Fix musl's CVE-2025-26519

[pietroalbini]

The musl project announced CVE-2025-26519, which could result in out-of-bounds writes when calling the iconv function. There is no musl release available with the fixes at this point in time (and we're using an older version of musl anyway), so this PR applies the provided patches on top of the musl source tarball we download.

[rustbot]

r? @Mark-Simulacrum

rustbot has assigned @Mark-Simulacrum.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

[pietroalbini]

@bors p=100

Security fix, I want to land this on master as soon as possible, so that we can consider applying it to the upcoming 1.85.0 release.

[jieyouxu]

I double-checked:

• The linked advisory itself
• The two patches; I manually double-checked that they match with the PR changes

Thanks. You can r=me unless this specifically needs T-infra review or you want to run some try-job.

[pietroalbini]

@bors r=jieyouxu p=100

[bors]

📌 Commit ba4bcc1 has been approved by jieyouxu

It is now in the queue for this repository.

[pietroalbini]

@bors r-

Groan tidy is being annoying.

[jieyouxu]

I would slap a # ignore-tidy-tab + # ignore-tidy-linelength or whatever that's called¹, to avoid changing the patch itself.

Footnotes

1. https://github.com/rust-lang/rust/blob/4229b80f506d5c1e6267f27e69f10fa3bd3c8f9e/src/tools/tidy/src/style.rs#L76-L81 ↩

[pietroalbini]

Added tidy ignores.

@bors r=jieyouxu p=100

[bors]

📌 Commit 6ee3949 has been approved by jieyouxu

It is now in the queue for this repository.

[bors]

⌛ Testing commit 6ee3949 with merge befcc38...

[bors]

💔 Test failed - checks-actions

[jieyouxu]

Hm...

2025-02-16T14:08:29.7855620Z 15.62 Reversed (or previously applied) patch detected!  Assume -R? [n] 
2025-02-16T14:08:29.7856276Z 15.62 Apply anyway? [n] 
2025-02-16T14:08:29.7856710Z 15.62 Skipping patch.
2025-02-16T14:08:29.7857296Z 15.62 1 out of 1 hunk ignored -- saving rejects to file src/locale/iconv.c.rej

[pietroalbini]

Ok tested locally again (and this time tested running the script multiple times too).

[jieyouxu]

Let's try this again 🙏
@bors r+

[bors]

📌 Commit a6ee2f4 has been approved by jieyouxu

It is now in the queue for this repository.

[bors]

⌛ Testing commit a6ee2f4 with merge 5bc6231...

[bors]

☀️ Test successful - checks-actions
Approved by: jieyouxu
Pushing 5bc6231 to master...

[rust-timer]

Finished benchmarking commit (5bc6231): comparison URL.

Overall result: no relevant changes - no action needed

@rustbot label: -perf-regression

Instruction count

This benchmark run did not return any relevant results for this metric.

Max RSS (memory usage)

Results (primary 2.5%)

This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.

	mean	range	count
Regressions ❌ (primary)	2.5%	[2.5%, 2.5%]	1
Regressions ❌ (secondary)	-	-	0
Improvements ✅ (primary)	-	-	0
Improvements ✅ (secondary)	-	-	0
All ❌✅ (primary)	2.5%	[2.5%, 2.5%]	1

Cycles

This benchmark run did not return any relevant results for this metric.

Binary size

This benchmark run did not return any relevant results for this metric.

Bootstrap: 790.819s -> 790.255s (-0.07%)
Artifact size: 350.06 MiB -> 350.01 MiB (-0.01%)

[cuviper]

(Wearing my security response hat...)

@rustup label stable-accepted beta-accepted

[cuviper]

Oops...

@rustbot label stable-accepted beta-accepted