Workaround for CVE-2024-2961 on NixOS
This repository has been archived on 2024-05-20. You can view files and clone it, but cannot push or open issues or pull requests.
Go to file
2024-04-27 00:42:32 +02:00
README.md add cautionary notice about using this workaround in conjunction with Hydra builds 2024-04-27 00:42:32 +02:00
remove-iso2022cnext.patch Initial commit 2024-04-23 14:26:48 +02:00
workaround-cve-2024-2961.nix Initial commit 2024-04-23 14:26:48 +02:00

Workaround for CVE-2024-2961 on NixOS

This Nix snippet implements the workaround to CVE-2024-2961 as described by the Rocky Linux team. Also a big thanks to Martin Weinelt for making this work without rebuilding every single package on your computer.

How to apply

Clone this repository and add the path to workaround-cve-2024-2961.nix to the imports attribute of your configuration.nix, like this:

{ config, pkgs, ... }: {

  ...

  imports = [
    ...
    <path-to-repo>/nixos-workaround-cve-2024-2961/workaround-cve-2024-2961.nix
  ];

  ...
}

Caveats

  • Keep in mind that this workaround disables encoding conversion to/from the ISO-2022-CN-EXT Chinese text encoding. If this is something you or your users need, you cannot apply this workaround or things will break.
  • This will make your computer build glibc by itself, which, depending on your hardware, may take a long time. If your servers don't have a lot of computing resources, consider building the patched version of glibc on your local computer and then pushing its closure to your server. If you understand what I just said, you'll know what to do.
  • Be careful if you use Hydra to build your system environment. As @sandro pointed out, this may have unforeseen consequences. Thanks for the heads-up!