Update cve post
Some checks reported errors
continuous-integration/drone/push Build was killed
continuous-integration/drone/promote/production Build is passing

Garrett Mills 2024-04-25 20:44:20 -05:00
parent 402ab60e0e
commit a8a478970e

@ -81,7 +81,7 @@ Disable the offending encodings in the `gconv-modules` config file. This will ei
```shell
cd gconv-modules.d
cat gconv-modules-extra.conf | grep -v -E 'CN-?EXT' > gconv-modules-extra-patched.conf
rm gconv-modules-extra.conf
mv gconv-modules-extra-patched.conf gconv-modules-extra.conf
cd ..
```
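Review bot: the commands in this shell block are not chained, so if the `cat ... | grep -v -E 'CN-?EXT'` step fails or writes a partial file, `rm gconv-modules-extra.conf` and the `mv` still run and install an empty or truncated config over the original. Join the steps with `&&` (or begin with `set -e`), or edit in place with `sed -i -E '/CN-?EXT/d' gconv-modules-extra.conf`. Because the patched content now sits under the packaged file name, a package update that rewrites `gconv-modules-extra.conf` would bring the entries back, so the post should tell readers to re-run `iconv -l | grep -E 'CN-?EXT'` after updates.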
@ -109,10 +109,12 @@ For those using Docker images, here's a convenient `Dockerfile` blurb:
# Disable vulnerable iconv encodings (CVE-2024-2961)
RUN cd /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.d \
&& cat gconv-modules-extra.conf | grep -v -E 'CN-?EXT' > gconv-modules-extra-patched.conf \
&& rm -f gconv-modules-extra.conf ../gconv-modules.cache \
&& mv gconv-modules-extra-patched.conf gconv-modules-extra.conf \
&& rm -f ../gconv-modules.cache \
&& iconvconfig \
&& iconv -l | grep -E 'CN-?EXT' && exit 1 || true
```
That last line contains one of my favorite Dockerfile tricks (`check-something && exit 1 || true`) -- your Docker build will fail if the vulnerable charsets are enabled.
> A previous version of this post kept `gconv-modules-extra-patched.conf`. Thanks to Anonymous for pointing out that a subsequent RPM update could re-introduce the file.
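Review bot: the trailing `|| true` on the `iconv -l | grep -E 'CN-?EXT' && exit 1 || true` line applies to the whole `&&` chain, not only to the check, so a failure in any earlier step is swallowed and the build passes. If `cd /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.d` fails (for example on an image for another architecture, where that path does not exist) or `iconvconfig` fails, the list short-circuits to `|| true` and the image is built with the encodings untouched and no check ever run. Move the check into its own instruction, for example `RUN if iconv -l | grep -qE 'CN-?EXT'; then exit 1; fi`, so that the patch steps fail the build on their own and the check cannot be skipped.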