This repository has been archived on 2024-05-20. You can view files and clone it, but cannot push or open issues or pull requests.
# Workaround for CVE-2024-2961 on NixOS
This Nix snippet implements the workaround for CVE-2024-2961 described by
[the Rocky Linux team](https://rockylinux.org/news/glibc-vulnerability-april-2024/).
Also a big thanks to [Martin Weinelt](https://github.com/mweinelt) for making
this work without rebuilding every single package on your computer.
## How to apply
Clone this repository and add the path to `workaround-cve-2024-2961.nix`
to the `imports` attribute of your `configuration.nix`, like this:
```nix
{ config, pkgs, ... }: {
  # ...
  imports = [
    # ...
    <path-to-repo>/nixos-workaround-cve-2024-2961/workaround-cve-2024-2961.nix
  ];
  # ...
}
```
## Caveats
- Keep in mind that this workaround disables encoding conversion to/from the
ISO-2022-CN-EXT Chinese text encoding. If this is something you or your users
need, you cannot apply this workaround or things will break.
- This will make your computer build `glibc` by itself, which, depending on
your hardware, may take a long time. If your servers don't have a lot of
computing resources, consider building the patched version of glibc on your
local computer and then pushing its closure to your server. If you understand
what I just said, you'll know what to do.
- Be careful if you use Hydra to build your system environment.
[As @sandro pointed out](https://c3d2.social/@sandro/112337941452150951),
this may have unforeseen consequences. Thanks for the heads-up!
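A way to confirm on a host that the workaround actually took effect, added here as an example and not part of this repository: it scans a glibc gconv configuration directory that you supply (assumed to be `lib/gconv` under the glibc store path) for remaining ISO-2022-CN-EXT entries, and probes `iconv` directly.

```sh
#!/bin/sh
# Added example, not part of this repository: check whether a glibc gconv
# configuration still advertises the ISO-2022-CN-EXT converter that the
# CVE-2024-2961 workaround removes, and optionally probe iconv directly.

# Count active (non-comment) "module"/"alias" lines referencing ISO-2022-CN-EXT
# in one gconv-modules file. Prints the count; a missing file counts as 0.
count_iso2022cnext_entries() {
  file="$1"
  [ -r "$file" ] || { echo 0; return 0; }
  grep -v '^[[:space:]]*#' "$file" \
    | grep -E '^[[:space:]]*(module|alias)[[:space:]]' \
    | grep -c 'ISO-2022-CN-EXT' || true
}

# Scan a gconv directory: the main gconv-modules file plus any
# gconv-modules.d/*.conf drop-ins (newer glibc keeps the rarer charsets there).
# Returns 0 when no ISO-2022-CN-EXT entry remains, 1 otherwise.
gconv_dir_workaround_applied() {
  dir="$1"
  total=0
  for f in "$dir/gconv-modules" "$dir"/gconv-modules.d/*.conf; do
    [ -r "$f" ] || continue
    n=$(count_iso2022cnext_entries "$f")
    total=$((total + n))
  done
  [ "$total" -eq 0 ]
}

# Live probe: ask iconv for the conversion. Returns 0 when iconv refuses it
# (module gone, or no iconv at all), 1 when the converter still loads.
iconv_iso2022cnext_unavailable() {
  ! printf 'abc' | iconv -f ISO-2022-CN-EXT -t UTF-8 >/dev/null 2>&1
}

# Usage (path is a placeholder): sh check-gconv.sh /nix/store/<glibc-store-path>/lib/gconv
if [ $# -eq 1 ]; then
  if gconv_dir_workaround_applied "$1"; then
    echo "OK: no ISO-2022-CN-EXT entries under $1"
  else
    echo "WARNING: ISO-2022-CN-EXT still configured under $1"
  fi
  if iconv_iso2022cnext_unavailable; then
    echo "OK: iconv cannot load ISO-2022-CN-EXT"
  else
    echo "WARNING: iconv still converts ISO-2022-CN-EXT"
  fi
fi
```

Run it against the glibc that the running system actually links (after `replaceRuntimeDependencies`-style patching, that is the patched store path), not against an unrelated glibc in the store.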