Initial commit

README.md

@@ -0,0 +1,28 @@
+# Workaround for CVE-2024-2961 on NixOS
+This Nix snippet implements the workaround to CVE-2024-2961 as described by
+[the Rocky Linux team](https://rockylinux.org/news/glibc-vulnerability-april-2024/).
+Also a big thanks to [Martin Weinelt](https://github.com/mweinelt) for making
+this work without rebuilding every single package on your computer.
+
+## How to apply
+Clone this repository and add the path to `workaround-cve-2024-2961.nix`
+to the `imports` attribute of your `configuration.nix`, like this:
+
+```nix
+{ config, pkgs, ... }: {
+
+  ...
+
+  imports = [
+    ...
+    <path-to-repo>/nixos-workaround-cve-2024-2961/workaround-cve-2024-2961.nix
+  ];
+
+  ...
+}
+```
+
+## Caveats
+Keep in mind that this workaround disables encoding conversion to/from the
+ISO-2022-CN-EXT Chinese text encoding. If this is something you or your users
+need, you cannot apply this workaround or things will break.

remove-iso2022cnext.patch

@@ -0,0 +1,15 @@
+--- glibc-2.38/iconvdata/gconv-modules-extra.conf	2024-04-23 12:30:47.040498260 +0200
++++ glibc-2.38/iconvdata/gconv-modules-extra.conf	2024-04-23 12:31:27.148770494 +0200
+@@ -1251,9 +1251,9 @@
+ module	INTERNAL		ISO-2022-CN//		ISO-2022-CN	1
+ 
+ #	from			to			module		cost
+-alias	ISO2022CNEXT//		ISO-2022-CN-EXT//
+-module	ISO-2022-CN-EXT//	INTERNAL		ISO-2022-CN-EXT	1
+-module	INTERNAL		ISO-2022-CN-EXT//	ISO-2022-CN-EXT	1
++# alias	ISO2022CNEXT//		ISO-2022-CN-EXT//
++# module	ISO-2022-CN-EXT//	INTERNAL		ISO-2022-CN-EXT	1
++# module	INTERNAL		ISO-2022-CN-EXT//	ISO-2022-CN-EXT	1
+ 
+ #	from			to			module		cost
+ alias	MAC//			MACINTOSH//

workaround-cve-2024-2961.nix

@@ -0,0 +1,8 @@
+{ pkgs, ... }: {
+  system.replaceRuntimeDependencies = [({
+    original = pkgs.glibc;
+    replacement = pkgs.glibc.overrideAttrs (oldAttrs: {
+      patches = oldAttrs.patches ++ [ ./remove-iso2022cnext.patch ];
+    });
+  })];
+}