bootstrap.sh

@@ -21,10 +21,10 @@ export TT_SYSROOT=$BOOTSTRAP/root
 export TT_TARGET=$TARGET
 
 # Fetch sources required for a bootstrap
-./treetap fetch sources/busybox.spec
-./treetap fetch sources/linux.spec
-./treetap fetch sources/llvm.spec
-./treetap fetch sources/musl.spec
+./treetap fetch sources/busybox/busybox.spec
+./treetap fetch sources/linux/linux.spec
+./treetap fetch sources/llvm/llvm.spec
+./treetap fetch sources/musl/musl.spec
 
 # Simplified filesystem heirarchy with symlinks for compatibility
 mkdir -p $BOOTSTRAP/root/{bin,boot/EFI/BOOT,dev,etc,home,lib,proc,run,sys,tmp,usr/{include,share},var/{cache,lib,log,spool,tmp}}

sources/busybox.spec

@@ -1,4 +0,0 @@
-SRC_HASH="b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314"
-SRC_NAME="busybox"
-SRC_URL="https://busybox.net/downloads/busybox-1.36.1.tar.bz2"
-SRC_VERSION="1.36.1"

sources/busybox/busybox.spec

@@ -0,0 +1,28 @@
+# Maintainer: Alexander Hill <ahill@breadpudding.dev>
+SRC_HASH="b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314"
+SRC_NAME="busybox"
+SRC_URL="https://busybox.net/downloads/busybox-1.36.1.tar.bz2"
+SRC_VERSION="1.36.1"
+
+build() {
+    tar xf ../$SRC_FILENAME
+    cd busybox-*/
+    # NOTE: For some reason, Busybox hard-codes GNU tools in the Makefile. This
+    #       simple hack allows the environment to override the Makefile. ~ahill
+    sed -i "s/?*= \$(CROSS_COMPILE)/?= /" Makefile
+    make -O -j $TT_PROCS defconfig
+    # FIXME: tc complains about undefined values, causing the compilation to
+    #        fail. What causes this? ~ahill
+    sed -i "s/CONFIG_TC=.*/CONFIG_TC=n/" .config
+    make -O -j $TT_PROCS
+}
+
+clean() {
+    rm -rf busybox-*/
+}
+
+package() {
+    # NOTE: Busybox doesn't have a proper DESTDIR, so we just set CONFIG_PREFIX
+    #       during the install to work around this limitation. ~ahill
+    make -O -j $TT_PROCS install CONFIG_PREFIX=$TT_INSTALLDIR
+}

sources/linux/linux.spec

@@ -1,3 +1,4 @@
+# Maintainer: Alexander Hill <ahill@breadpudding.dev>
 SRC_HASH="5a8de64a75fca706c01c6c0a77cf75a74618439db195e25f1f0268af6b2fb1da"
 SRC_NAME="linux"
 SRC_URL="https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.17.8.tar.xz"

sources/llvm/llvm.spec

@@ -1,3 +1,4 @@
+# Maintainer: Alexander Hill <ahill@breadpudding.dev>
 SRC_HASH="1794be4bf974e99a3fe1da4b2b9b1456c02ae9479c942f365441d8d207bd650c"
 SRC_NAME="llvm"
 SRC_URL="https://github.com/llvm/llvm-project/releases/download/llvmorg-21.1.5/llvm-project-21.1.5.src.tar.xz"

sources/musl/CVE-2025-26519.patch

@@ -0,0 +1,74 @@
+>From e5adcd97b5196e29991b524237381a0202a60659 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Sun, 9 Feb 2025 10:07:19 -0500
+Subject: [PATCH] iconv: fix erroneous input validation in EUC-KR decoder
+
+as a result of incorrect bounds checking on the lead byte being
+decoded, certain invalid inputs which should produce an encoding
+error, such as "\xc8\x41", instead produced out-of-bounds loads from
+the ksc table.
+
+in a worst case, the loaded value may not be a valid unicode scalar
+value, in which case, if the output encoding was UTF-8, wctomb would
+return (size_t)-1, causing an overflow in the output pointer and
+remaining buffer size which could clobber memory outside of the output
+buffer.
+
+bug report was submitted in private by Nick Wellnhofer on account of
+potential security implications.
+---
+ src/locale/iconv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 9605c8e9..008c93f0 100644
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -502,7 +502,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ 			if (c >= 93 || d >= 94) {
+ 				c += (0xa1-0x81);
+ 				d += 0xa1;
+-				if (c >= 93 || c>=0xc6-0x81 && d>0x52)
++				if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
+ 					goto ilseq;
+ 				if (d-'A'<26) d = d-'A';
+ 				else if (d-'a'<26) d = d-'a'+26;
+-- 
+2.21.0
+
+>From c47ad25ea3b484e10326f933e927c0bc8cded3da Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Wed, 12 Feb 2025 17:06:30 -0500
+Subject: [PATCH] iconv: harden UTF-8 output code path against input decoder
+ bugs
+
+the UTF-8 output code was written assuming an invariant that iconv's
+decoders only emit valid Unicode Scalar Values which wctomb can encode
+successfully, thereby always returning a value between 1 and 4.
+
+if this invariant is not satisfied, wctomb returns (size_t)-1, and the
+subsequent adjustments to the output buffer pointer and remaining
+output byte count overflow, moving the output position backwards,
+potentially past the beginning of the buffer, without storing any
+bytes.
+---
+ src/locale/iconv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 008c93f0..52178950 100644
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -545,6 +545,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ 				if (*outb < k) goto toobig;
+ 				memcpy(*out, tmp, k);
+ 			} else k = wctomb_utf8(*out, c);
++			/* This failure condition should be unreachable, but
++			 * is included to prevent decoder bugs from translating
++			 * into advancement outside the output buffer range. */
++			if (k>4) goto ilseq;
+ 			*out += k;
+ 			*outb -= k;
+ 			break;
+-- 
+2.21.0

sources/musl/musl.spec

@@ -1,13 +1,20 @@
+# Maintainer: Alexander Hill <ahill@breadpudding.dev>
 SRC_HASH="a9a118bbe84d8764da0ea0d28b3ab3fae8477fc7e4085d90102b8596fc7c75e4"
 SRC_NAME="musl"
+SRC_PATCHES="
+c0ffd0493dcde91850e39428a31577892aad20e83bc4bf4a5c37350649ce7932  CVE-2025-26519.patch
+"
 SRC_URL="https://musl.libc.org/releases/musl-1.2.5.tar.gz"
-SRC_VERSION="1.2.5"
-
-# TODO: CVE-2025-26519
+SRC_VERSION="1.2.5r1"
 
 build() {
-    tar xf ../musl-*.tar*
+    tar xf ../$SRC_FILENAME
     cd musl-*/
+    # NOTE: CVE-2025-26519 patches are temporary and shouldn't be needed once
+    #       1.2.6 or 1.3.0 is released. ~ahill
+    # https://www.openwall.com/lists/musl/2025/02/13/1/1
+    # https://www.openwall.com/lists/musl/2025/02/13/1/2
+    patch -p1 < ../CVE-2025-26519.patch
     ./configure \
         --bindir=$TT_BINDIR \
         --build=$TT_BUILD \

treetap

@@ -18,16 +18,19 @@
 # Changelog #
 #############
 
+# November 14, 2025 (1.1.0)
+# + Added the ability to incorporate patches into the build [ahill]
+
 # November 13, 2025 (1.0.2)
-# + Added the target triple to the package path
-# * Prevented fetch from re-downloading packages given a valid hash
-# * Renamed all TREETAP_* variables to TT_*
+# + Added the target triple to the package path [ahill]
+# * Prevented fetch from re-downloading packages given a valid hash [ahill]
+# * Renamed all TREETAP_* variables to TT_* [ahill]
 
 # November 11, 2025 (1.0.1)
-# - Removed bashisms to become POSIX compliant
+# - Removed bashisms to become POSIX compliant [ahill]
 
 # November 9, 2025 (1.0.0)
-# * Initial release
+# * Initial release [ahill]
 
 ####################
 # Global Variables #
@@ -36,7 +39,7 @@
 [ -z "$TT_DIR" ] && TT_DIR="$(pwd)/.treetap"
 [ -z "$TT_PKGDIR" ] && TT_PKGDIR="$TT_DIR/packages"
 [ -z "$TT_SYSROOT" ] && TT_SYSROOT=/
-TT_VERSION="1.0.2"
+TT_VERSION="1.1.0"
 
 #####################
 # Utility Functions #
@@ -140,9 +143,22 @@ package_uninstall() {
 source_build() {
     source_spec $1
     mkdir -p $TT_BUILDDIR
+    if [ ! -z "$SRC_PATCHES" ]; then
+        echo "Validating patches for $SRC_NAME $SRC_VERSION"
+        cd $(dirname $1)
+        echo $SRC_PATCHES | sha256sum -c - > /dev/null
+        # Is this even the right way to check a return value? ~ahill
+        if [ ! "$?" = "0" ]; then
+            echo "Failed to validate patches for $SRC_NAME $SRC_VERSION"
+            exit 1
+        fi
+        echo $SRC_PATCHES | while read line; do
+            cp $(echo $line | cut -d" " -f2) $TT_BUILDDIR/
+        done
+    fi
+    echo "Building $SRC_NAME $SRC_VERSION"
     PUSHD=$(pwd)
     cd $TT_BUILDDIR
-    echo "Building $SRC_NAME $SRC_VERSION"
     build > build-$(date +%Y%m%d%H%M%S).log 2>&1
     cd $PUSHD
     exit 0