mart-w
/
nixos-workaround-cve-2024-2961
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Workaround for CVE-2024-2961 on NixOS
3 Commits
1 Branch
0 Tags
33 KiB
Nix 100%
 
Go to file
Martin Wurm 47bce4e554 add cautionary notice about using this workaround in conjunction with Hydra builds 2024-04-27 00:42:32 +02:00
README.md add cautionary notice about using this workaround in conjunction with Hydra builds 2024-04-27 00:42:32 +02:00
remove-iso2022cnext.patch Initial commit 2024-04-23 14:26:48 +02:00
workaround-cve-2024-2961.nix Initial commit 2024-04-23 14:26:48 +02:00

README.md

Workaround for CVE-2024-2961 on NixOS

This Nix snippet implements the workaround to CVE-2024-2961 as described by the Rocky Linux team. Also a big thanks to Martin Weinelt for making this work without rebuilding every single package on your computer.

How to apply

Clone this repository and add the path to workaround-cve-2024-2961.nix to the imports attribute of your configuration.nix, like this:

{ config, pkgs, ... }: {

  ...

  imports = [
    ...
    <path-to-repo>/nixos-workaround-cve-2024-2961/workaround-cve-2024-2961.nix
  ];

  ...
}

Caveats

  • Keep in mind that this workaround disables encoding conversion to/from the ISO-2022-CN-EXT Chinese text encoding. If this is something you or your users need, you cannot apply this workaround or things will break.
  • This will make your computer build glibc by itself, which, depending on your hardware, may take a long time. If your servers don't have a lot of computing resources, consider building the patched version of glibc on your local computer and then pushing its closure to your server. If you understand what I just said, you'll know what to do.
  • Be careful if you use Hydra to build your system environment. As @sandro pointed out, this may have unforeseen consequences. Thanks for the heads-up!