musl libc
cpe:2.3:a:musl-libc:musl:*:*:*:*:*:*:*, +1 more
- >= 0.9.13, <= 1.2.5
A vulnerability in musl libc versions 0.9.13 through 1.2.5 (all releases prior to 1.2.6) allows out-of-bounds memory writes. It arises when an application uses the iconv function to convert untrusted EUC-KR text to UTF-8, particularly when the input charset is controlled by the user. The cause is incorrect validation of input bytes in the EUC-KR decoder, combined with the UTF-8 encoder's assumption that all input characters are valid Unicode Scalar Values.
Exploitation of this vulnerability can lead to memory corruption by allowing writes beyond the allocated buffer, potentially overwriting critical data or control structures.
To reproduce this vulnerability, an application must call iconv_open with EUC-KR as the input encoding and UTF-8 as the output encoding. After obtaining the conversion descriptor, the application processes untrusted input, such as text whose charset is declared in XML, HTML, or MIME-encoded emails. The vulnerability can be verified with a test program that checks for improper adjustments to the output buffer pointer after the conversion.
Users should apply the available patches to fix the vulnerability and can obtain updated musl libc packages through their distribution's update channels. For static-linked binaries that cannot be relinked, the vulnerability can be mitigated by hex-editing the binary to disable EUC-KR support, making the vulnerable code unreachable.
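Until an updated libc is installed, an application can keep a user-declared charset away from the EUC-KR decoder and check the output cursor after each conversion. The sketch below is an added example, not code from musl or from the advisory; the allow-list contents and all function names are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <iconv.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical policy: source charsets this application agrees to decode.
 * EUC-KR is deliberately absent until libc is updated. */
static const char *const allowed_src[] = { "utf8", "usascii", "iso88591", NULL };

/* Lowercase and drop punctuation so "ISO_8859-1" and "iso-8859-1" compare equal. */
static void normalize(const char *in, char *out, size_t n)
{
    size_t j = 0;
    for (; *in && j + 1 < n; in++)
        if (isalnum((unsigned char)*in))
            out[j++] = (char)tolower((unsigned char)*in);
    out[j] = '\0';
}

/* Returns 1 only for an allow-listed name; every other spelling is refused. */
int charset_allowed(const char *declared)
{
    char norm[32];
    if (!declared || strlen(declared) >= sizeof norm) return 0;
    normalize(declared, norm, sizeof norm);
    for (size_t i = 0; allowed_src[i]; i++)
        if (strcmp(norm, allowed_src[i]) == 0) return 1;
    return 0;
}

/* iconv_open() to UTF-8 that never sees a charset outside the allow-list. */
iconv_t open_to_utf8(const char *declared)
{
    if (!charset_allowed(declared)) { errno = EINVAL; return (iconv_t)-1; }
    return iconv_open("UTF-8", declared);
}

/* After iconv(): the output cursor must still lie inside the buffer, and
 * bytes written plus bytes left must equal the buffer size. Returns 1 if so. */
int out_cursor_sane(const char *buf, size_t size, const char *out, size_t left)
{
    uintptr_t b = (uintptr_t)buf, o = (uintptr_t)out;
    if (o < b || left > size) return 0;
    return (size_t)(o - b) + left == size;
}
```

A failed out_cursor_sane check means memory may already have been written out of bounds, so the caller should terminate rather than continue with the converted data.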