4 files changed, 42 insertions, 37 deletions

diff --git a/src/ci/channel b/src/ci/channel
index 65b2df87f7d..2bf5ad0447d 100644
--- a/src/ci/channel
+++ b/src/ci/channel
@@ -1 +1 @@
-beta
+stable
diff --git a/src/ci/docker/scripts/musl.sh b/src/ci/docker/scripts/musl.sh
index ece8e6c15c0..9878bec6fbe 100644
--- a/src/ci/docker/scripts/musl.sh
+++ b/src/ci/docker/scripts/musl.sh
@@ -30,6 +30,47 @@ MUSL=musl-1.2.3
 # may have been downloaded in a previous run
 if [ ! -d $MUSL ]; then
   curl https://www.musl-libc.org/releases/$MUSL.tar.gz | tar xzf -
+
+  # Apply patches for CVE-2025-26519. At the time of adding these patches no release containing them
+  # has been published by the musl project, so we just apply them directly on top of the version we
+  # were distributing already. The patches should be removed once we upgrade to musl >= 1.2.6.
+  #
+  # Advisory: https://www.openwall.com/lists/musl/2025/02/13/1
+  #
+  # Patches applied:
+  # - https://www.openwall.com/lists/musl/2025/02/13/1/1
+  # - https://www.openwall.com/lists/musl/2025/02/13/1/2
+  #
+  # ignore-tidy-tab
+  # ignore-tidy-linelength
+  patch -p1 -d $MUSL <<EOF
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -502,7 +502,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ 			if (c >= 93 || d >= 94) {
+ 				c += (0xa1-0x81);
+ 				d += 0xa1;
+-				if (c >= 93 || c>=0xc6-0x81 && d>0x52)
++				if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
+ 					goto ilseq;
+ 				if (d-'A'<26) d = d-'A';
+ 				else if (d-'a'<26) d = d-'a'+26;
+EOF
+  patch -p1 -d $MUSL <<EOF
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -545,6 +545,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ 				if (*outb < k) goto toobig;
+ 				memcpy(*out, tmp, k);
+ 			} else k = wctomb_utf8(*out, c);
++			/* This failure condition should be unreachable, but
++			 * is included to prevent decoder bugs from translating
++			 * into advancement outside the output buffer range. */
++			if (k>4) goto ilseq;
+ 			*out += k;
+ 			*outb -= k;
+ 			break;
+EOF
 fi
 
 cd $MUSL
diff --git a/src/ci/scripts/setup-upstream-remote.sh b/src/ci/scripts/setup-upstream-remote.sh
deleted file mode 100755
index 52b4c98a890..00000000000
--- a/src/ci/scripts/setup-upstream-remote.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/bash
-# In CI environments, bootstrap is forced to use the remote upstream based
-# on "git_repository" and "nightly_branch" values from src/stage0 file.
-# This script configures the remote as it may not exist by default.
-
-set -euo pipefail
-IFS=$'\n\t'
-
-ci_dir=$(cd $(dirname $0) && pwd)/..
-source "$ci_dir/shared.sh"
-
-git_repository=$(parse_stage0_file_by_key "git_repository")
-nightly_branch=$(parse_stage0_file_by_key "nightly_branch")
-
-# Configure "rust-lang/rust" upstream remote only when it's not origin.
-if [ -z "$(git config remote.origin.url | grep $git_repository)" ]; then
-    echo "Configuring https://github.com/$git_repository remote as upstream."
-    git remote add upstream "https://github.com/$git_repository"
-    REMOTE_NAME="upstream"
-else
-    REMOTE_NAME="origin"
-fi
-
-git fetch $REMOTE_NAME $nightly_branch
diff --git a/src/ci/shared.sh b/src/ci/shared.sh
index 9fce68947f4..76464add75d 100644
--- a/src/ci/shared.sh
+++ b/src/ci/shared.sh
@@ -137,15 +137,3 @@ function releaseChannel {
         echo $RUST_CI_OVERRIDE_RELEASE_CHANNEL
     fi
 }
-
-# Parse values from src/stage0 file by key
-function parse_stage0_file_by_key {
-    local key="$1"
-    local file="$ci_dir/../stage0"
-    local value=$(awk -F= '{a[$1]=$2} END {print(a["'$key'"])}' $file)
-    if [ -z "$value" ]; then
-        echo "ERROR: Key '$key' not found in '$file'."
-        exit 1
-    fi
-    echo "$value"
-}