# Workaround for CVE-2024-2961 on NixOS

This Nix snippet implements the workaround for CVE-2024-2961 as described by the Rocky Linux team. Also a big thanks to Martin Weinelt for making this work without rebuilding every single package on your computer.
## How to apply

Clone this repository and add the path to `workaround-cve-2024-2961.nix` to the `imports` attribute of your `configuration.nix`, like this:
```nix
{ config, pkgs, ... }: {
  ...
  imports = [
    ...
    <path-to-repo>/nixos-workaround-cve-2024-2961/workaround-cve-2024-2961.nix
  ];
  ...
}
```
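The mechanism behind "without rebuilding every single package", shown here as an added illustration and not as the contents of this repository's `workaround-cve-2024-2961.nix` (the real module may differ): NixOS's `system.replaceRuntimeDependencies` rewrites the store-path references in the built system closure, so only glibc itself is rebuilt, which is also why the caveat below warns that your machine will build glibc. The patch file name is assumed to be the `remove-iso2022cnext.patch` listed in this repository.

```nix
# Added illustration, not the repository's own module: swap a patched glibc
# into an existing system closure via system.replaceRuntimeDependencies.
{ pkgs, ... }:

let
  # Assumption: remove-iso2022cnext.patch sits next to this file and drops
  # the ISO-2022-CN-EXT converter from glibc's gconv configuration.
  patchedGlibc = pkgs.glibc.overrideAttrs (old: {
    patches = (old.patches or [ ]) ++ [ ./remove-iso2022cnext.patch ];
  });
in
{
  # Rewrite every reference to the original glibc store path in the final
  # system closure instead of rebuilding each package that depends on it.
  system.replaceRuntimeDependencies = [
    {
      original = pkgs.glibc;
      replacement = patchedGlibc;
    }
  ];
}
```

After `nixos-rebuild switch`, `iconv -l | grep -i 'ISO-2022-CN-EXT'` should print nothing if the patch removed the converter's gconv-modules entries.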
## Caveats
- Keep in mind that this workaround disables encoding conversion to/from the ISO-2022-CN-EXT Chinese text encoding. If this is something you or your users need, you cannot apply this workaround or things will break.
- This will make your computer build `glibc` by itself, which, depending on your hardware, may take a long time. If your servers don't have a lot of computing resources, consider building the patched version of glibc on your local computer and then pushing its closure to your server. If you understand what I just said, you'll know what to do.
- Be careful if you use Hydra to build your system environment. As @sandro pointed out, this may have unforeseen consequences. Thanks for the heads-up!