# Workaround for CVE-2024-2961 on NixOS

This Nix snippet implements the workaround for CVE-2024-2961 as described by [the Rocky Linux team](https://rockylinux.org/news/glibc-vulnerability-april-2024/). Also a big thanks to [Martin Weinelt](https://github.com/mweinelt) for making this work without rebuilding every single package on your computer.

## How to apply

Clone this repository and add the path to `workaround-cve-2024-2961.nix` to the `imports` attribute of your `configuration.nix`, like this:

```nix
{ config, pkgs, ... }:

{
  # ... (your existing configuration)
  imports = [
    # ... (your existing imports)
    /nixos-workaround-cve-2024-2961/workaround-cve-2024-2961.nix
  ];
  # ... (your existing configuration)
}
```

## Caveats

- Keep in mind that this workaround disables encoding conversion to/from the ISO-2022-CN-EXT Chinese text encoding. If this is something you or your users need, you cannot apply this workaround or things will break.
- This will make your computer build `glibc` by itself, which, depending on your hardware, may take a long time. If your servers don't have a lot of computing resources, consider building the patched version of glibc on your local computer and then pushing its closure to your server. If you understand what I just said, you'll know what to do.
- Be careful if you use Hydra to build your system environment. [As @sandro pointed out](https://c3d2.social/@sandro/112337941452150951), this may have unforeseen consequences. Thanks for the heads-up!
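One way to confirm the workaround took effect after rebuilding, shown as an added example that is not part of this repository: check whether `iconv -l` still offers ISO-2022-CN-EXT or an alias of it. The function names, the `CN-?EXT` pattern and the sample listings are assumptions made for this example, as is the expectation that the disabled converter disappears from the `iconv -l` listing.

```sh
#!/bin/sh
# Added example: the listings below are constructed samples in the style of
# glibc's `iconv -l` output (charset names and aliases ending in "//").
SAMPLE_UNPATCHED='ISO-2022-CN//
ISO2022CN//
ISO-2022-CN-EXT//
ISO2022CNEXT//
UTF-8//'

SAMPLE_PATCHED='ISO-2022-CN//
ISO2022CN//
UTF-8//'

# Print every charset name in an `iconv -l` listing (read from stdin) that
# refers to the ISO-2022-CN-EXT converter, with or without the hyphen.
# Commas and whitespace are both treated as separators, so the wrapped
# terminal layout and the one-name-per-line layout are handled alike.
cn_ext_charsets() {
    tr ',' ' ' | tr -s ' \t' '\n' | grep -E 'CN-?EXT' || true
}

# Succeed (exit 0) only if the listing on stdin no longer offers the converter.
workaround_applied() {
    [ -z "$(cn_ext_charsets)" ]
}

# Report the result for a listing on stdin; $1 is a label for the output line.
report() {
    if workaround_applied; then
        echo "$1: ISO-2022-CN-EXT is not offered"
    else
        echo "$1: ISO-2022-CN-EXT is still offered"
    fi
}

printf '%s\n' "$SAMPLE_UNPATCHED" | report "constructed sample (unpatched)"
printf '%s\n' "$SAMPLE_PATCHED" | report "constructed sample (patched)"

# On the rebuilt system, feed it the real listing instead:
#   iconv -l | report "this system"
```

Run the real check with the `iconv` that belongs to the glibc your system environment actually uses, otherwise the listing reflects a different copy of the converter modules.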