commit db985544192a2cc7896964825c4b6172ae909e87
Author: Martin Wurm
Date:   Tue Apr 23 14:26:48 2024 +0200

    Initial commit

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..5a5d515
--- /dev/null
+++ b/README.md
@@ -0,0 +1,28 @@
+# Workaround for CVE-2024-2961 on NixOS
+This Nix snippet implements the workaround to CVE-2024-2961 as described by
+[the Rocky Linux team](https://rockylinux.org/news/glibc-vulnerability-april-2024/).
+Also a big thanks to [Martin Weinelt](https://github.com/mweinelt) for making
+this work without rebuilding every single package on your computer.
+
+## How to apply
+Clone this repository and add the path to `workaround-cve-2024-2961.nix`
+to the `imports` attribute of your `configuration.nix`, like this:
+
+```nix
+{ config, pkgs, ... }: {
+
+  ...
+
+  imports = [
+    ...
+    /nixos-workaround-cve-2024-2961/workaround-cve-2024-2961.nix
+  ];
+
+  ...
+}
+```
+
+## Caveats
+Keep in mind that this workaround disables encoding conversion to/from the
+ISO-2022-CN-EXT Chinese text encoding. If this is something you or your users
+need, you cannot apply this workaround or things will break.
diff --git a/remove-iso2022cnext.patch b/remove-iso2022cnext.patch
new file mode 100644
index 0000000..e836429
--- /dev/null
+++ b/remove-iso2022cnext.patch
@@ -0,0 +1,15 @@
+--- glibc-2.38/iconvdata/gconv-modules-extra.conf	2024-04-23 12:30:47.040498260 +0200
++++ glibc-2.38/iconvdata/gconv-modules-extra.conf	2024-04-23 12:31:27.148770494 +0200
+@@ -1251,9 +1251,9 @@
+ module INTERNAL ISO-2022-CN// ISO-2022-CN 1
+ 
+ # from to module cost
+-alias ISO2022CNEXT// ISO-2022-CN-EXT//
+-module ISO-2022-CN-EXT// INTERNAL ISO-2022-CN-EXT 1
+-module INTERNAL ISO-2022-CN-EXT// ISO-2022-CN-EXT 1
++# alias ISO2022CNEXT// ISO-2022-CN-EXT//
++# module ISO-2022-CN-EXT// INTERNAL ISO-2022-CN-EXT 1
++# module INTERNAL ISO-2022-CN-EXT// ISO-2022-CN-EXT 1
+ 
+ # from to module cost
+ alias MAC// MACINTOSH//
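Review bot: The patch only removes the ISO-2022-CN-EXT alias/module entries from iconv's default module table (the three commented-out lines in the hunk); the converter library itself is still built and installed by glibc, so this hides the vulnerable code path from normal iconv lookups rather than fixing the underlying glibc bug. That scope deserves to be stated in the patch itself, since `patch` ignores free text above the first `---` line: something like `Workaround for CVE-2024-2961: hide the ISO-2022-CN-EXT gconv module from the default module table. Remove once nixpkgs ships a glibc with the upstream fix.` The hunk context is pinned to the 2.38 tree (`glibc-2.38/iconvdata/gconv-modules-extra.conf`, `@@ -1251,9 +1251,9 @@`), so a glibc bump in nixpkgs may need the context regenerated; the header comment is also the natural place to record that.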
diff --git a/workaround-cve-2024-2961.nix b/workaround-cve-2024-2961.nix
new file mode 100644
index 0000000..baccc47
--- /dev/null
+++ b/workaround-cve-2024-2961.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }: {
+  system.replaceRuntimeDependencies = [({
+    original = pkgs.glibc;
+    replacement = pkgs.glibc.overrideAttrs (oldAttrs: {
+      patches = oldAttrs.patches ++ [ ./remove-iso2022cnext.patch ];
+    });
+  })];
+}
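Review bot: The module carries no comment on what it mitigates, what it covers, or when it should be removed, and the coverage limit matters here: as far as I know `system.replaceRuntimeDependencies` only rewrites the glibc store path inside the NixOS system closure, so user profiles, `nix-shell` environments and anything built from a separately pinned nixpkgs keep the original glibc. A header comment above `system.replaceRuntimeDependencies` would make that explicit, e.g. `# Mitigation for CVE-2024-2961: swap the system closure's glibc for one whose gconv config hides ISO-2022-CN-EXT (see remove-iso2022cnext.patch). Covers the NixOS system closure only; remove once nixpkgs ships a fixed glibc.` Because `patches = oldAttrs.patches ++ [ ./remove-iso2022cnext.patch ]` will keep applying after the upstream fix lands, the encoding would stay disabled silently; a version check on `pkgs.glibc.version` (nixpkgs' `lib.versionOlder`, with `lib` added to the module arguments) that fails the evaluation once the fixed glibc is present would turn that into a visible reminder to drop the module.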