nixos-workaround-cve-2024-2961/README.md

# Workaround for CVE-2024-2961 on NixOS
This Nix snippet implements the workaround to CVE-2024-2961 as described by
[the Rocky Linux team](https://rockylinux.org/news/glibc-vulnerability-april-2024/).
Also a big thanks to [Martin Weinelt](https://github.com/mweinelt) for making
this work without rebuilding every single package on your computer.

## How to apply
Clone this repository and add the path to `workaround-cve-2024-2961.nix`
to the `imports` attribute of your `configuration.nix`, like this:

```nix
{ config, pkgs, ... }: {

  ...

  imports = [
    ...
    <path-to-repo>/nixos-workaround-cve-2024-2961/workaround-cve-2024-2961.nix
  ];

  ...
}
```

## Caveats
- Keep in mind that this workaround disables encoding conversion to/from the
  ISO-2022-CN-EXT Chinese text encoding. If this is something you or your users
  need, you cannot apply this workaround or things will break.
- This will make your computer build `glibc` by itself, which, depending on
  your hardware, may take a long time. If your servers don't have a lot of
  computing resources, consider building the patched version of glibc on your
  local computer and then pushing its closure to your server. If you understand
  what I just said, you'll know what to do.
- Be careful if you use Hydra to build your system environment.
  [As @sandro pointed out](https://c3d2.social/@sandro/112337941452150951),
  this may have unforeseen consequences. Thanks for the heads-up!
Initial commit 2024-04-23 14:26:48 +02:00			`# Workaround for CVE-2024-2961 on NixOS`
			`This Nix snippet implements the workaround to CVE-2024-2961 as described by`
			`[the Rocky Linux team](https://rockylinux.org/news/glibc-vulnerability-april-2024/).`
			`Also a big thanks to [Martin Weinelt](https://github.com/mweinelt) for making`
			`this work without rebuilding every single package on your computer.`

			`## How to apply`
			Clone this repository and add the path to `workaround-cve-2024-2961.nix`
			to the `imports` attribute of your `configuration.nix`, like this:

			```nix
			`{ config, pkgs, ... }: {`

			`...`

			`imports = [`
			`...`
			`<path-to-repo>/nixos-workaround-cve-2024-2961/workaround-cve-2024-2961.nix`
			`];`

			`...`
			`}`
			```

			`## Caveats`
Add note about having to rebuild glibc 2024-04-23 14:30:19 +02:00			`- Keep in mind that this workaround disables encoding conversion to/from the`
			`ISO-2022-CN-EXT Chinese text encoding. If this is something you or your users`
			`need, you cannot apply this workaround or things will break.`
			- This will make your computer build `glibc` by itself, which, depending on
			`your hardware, may take a long time. If your servers don't have a lot of`
			`computing resources, consider building the patched version of glibc on your`
			`local computer and then pushing its closure to your server. If you understand`
			`what I just said, you'll know what to do.`
add cautionary notice about using this workaround in conjunction with Hydra builds 2024-04-27 00:42:32 +02:00			`- Be careful if you use Hydra to build your system environment.`
			`[As @sandro pointed out](https://c3d2.social/@sandro/112337941452150951),`
			`this may have unforeseen consequences. Thanks for the heads-up!`