Merge pull request 'issues/CVE-2024-2961.md: Add a mitigation' (#31) …

…from solardiz-patch-29 into main Reviewed-on: https://git.resf.org/security/wiki/pulls/31 Reviewed-by: Neil Hanlon <neil@[email protected]>
rocky-linux · Apr 23, 2024 · 41e67d4 · 41e67d4
2 parents ea9aee0 + 51bbca3
commit 41e67d4
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 3 deletions.
diff --git a/docs/issues/CVE-2024-2961.md b/docs/issues/CVE-2024-2961.md
@@ -23,3 +23,24 @@ Fixed in version: `2.34-83.12.el9_3.security.0.5` available April 18, 2024
 ## EL8
 
 Affected. We will of course rebuild upstream's fix as soon as it arrives.
+
+## Mitigation
+
+Support for the ISO-2022-CN-EXT character set can be excluded from glibc's iconv(3) by editing `/usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf` to comment out the below 3 lines at line 1254 (same line number in EL9 and EL8) and then regenerating the cache file:
+
+```
+alias  ISO2022CNEXT//          ISO-2022-CN-EXT//
+module ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
+module INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
+```
+
+These two steps can be accomplished by running the below commands as root:
+
+```
+sed -i -r 's/^(.*ISO-2022-CN-EXT.*)$/#\1/' /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf
+iconvconfig
+```
+
+To make sure this has worked as intended, we also recommend that you run `iconv -l | grep ISO-2022-CN-EXT` before and after the above procedure. It should list the ISO-2022-CN-EXT character set before the procedure, but produce empty output afterwards.
+
+Finally, if you have long-running processes for which the bug matters (such as PHP-FPM), you'll need to restart those.
diff --git a/docs/news.md b/docs/news.md
@@ -2,10 +2,10 @@
 
 These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
 
-## April 18, 2024
+## April 18-23, 2024
 
-Our hardened EL9 [glibc](packages/glibc.md) updated to include glibc upstream fix for [CVE-2024-2961](issues/CVE-2024-2961.md),
-which we now have a status page on.
+Our hardened EL9 [glibc](packages/glibc.md) updated to include glibc upstream fix for [CVE-2024-2961](issues/CVE-2024-2961.md).
+On that CVE status page, we also provide a mitigation for both EL9 and EL8.
 
 The status page on [CVE-2024-1086](issues/CVE-2024-1086.md) has been updated to refer to EL8 fix and errata, suggest disabling network namespaces, explain remaining risks with LKRG.