Re: security/ghidra - replace log4j
On Tue, Dec 14, 2021 at 10:45:52AM +, Stuart Henderson wrote: > On 2021/12/14 00:12, Lawrence Teo wrote: > > The latest Ghidra release 10.1 has a fix for the log4j vulnerability; > > however, updating the port to that version is very complex and > > unfortunately I do not have enough time to work on it at the moment. > > > > As a workaround, this diff updates the log4j jar files in > > security/ghidra to 2.15.0. I was about to fetch the log4j jar files > > from https://logging.apache.org/log4j/2.x/download.html when I noticed > > sthen's net/unifi update which fetches them from spacehopper.org > > instead. This diff uses the latter approach. > > > > ok? > > Ah I switched unifi over to using the proper distfiles from apache.org > before I read your mail, the ones I mirrored came from a newer version of > unifi. You can use them if you like but I can't vouch for exactly what's > in them other than "ubiquiti thought they were OK" - hashes differ > into the upstream release (I didn't look further to what was changed > inbetween them). Thank you for your feedback. I decided to use the ones from apache.org as well (2.16.0). I have committed the fix. > > Index: Makefile > > === > > RCS file: /cvs/ports/security/ghidra/Makefile,v > > retrieving revision 1.8 > > diff -u -p -r1.8 Makefile > > --- Makefile19 Jul 2020 01:29:23 - 1.8 > > +++ Makefile14 Dec 2021 04:43:32 - > > @@ -7,6 +7,7 @@ COMMENT = software reverse engineering ( > > > > VERSION = 9.1.2 > > GHIDRA_DATE = 20200212 > > +REVISION = 0 > > > > GH_ACCOUNT = NationalSecurityAgency > > GH_PROJECT = ghidra > > @@ -27,6 +28,7 @@ WANTLIB +=c m ${COMPILER_LIBCXX} > > MASTER_SITES0 =${HOMEPAGE} > > MASTER_SITES1 = > > https://sourceforge.net/projects/yajsw/files/yajsw/yajsw-stable-${YAJSW_VER}/ > > MASTER_SITES2 =https://repo.maven.apache.org/maven2/ > > +MASTER_SITES3 =https://spacehopper.org/mirrors/ > > > > EXTRACT_SUFX = .zip > > > > @@ -37,6 +39,7 @@ JMOCKIT_VER = 1.44 > > JSON_SIMPLE_VER = 1.1.1 > > JUNIT_VER =4.12 > > YAJSW_VER =12.12 > > +LOG4J_VER =2.15.0 > > > > # Note that ST4-${ST4_VER}.jar is only needed during build for antlr; it > > is not > > # needed at runtime and therefore does not need to be packed. > > @@ -51,6 +54,8 @@ DISTFILES = ${DISTNAME}.tar.gz > > DISTFILES += > > ghidra_${VERSION}_PUBLIC_${GHIDRA_DATE}${EXTRACT_SUFX}:0 > > DISTFILES += yajsw-stable-${YAJSW_VER}${EXTRACT_SUFX}:1 > > DISTFILES += ${JAR_DISTFILES:C/$/:2/} > > +DISTFILES += log4j-api-${LOG4J_VER}.jar:3 > > +DISTFILES += log4j-core-${LOG4J_VER}.jar:3 > > > > EXTRACT_ONLY = ${DISTNAME}.tar.gz > > > > @@ -138,5 +143,10 @@ do-install: > > ln -s ${TRUEPREFIX}/share/java/ghidra/ghidraRun ${PREFIX}/bin/ghidraRun > > ${INSTALL_SCRIPT} > > ${WRKSRC}/Ghidra/RuntimeScripts/Linux/support/launch.sh \ > > ${PREFIX}/share/java/ghidra/support/launch.sh > > + rm -f > > ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-{api,core}-*.jar > > + ${INSTALL_DATA} ${FULLDISTDIR}/log4j-api-${LOG4J_VER}.jar \ > > + ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/ > > + ${INSTALL_DATA} ${FULLDISTDIR}/log4j-core-${LOG4J_VER}.jar \ > > + ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/ > > > > .include > > Index: distinfo > > === > > RCS file: /cvs/ports/security/ghidra/distinfo,v > > retrieving revision 1.4 > > diff -u -p -r1.4 distinfo > > --- distinfo19 Jul 2020 01:29:23 - 1.4 > > +++ distinfo14 Dec 2021 04:43:32 - > > @@ -6,6 +6,8 @@ SHA256 (javacc-5.0.jar) = cRExYbyM9mQVFV > > SHA256 (jmockit-1.44.jar) = GXSZN1EzMkhCbdusNwpgSUTt9mXBPUakxelz5N2PqUo= > > SHA256 (json-simple-1.1.1.jar) = > > TmlpaJK4i0HFXUmrL9zCHurZK/VKzFiMAFBZbDt1GZw= > > SHA256 (junit-4.12.jar) = WXIfCAXiI9hLkGd4h9n/Vn3FNNfFAsqQPAwrF/BcEWo= > > +SHA256 (log4j-api-2.15.0.jar) = > > yMM+fo4FSW2uac8MqsjDCSz/2TehZFJukpItLVZtClU= > > +SHA256 (log4j-core-2.15.0.jar) = > > QZqFEolZcbe09PM+Yg02ElTlyVUrkEsEdLCd3UpqIgs= > > SHA256 (yajsw-stable-12.12.zip) = > > E5j8sek6uxmZLE+gbX/ldYqrtMRXgdfvMGxvV8p6cyE= > > SIZE (ST4-4.1.jar) = 253043 > > SIZE (ghidra-9.1.2.tar.gz) = 59623429 > > @@ -15,4 +17,6 @@ SIZE (javacc-5.0.jar) = 298569 > > SIZE (jmockit-1.44.jar) = 757982 > > SIZE (json-simple-1.1.1.jar) = 23931 > > SIZE (junit-4.12.jar) = 314932 > > +SIZE (log4j-api-2.15.0.jar) = 301804 > > +SIZE (log4j-core-2.15.0.jar) = 1789769 > > SIZE (yajsw-stable-12.12.zip) = 25051676 > > Index: pkg/PLIST > > === > > RCS
Re: security/ghidra - replace log4j
On 2021/12/14 00:12, Lawrence Teo wrote: > The latest Ghidra release 10.1 has a fix for the log4j vulnerability; > however, updating the port to that version is very complex and > unfortunately I do not have enough time to work on it at the moment. > > As a workaround, this diff updates the log4j jar files in > security/ghidra to 2.15.0. I was about to fetch the log4j jar files > from https://logging.apache.org/log4j/2.x/download.html when I noticed > sthen's net/unifi update which fetches them from spacehopper.org > instead. This diff uses the latter approach. > > ok? Ah I switched unifi over to using the proper distfiles from apache.org before I read your mail, the ones I mirrored came from a newer version of unifi. You can use them if you like but I can't vouch for exactly what's in them other than "ubiquiti thought they were OK" - hashes differ into the upstream release (I didn't look further to what was changed inbetween them). > > Index: Makefile > === > RCS file: /cvs/ports/security/ghidra/Makefile,v > retrieving revision 1.8 > diff -u -p -r1.8 Makefile > --- Makefile 19 Jul 2020 01:29:23 - 1.8 > +++ Makefile 14 Dec 2021 04:43:32 - > @@ -7,6 +7,7 @@ COMMENT = software reverse engineering ( > > VERSION =9.1.2 > GHIDRA_DATE =20200212 > +REVISION = 0 > > GH_ACCOUNT = NationalSecurityAgency > GH_PROJECT = ghidra > @@ -27,6 +28,7 @@ WANTLIB += c m ${COMPILER_LIBCXX} > MASTER_SITES0 = ${HOMEPAGE} > MASTER_SITES1 = > https://sourceforge.net/projects/yajsw/files/yajsw/yajsw-stable-${YAJSW_VER}/ > MASTER_SITES2 = https://repo.maven.apache.org/maven2/ > +MASTER_SITES3 = https://spacehopper.org/mirrors/ > > EXTRACT_SUFX = .zip > > @@ -37,6 +39,7 @@ JMOCKIT_VER = 1.44 > JSON_SIMPLE_VER =1.1.1 > JUNIT_VER = 4.12 > YAJSW_VER = 12.12 > +LOG4J_VER = 2.15.0 > > # Note that ST4-${ST4_VER}.jar is only needed during build for antlr; it is > not > # needed at runtime and therefore does not need to be packed. > @@ -51,6 +54,8 @@ DISTFILES = ${DISTNAME}.tar.gz > DISTFILES += ghidra_${VERSION}_PUBLIC_${GHIDRA_DATE}${EXTRACT_SUFX}:0 > DISTFILES += yajsw-stable-${YAJSW_VER}${EXTRACT_SUFX}:1 > DISTFILES += ${JAR_DISTFILES:C/$/:2/} > +DISTFILES += log4j-api-${LOG4J_VER}.jar:3 > +DISTFILES += log4j-core-${LOG4J_VER}.jar:3 > > EXTRACT_ONLY = ${DISTNAME}.tar.gz > > @@ -138,5 +143,10 @@ do-install: > ln -s ${TRUEPREFIX}/share/java/ghidra/ghidraRun ${PREFIX}/bin/ghidraRun > ${INSTALL_SCRIPT} > ${WRKSRC}/Ghidra/RuntimeScripts/Linux/support/launch.sh \ > ${PREFIX}/share/java/ghidra/support/launch.sh > + rm -f > ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-{api,core}-*.jar > + ${INSTALL_DATA} ${FULLDISTDIR}/log4j-api-${LOG4J_VER}.jar \ > + ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/ > + ${INSTALL_DATA} ${FULLDISTDIR}/log4j-core-${LOG4J_VER}.jar \ > + ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/ > > .include > Index: distinfo > === > RCS file: /cvs/ports/security/ghidra/distinfo,v > retrieving revision 1.4 > diff -u -p -r1.4 distinfo > --- distinfo 19 Jul 2020 01:29:23 - 1.4 > +++ distinfo 14 Dec 2021 04:43:32 - > @@ -6,6 +6,8 @@ SHA256 (javacc-5.0.jar) = cRExYbyM9mQVFV > SHA256 (jmockit-1.44.jar) = GXSZN1EzMkhCbdusNwpgSUTt9mXBPUakxelz5N2PqUo= > SHA256 (json-simple-1.1.1.jar) = TmlpaJK4i0HFXUmrL9zCHurZK/VKzFiMAFBZbDt1GZw= > SHA256 (junit-4.12.jar) = WXIfCAXiI9hLkGd4h9n/Vn3FNNfFAsqQPAwrF/BcEWo= > +SHA256 (log4j-api-2.15.0.jar) = yMM+fo4FSW2uac8MqsjDCSz/2TehZFJukpItLVZtClU= > +SHA256 (log4j-core-2.15.0.jar) = QZqFEolZcbe09PM+Yg02ElTlyVUrkEsEdLCd3UpqIgs= > SHA256 (yajsw-stable-12.12.zip) = > E5j8sek6uxmZLE+gbX/ldYqrtMRXgdfvMGxvV8p6cyE= > SIZE (ST4-4.1.jar) = 253043 > SIZE (ghidra-9.1.2.tar.gz) = 59623429 > @@ -15,4 +17,6 @@ SIZE (javacc-5.0.jar) = 298569 > SIZE (jmockit-1.44.jar) = 757982 > SIZE (json-simple-1.1.1.jar) = 23931 > SIZE (junit-4.12.jar) = 314932 > +SIZE (log4j-api-2.15.0.jar) = 301804 > +SIZE (log4j-core-2.15.0.jar) = 1789769 > SIZE (yajsw-stable-12.12.zip) = 25051676 > Index: pkg/PLIST > === > RCS file: /cvs/ports/security/ghidra/pkg/PLIST,v > retrieving revision 1.4 > diff -u -p -r1.4 PLIST > --- pkg/PLIST 19 Jul 2020 01:29:23 - 1.4 > +++ pkg/PLIST 14 Dec 2021 04:43:34 - > @@ -2304,8 +2304,8 @@ share/java/ghidra/Ghidra/Framework/Gener > share/java/ghidra/Ghidra/Framework/Generic/lib/commons-lang3-3.9.jar > share/java/ghidra/Ghidra/Framework/Generic/lib/guava-19.0.jar >
security/ghidra - replace log4j
The latest Ghidra release 10.1 has a fix for the log4j vulnerability; however, updating the port to that version is very complex and unfortunately I do not have enough time to work on it at the moment. As a workaround, this diff updates the log4j jar files in security/ghidra to 2.15.0. I was about to fetch the log4j jar files from https://logging.apache.org/log4j/2.x/download.html when I noticed sthen's net/unifi update which fetches them from spacehopper.org instead. This diff uses the latter approach. ok? Index: Makefile === RCS file: /cvs/ports/security/ghidra/Makefile,v retrieving revision 1.8 diff -u -p -r1.8 Makefile --- Makefile19 Jul 2020 01:29:23 - 1.8 +++ Makefile14 Dec 2021 04:43:32 - @@ -7,6 +7,7 @@ COMMENT = software reverse engineering ( VERSION = 9.1.2 GHIDRA_DATE = 20200212 +REVISION = 0 GH_ACCOUNT = NationalSecurityAgency GH_PROJECT = ghidra @@ -27,6 +28,7 @@ WANTLIB +=c m ${COMPILER_LIBCXX} MASTER_SITES0 =${HOMEPAGE} MASTER_SITES1 = https://sourceforge.net/projects/yajsw/files/yajsw/yajsw-stable-${YAJSW_VER}/ MASTER_SITES2 =https://repo.maven.apache.org/maven2/ +MASTER_SITES3 =https://spacehopper.org/mirrors/ EXTRACT_SUFX = .zip @@ -37,6 +39,7 @@ JMOCKIT_VER = 1.44 JSON_SIMPLE_VER = 1.1.1 JUNIT_VER =4.12 YAJSW_VER =12.12 +LOG4J_VER =2.15.0 # Note that ST4-${ST4_VER}.jar is only needed during build for antlr; it is not # needed at runtime and therefore does not need to be packed. @@ -51,6 +54,8 @@ DISTFILES = ${DISTNAME}.tar.gz DISTFILES += ghidra_${VERSION}_PUBLIC_${GHIDRA_DATE}${EXTRACT_SUFX}:0 DISTFILES += yajsw-stable-${YAJSW_VER}${EXTRACT_SUFX}:1 DISTFILES += ${JAR_DISTFILES:C/$/:2/} +DISTFILES += log4j-api-${LOG4J_VER}.jar:3 +DISTFILES += log4j-core-${LOG4J_VER}.jar:3 EXTRACT_ONLY = ${DISTNAME}.tar.gz @@ -138,5 +143,10 @@ do-install: ln -s ${TRUEPREFIX}/share/java/ghidra/ghidraRun ${PREFIX}/bin/ghidraRun ${INSTALL_SCRIPT} ${WRKSRC}/Ghidra/RuntimeScripts/Linux/support/launch.sh \ ${PREFIX}/share/java/ghidra/support/launch.sh + rm -f ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-{api,core}-*.jar + ${INSTALL_DATA} ${FULLDISTDIR}/log4j-api-${LOG4J_VER}.jar \ + ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/ + ${INSTALL_DATA} ${FULLDISTDIR}/log4j-core-${LOG4J_VER}.jar \ + ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/ .include Index: distinfo === RCS file: /cvs/ports/security/ghidra/distinfo,v retrieving revision 1.4 diff -u -p -r1.4 distinfo --- distinfo19 Jul 2020 01:29:23 - 1.4 +++ distinfo14 Dec 2021 04:43:32 - @@ -6,6 +6,8 @@ SHA256 (javacc-5.0.jar) = cRExYbyM9mQVFV SHA256 (jmockit-1.44.jar) = GXSZN1EzMkhCbdusNwpgSUTt9mXBPUakxelz5N2PqUo= SHA256 (json-simple-1.1.1.jar) = TmlpaJK4i0HFXUmrL9zCHurZK/VKzFiMAFBZbDt1GZw= SHA256 (junit-4.12.jar) = WXIfCAXiI9hLkGd4h9n/Vn3FNNfFAsqQPAwrF/BcEWo= +SHA256 (log4j-api-2.15.0.jar) = yMM+fo4FSW2uac8MqsjDCSz/2TehZFJukpItLVZtClU= +SHA256 (log4j-core-2.15.0.jar) = QZqFEolZcbe09PM+Yg02ElTlyVUrkEsEdLCd3UpqIgs= SHA256 (yajsw-stable-12.12.zip) = E5j8sek6uxmZLE+gbX/ldYqrtMRXgdfvMGxvV8p6cyE= SIZE (ST4-4.1.jar) = 253043 SIZE (ghidra-9.1.2.tar.gz) = 59623429 @@ -15,4 +17,6 @@ SIZE (javacc-5.0.jar) = 298569 SIZE (jmockit-1.44.jar) = 757982 SIZE (json-simple-1.1.1.jar) = 23931 SIZE (junit-4.12.jar) = 314932 +SIZE (log4j-api-2.15.0.jar) = 301804 +SIZE (log4j-core-2.15.0.jar) = 1789769 SIZE (yajsw-stable-12.12.zip) = 25051676 Index: pkg/PLIST === RCS file: /cvs/ports/security/ghidra/pkg/PLIST,v retrieving revision 1.4 diff -u -p -r1.4 PLIST --- pkg/PLIST 19 Jul 2020 01:29:23 - 1.4 +++ pkg/PLIST 14 Dec 2021 04:43:34 - @@ -2304,8 +2304,8 @@ share/java/ghidra/Ghidra/Framework/Gener share/java/ghidra/Ghidra/Framework/Generic/lib/commons-lang3-3.9.jar share/java/ghidra/Ghidra/Framework/Generic/lib/guava-19.0.jar share/java/ghidra/Ghidra/Framework/Generic/lib/jdom-legacy-1.1.3.jar -share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-api-2.8.2.jar -share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-core-2.8.2.jar +share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-api-2.15.0.jar +share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-core-2.15.0.jar share/java/ghidra/Ghidra/Framework/Graph/ share/java/ghidra/Ghidra/Framework/Graph/LICENSE.txt share/java/ghidra/Ghidra/Framework/Graph/Module.manifest