Conversation

Notices

1. Embed this notice
   musl libc (musl@fosstodon.org)'s status on Friday, 14-Feb-2025 02:19:30 JST musl libc

   Security Advisory (CVE-2025-26519) for musl libc:

   https://www.openwall.com/lists/musl/2025/02/13/1

   All users running applications which use iconv with untrusted input (see link for details of what usage is affected) should patch ASAP.

   • Rich Felker repeated this.
   • Embed this notice
     musl libc (musl@fosstodon.org)'s status on Friday, 14-Feb-2025 06:21:27 JST musl libc

     in reply to

     musl-cross-make has now also been updated to apply the CVE-2025-26519 patches to all supported musl versions when building: https://github.com/richfelker/musl-cross-make/commit/7b4c7b315226835bab03da73a45945acb1b3bedf

     Rich Felker repeated this.
   • Embed this notice
     fossdd @ FOSDEM (fossdd@chaos.social)'s status on Friday, 14-Feb-2025 06:31:52 JST fossdd @ FOSDEM

     in reply to

     @musl patched in Alpine :)

     Haelwenn /элвэн/ :triskell: likes this.
   • Embed this notice
     musl libc (musl@fosstodon.org)'s status on Friday, 14-Feb-2025 07:13:02 JST musl libc

     in reply to

     Some clarification on impact: The most likely impacted programs are things which process data received in arbitrary text encodings.

     For example, mutt (mail user agent) is definitely affected. Other mail clients, web browsers, etc. that use iconv rather than their own converters are probably affected too.

     Rich Felker repeated this.
   • Embed this notice
     musl libc (musl@fosstodon.org)'s status on Friday, 14-Feb-2025 07:13:03 JST musl libc

     in reply to

     FWIW, libxml2 looks like it would be affected except that it refuses to convert *from* an encoding unless iconv also supports conversion *to* that encoding, and musl does not have encoders for most legacy DBCSs, only decoders.

     Haelwenn /элвэн/ :triskell: likes this.