# Workaround for CVE-2024-2961 on NixOS

This Nix snippet implements the workaround for CVE-2024-2961 as described by
[the Rocky Linux team](https://rockylinux.org/news/glibc-vulnerability-april-2024/).

Also a big thanks to [Martin Weinelt](https://github.com/mweinelt) for making
this work without rebuilding every single package on your computer.

## How to apply

Clone this repository and add the path to `workaround-cve-2024-2961.nix`
to the `imports` attribute of your `configuration.nix`, like this:

```nix
{ config, pkgs, ... }: {

  ...

  imports = [
    ...
    <path-to-repo>/nixos-workaround-cve-2024-2961/workaround-cve-2024-2961.nix
  ];

  ...
}
```
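
After rebuilding, a practical way to confirm the workaround took effect is to ask glibc's own `iconv` whether it still knows the ISO-2022-CN-EXT converter. The following POSIX shell check is an added example, not part of this repository; it assumes the glibc `iconv` binary is on PATH and that `iconv -l` prints its converter list in glibc's format.

```shell
#!/bin/sh
# Added example (not part of this repository): check whether glibc's iconv
# still offers the ISO-2022-CN-EXT converter that the workaround disables.
# Assumes the glibc `iconv` binary is on PATH when check_system is used.

# Read a converter list in the format `iconv -l` prints from stdin: names are
# comma-separated when printed to a terminal, and one per line with a trailing
# "//" when piped. Returns 0 if ISO-2022-CN-EXT is listed, 1 otherwise.
cn_ext_listed() {
    tr ', ' '\n\n' | sed 's|//$||' | grep -qix 'ISO-2022-CN-EXT'
}

# Query the running system. Returns 1 (and says so) if the converter is
# still registered, i.e. the workaround is not in effect for this glibc;
# returns 2 if iconv is not available at all.
check_system() {
    if ! command -v iconv >/dev/null 2>&1; then
        echo "iconv not found; cannot check" >&2
        return 2
    fi
    if iconv -l 2>/dev/null | cn_ext_listed; then
        echo "ISO-2022-CN-EXT is still available: workaround NOT in effect"
        return 1
    fi
    echo "ISO-2022-CN-EXT is not registered: workaround in effect"
    return 0
}

# Run the live check only when explicitly asked for.
if [ "${1-}" = "--check" ]; then
    check_system
fi
```

Save it under any name (e.g. `check-cn-ext.sh`, a name chosen here) and run `sh check-cn-ext.sh --check` on the rebuilt host; a non-zero exit means the converter is still present.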
## Caveats

- Keep in mind that this workaround disables encoding conversion to/from the
  ISO-2022-CN-EXT Chinese text encoding. If this is something you or your users
  need, you cannot apply this workaround or things will break.
- This will make your computer build `glibc` by itself, which, depending on
  your hardware, may take a long time. If your servers don't have a lot of
  computing resources, consider building the patched version of glibc on your
  local computer and then pushing its closure to your server. If you understand
  what I just said, you'll know what to do.
- Be careful if you use Hydra to build your system environment.
  [As @sandro pointed out](https://c3d2.social/@sandro/112337941452150951),
  this may have unforeseen consequences. Thanks for the heads-up!