97a, 27 },\n++{ 0xf996, 81 },\n++{ 0xf9e8, 9 },\n++{ 0xf9f2, 26 },\n++{ 0xfa10, 1 },\n++{ 0xfa12, 1 },\n++{ 0xfa15, 3 },\n++{ 0xfa19, 6 },\n++{ 0xfa22, 1 },\n++{ 0xfa25, 2 },\n++{ 0xfa2a, 1030 },\n++{ 0xfe32, 1 },\n++{ 0xfe45, 4 },\n++{ 0xfe53, 1 },\n++{ 0xfe58, 1 },\n++{ 0xfe67, 1 },\n++{ 0xfe6c, 149 },\n++{ 0xff5f, 129 },\n++{ 0xffe6, 26 },\n+diff --git a/src/locale/iconv.c b/src/locale/iconv.c\n+index 52178950..4151411d 100644\n+--- a/src/locale/iconv.c\n++++ b/src/locale/iconv.c\n+@@ -74,6 +74,10 @@ static const unsigned short gb18030[126][190] = {\n+ #include \"gb18030.h\"\n+ };\n+ \n++static const unsigned short gb18030utf[][2] = {\n++#include \"gb18030utf.h\"\n++};\n++\n+ static const unsigned short big5[89][157] = {\n+ #include \"big5.h\"\n+ };\n+@@ -224,6 +228,8 @@ static unsigned uni_to_jis(unsigned c)\n+ \t}\n+ }\n+ \n++#define countof(a) (sizeof (a) / sizeof *(a))\n++\n+ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restrict out, size_t *restrict outb)\n+ {\n+ \tsize_t x=0;\n+@@ -430,15 +436,24 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri\n+ \t\t\t\td = *((unsigned char *)*in + 3);\n+ \t\t\t\tif (d-'0'>9) goto ilseq;\n+ \t\t\t\tc += d-'0';\n+-\t\t\t\tc += 128;\n+-\t\t\t\tfor (d=0; d<=c; ) {\n+-\t\t\t\t\tk = 0;\n+-\t\t\t\t\tfor (int i=0; i<126; i++)\n+-\t\t\t\t\t\tfor (int j=0; j<190; j++)\n+-\t\t\t\t\t\t\tif (gb18030[i][j]-d <= c-d)\n+-\t\t\t\t\t\t\t\tk++;\n+-\t\t\t\t\td = c+1;\n+-\t\t\t\t\tc += k;\n++\t\t\t\t/* Starting at 90 30 81 30 (189000), mapping is\n++\t\t\t\t * linear without gaps, to U+10000 and up. */\n++\t\t\t\tif (c >= 189000) {\n++\t\t\t\t\tc -= 189000;\n++\t\t\t\t\tc += 0x10000;\n++\t\t\t\t\tif (c >= 0x110000) goto ilseq;\n++\t\t\t\t\tbreak;\n++\t\t\t\t}\n++\t\t\t\t/* Otherwise we must process an index into set\n++\t\t\t\t * of characters unmapped by 2-byte table. */\n++\t\t\t\tfor (int i=0; ; i++) {\n++\t\t\t\t\tif (i==countof(gb18030utf))\n++\t\t\t\t\t\tgoto ilseq;\n++\t\t\t\t\tif (c<gb18030utf[i][1]) {\n++\t\t\t\t\t\tc += gb18030utf[i][0];\n++\t\t\t\t\t\tbreak;\n++\t\t\t\t\t}\n++\t\t\t\t\tc -= gb18030utf[i][1];\n+ \t\t\t\t}\n+ \t\t\t\tbreak;\n+ \t\t\t}\n+-- \n+2.53.0\n+\ndiff --git a/package/musl/musl.mk b/package/musl/musl.mk\nindex bea9029455..29a9c90ce1 100644\n--- a/package/musl/musl.mk\n+++ b/package/musl/musl.mk\n@@ -26,6 +26,9 @@ MUSL_ADD_TOOLCHAIN_DEPENDENCY = NO\n \n MUSL_INSTALL_STAGING = YES\n \n+# 0003-fix-pathological-slowness-incorrect-mappings-in-icon.patch\n+MUSL_IGNORE_CVES += CVE-2026-6042\n+\n # musl does not build with LTO, so explicitly disable it\n # when using a compiler that may have support for LTO\n ifeq ($(BR2_TOOLCHAIN_GCC_AT_LEAST_4_7),y)\n","prefixes":["1/2"]}