Re: security/ghidra - replace log4j
On Tue, Dec 14, 2021 at 10:45:52AM +, Stuart Henderson wrote:
> On 2021/12/14 00:12, Lawrence Teo wrote:
> > The latest Ghidra release 10.1 has a fix for the log4j vulnerability;
> > however, updating the port to that version is very complex and
> > unfortunately I do not have enough time to work on it at the moment.
> >
> > As a workaround, this diff updates the log4j jar files in
> > security/ghidra to 2.15.0. I was about to fetch the log4j jar files
> > from https://logging.apache.org/log4j/2.x/download.html when I noticed
> > sthen's net/unifi update which fetches them from spacehopper.org
> > instead. This diff uses the latter approach.
> >
> > ok?
>
> Ah I switched unifi over to using the proper distfiles from apache.org
> before I read your mail, the ones I mirrored came from a newer version of
> unifi. You can use them if you like but I can't vouch for exactly what's
> in them other than "ubiquiti thought they were OK" - hashes differ
> into the upstream release (I didn't look further to what was changed
> inbetween them).
Thank you for your feedback. I decided to use the ones from apache.org
as well (2.16.0). I have committed the fix.
> > Index: Makefile
> > ===
> > RCS file: /cvs/ports/security/ghidra/Makefile,v
> > retrieving revision 1.8
> > diff -u -p -r1.8 Makefile
> > --- Makefile19 Jul 2020 01:29:23 - 1.8
> > +++ Makefile14 Dec 2021 04:43:32 -
> > @@ -7,6 +7,7 @@ COMMENT = software reverse engineering (
> >
> > VERSION = 9.1.2
> > GHIDRA_DATE = 20200212
> > +REVISION = 0
> >
> > GH_ACCOUNT = NationalSecurityAgency
> > GH_PROJECT = ghidra
> > @@ -27,6 +28,7 @@ WANTLIB +=c m ${COMPILER_LIBCXX}
> > MASTER_SITES0 =${HOMEPAGE}
> > MASTER_SITES1 =
> > https://sourceforge.net/projects/yajsw/files/yajsw/yajsw-stable-${YAJSW_VER}/
> > MASTER_SITES2 =https://repo.maven.apache.org/maven2/
> > +MASTER_SITES3 =https://spacehopper.org/mirrors/
> >
> > EXTRACT_SUFX = .zip
> >
> > @@ -37,6 +39,7 @@ JMOCKIT_VER = 1.44
> > JSON_SIMPLE_VER = 1.1.1
> > JUNIT_VER =4.12
> > YAJSW_VER =12.12
> > +LOG4J_VER =2.15.0
> >
> > # Note that ST4-${ST4_VER}.jar is only needed during build for antlr; it
> > is not
> > # needed at runtime and therefore does not need to be packed.
> > @@ -51,6 +54,8 @@ DISTFILES = ${DISTNAME}.tar.gz
> > DISTFILES +=
> > ghidra_${VERSION}_PUBLIC_${GHIDRA_DATE}${EXTRACT_SUFX}:0
> > DISTFILES += yajsw-stable-${YAJSW_VER}${EXTRACT_SUFX}:1
> > DISTFILES += ${JAR_DISTFILES:C/$/:2/}
> > +DISTFILES += log4j-api-${LOG4J_VER}.jar:3
> > +DISTFILES += log4j-core-${LOG4J_VER}.jar:3
> >
> > EXTRACT_ONLY = ${DISTNAME}.tar.gz
> >
> > @@ -138,5 +143,10 @@ do-install:
> > ln -s ${TRUEPREFIX}/share/java/ghidra/ghidraRun ${PREFIX}/bin/ghidraRun
> > ${INSTALL_SCRIPT}
> > ${WRKSRC}/Ghidra/RuntimeScripts/Linux/support/launch.sh \
> > ${PREFIX}/share/java/ghidra/support/launch.sh
> > + rm -f
> > ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-{api,core}-*.jar
> > + ${INSTALL_DATA} ${FULLDISTDIR}/log4j-api-${LOG4J_VER}.jar \
> > + ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/
> > + ${INSTALL_DATA} ${FULLDISTDIR}/log4j-core-${LOG4J_VER}.jar \
> > + ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/
> >
> > .include
> > Index: distinfo
> > ===
> > RCS file: /cvs/ports/security/ghidra/distinfo,v
> > retrieving revision 1.4
> > diff -u -p -r1.4 distinfo
> > --- distinfo19 Jul 2020 01:29:23 - 1.4
> > +++ distinfo14 Dec 2021 04:43:32 -
> > @@ -6,6 +6,8 @@ SHA256 (javacc-5.0.jar) = cRExYbyM9mQVFV
> > SHA256 (jmockit-1.44.jar) = GXSZN1EzMkhCbdusNwpgSUTt9mXBPUakxelz5N2PqUo=
> > SHA256 (json-simple-1.1.1.jar) =
> > TmlpaJK4i0HFXUmrL9zCHurZK/VKzFiMAFBZbDt1GZw=
> > SHA256 (junit-4.12.jar) = WXIfCAXiI9hLkGd4h9n/Vn3FNNfFAsqQPAwrF/BcEWo=
> > +SHA256 (log4j-api-2.15.0.jar) =
> > yMM+fo4FSW2uac8MqsjDCSz/2TehZFJukpItLVZtClU=
> > +SHA256 (log4j-core-2.15.0.jar) =
> > QZqFEolZcbe09PM+Yg02ElTlyVUrkEsEdLCd3UpqIgs=
> > SHA256 (yajsw-stable-12.12.zip) =
> > E5j8sek6uxmZLE+gbX/ldYqrtMRXgdfvMGxvV8p6cyE=
> > SIZE (ST4-4.1.jar) = 253043
> > SIZE (ghidra-9.1.2.tar.gz) = 59623429
> > @@ -15,4 +17,6 @@ SIZE (javacc-5.0.jar) = 298569
> > SIZE (jmockit-1.44.jar) = 757982
> > SIZE (json-simple-1.1.1.jar) = 23931
> > SIZE (junit-4.12.jar) = 314932
> > +SIZE (log4j-api-2.15.0.jar) = 301804
> > +SIZE (log4j-core-2.15.0.jar) = 1789769
> > SIZE (yajsw-stable-12.12.zip) = 25051676
> > Index: pkg/PLIST
> > ===
> > RCS
Re: security/ghidra - replace log4j
On 2021/12/14 00:12, Lawrence Teo wrote:
> The latest Ghidra release 10.1 has a fix for the log4j vulnerability;
> however, updating the port to that version is very complex and
> unfortunately I do not have enough time to work on it at the moment.
>
> As a workaround, this diff updates the log4j jar files in
> security/ghidra to 2.15.0. I was about to fetch the log4j jar files
> from https://logging.apache.org/log4j/2.x/download.html when I noticed
> sthen's net/unifi update which fetches them from spacehopper.org
> instead. This diff uses the latter approach.
>
> ok?
Ah I switched unifi over to using the proper distfiles from apache.org
before I read your mail, the ones I mirrored came from a newer version of
unifi. You can use them if you like but I can't vouch for exactly what's
in them other than "ubiquiti thought they were OK" - hashes differ
into the upstream release (I didn't look further to what was changed
inbetween them).
>
> Index: Makefile
> ===
> RCS file: /cvs/ports/security/ghidra/Makefile,v
> retrieving revision 1.8
> diff -u -p -r1.8 Makefile
> --- Makefile 19 Jul 2020 01:29:23 - 1.8
> +++ Makefile 14 Dec 2021 04:43:32 -
> @@ -7,6 +7,7 @@ COMMENT = software reverse engineering (
>
> VERSION =9.1.2
> GHIDRA_DATE =20200212
> +REVISION = 0
>
> GH_ACCOUNT = NationalSecurityAgency
> GH_PROJECT = ghidra
> @@ -27,6 +28,7 @@ WANTLIB += c m ${COMPILER_LIBCXX}
> MASTER_SITES0 = ${HOMEPAGE}
> MASTER_SITES1 =
> https://sourceforge.net/projects/yajsw/files/yajsw/yajsw-stable-${YAJSW_VER}/
> MASTER_SITES2 = https://repo.maven.apache.org/maven2/
> +MASTER_SITES3 = https://spacehopper.org/mirrors/
>
> EXTRACT_SUFX = .zip
>
> @@ -37,6 +39,7 @@ JMOCKIT_VER = 1.44
> JSON_SIMPLE_VER =1.1.1
> JUNIT_VER = 4.12
> YAJSW_VER = 12.12
> +LOG4J_VER = 2.15.0
>
> # Note that ST4-${ST4_VER}.jar is only needed during build for antlr; it is
> not
> # needed at runtime and therefore does not need to be packed.
> @@ -51,6 +54,8 @@ DISTFILES = ${DISTNAME}.tar.gz
> DISTFILES += ghidra_${VERSION}_PUBLIC_${GHIDRA_DATE}${EXTRACT_SUFX}:0
> DISTFILES += yajsw-stable-${YAJSW_VER}${EXTRACT_SUFX}:1
> DISTFILES += ${JAR_DISTFILES:C/$/:2/}
> +DISTFILES += log4j-api-${LOG4J_VER}.jar:3
> +DISTFILES += log4j-core-${LOG4J_VER}.jar:3
>
> EXTRACT_ONLY = ${DISTNAME}.tar.gz
>
> @@ -138,5 +143,10 @@ do-install:
> ln -s ${TRUEPREFIX}/share/java/ghidra/ghidraRun ${PREFIX}/bin/ghidraRun
> ${INSTALL_SCRIPT}
> ${WRKSRC}/Ghidra/RuntimeScripts/Linux/support/launch.sh \
> ${PREFIX}/share/java/ghidra/support/launch.sh
> + rm -f
> ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-{api,core}-*.jar
> + ${INSTALL_DATA} ${FULLDISTDIR}/log4j-api-${LOG4J_VER}.jar \
> + ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/
> + ${INSTALL_DATA} ${FULLDISTDIR}/log4j-core-${LOG4J_VER}.jar \
> + ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/
>
> .include
> Index: distinfo
> ===
> RCS file: /cvs/ports/security/ghidra/distinfo,v
> retrieving revision 1.4
> diff -u -p -r1.4 distinfo
> --- distinfo 19 Jul 2020 01:29:23 - 1.4
> +++ distinfo 14 Dec 2021 04:43:32 -
> @@ -6,6 +6,8 @@ SHA256 (javacc-5.0.jar) = cRExYbyM9mQVFV
> SHA256 (jmockit-1.44.jar) = GXSZN1EzMkhCbdusNwpgSUTt9mXBPUakxelz5N2PqUo=
> SHA256 (json-simple-1.1.1.jar) = TmlpaJK4i0HFXUmrL9zCHurZK/VKzFiMAFBZbDt1GZw=
> SHA256 (junit-4.12.jar) = WXIfCAXiI9hLkGd4h9n/Vn3FNNfFAsqQPAwrF/BcEWo=
> +SHA256 (log4j-api-2.15.0.jar) = yMM+fo4FSW2uac8MqsjDCSz/2TehZFJukpItLVZtClU=
> +SHA256 (log4j-core-2.15.0.jar) = QZqFEolZcbe09PM+Yg02ElTlyVUrkEsEdLCd3UpqIgs=
> SHA256 (yajsw-stable-12.12.zip) =
> E5j8sek6uxmZLE+gbX/ldYqrtMRXgdfvMGxvV8p6cyE=
> SIZE (ST4-4.1.jar) = 253043
> SIZE (ghidra-9.1.2.tar.gz) = 59623429
> @@ -15,4 +17,6 @@ SIZE (javacc-5.0.jar) = 298569
> SIZE (jmockit-1.44.jar) = 757982
> SIZE (json-simple-1.1.1.jar) = 23931
> SIZE (junit-4.12.jar) = 314932
> +SIZE (log4j-api-2.15.0.jar) = 301804
> +SIZE (log4j-core-2.15.0.jar) = 1789769
> SIZE (yajsw-stable-12.12.zip) = 25051676
> Index: pkg/PLIST
> ===
> RCS file: /cvs/ports/security/ghidra/pkg/PLIST,v
> retrieving revision 1.4
> diff -u -p -r1.4 PLIST
> --- pkg/PLIST 19 Jul 2020 01:29:23 - 1.4
> +++ pkg/PLIST 14 Dec 2021 04:43:34 -
> @@ -2304,8 +2304,8 @@ share/java/ghidra/Ghidra/Framework/Gener
> share/java/ghidra/Ghidra/Framework/Generic/lib/commons-lang3-3.9.jar
> share/java/ghidra/Ghidra/Framework/Generic/lib/guava-19.0.jar
>
security/ghidra - replace log4j
The latest Ghidra release 10.1 has a fix for the log4j vulnerability;
however, updating the port to that version is very complex and
unfortunately I do not have enough time to work on it at the moment.
As a workaround, this diff updates the log4j jar files in
security/ghidra to 2.15.0. I was about to fetch the log4j jar files
from https://logging.apache.org/log4j/2.x/download.html when I noticed
sthen's net/unifi update which fetches them from spacehopper.org
instead. This diff uses the latter approach.
ok?
Index: Makefile
===
RCS file: /cvs/ports/security/ghidra/Makefile,v
retrieving revision 1.8
diff -u -p -r1.8 Makefile
--- Makefile19 Jul 2020 01:29:23 - 1.8
+++ Makefile14 Dec 2021 04:43:32 -
@@ -7,6 +7,7 @@ COMMENT = software reverse engineering (
VERSION = 9.1.2
GHIDRA_DATE = 20200212
+REVISION = 0
GH_ACCOUNT = NationalSecurityAgency
GH_PROJECT = ghidra
@@ -27,6 +28,7 @@ WANTLIB +=c m ${COMPILER_LIBCXX}
MASTER_SITES0 =${HOMEPAGE}
MASTER_SITES1 =
https://sourceforge.net/projects/yajsw/files/yajsw/yajsw-stable-${YAJSW_VER}/
MASTER_SITES2 =https://repo.maven.apache.org/maven2/
+MASTER_SITES3 =https://spacehopper.org/mirrors/
EXTRACT_SUFX = .zip
@@ -37,6 +39,7 @@ JMOCKIT_VER = 1.44
JSON_SIMPLE_VER = 1.1.1
JUNIT_VER =4.12
YAJSW_VER =12.12
+LOG4J_VER =2.15.0
# Note that ST4-${ST4_VER}.jar is only needed during build for antlr; it is not
# needed at runtime and therefore does not need to be packed.
@@ -51,6 +54,8 @@ DISTFILES = ${DISTNAME}.tar.gz
DISTFILES += ghidra_${VERSION}_PUBLIC_${GHIDRA_DATE}${EXTRACT_SUFX}:0
DISTFILES += yajsw-stable-${YAJSW_VER}${EXTRACT_SUFX}:1
DISTFILES += ${JAR_DISTFILES:C/$/:2/}
+DISTFILES += log4j-api-${LOG4J_VER}.jar:3
+DISTFILES += log4j-core-${LOG4J_VER}.jar:3
EXTRACT_ONLY = ${DISTNAME}.tar.gz
@@ -138,5 +143,10 @@ do-install:
ln -s ${TRUEPREFIX}/share/java/ghidra/ghidraRun ${PREFIX}/bin/ghidraRun
${INSTALL_SCRIPT}
${WRKSRC}/Ghidra/RuntimeScripts/Linux/support/launch.sh \
${PREFIX}/share/java/ghidra/support/launch.sh
+ rm -f
${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-{api,core}-*.jar
+ ${INSTALL_DATA} ${FULLDISTDIR}/log4j-api-${LOG4J_VER}.jar \
+ ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/
+ ${INSTALL_DATA} ${FULLDISTDIR}/log4j-core-${LOG4J_VER}.jar \
+ ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/
.include
Index: distinfo
===
RCS file: /cvs/ports/security/ghidra/distinfo,v
retrieving revision 1.4
diff -u -p -r1.4 distinfo
--- distinfo19 Jul 2020 01:29:23 - 1.4
+++ distinfo14 Dec 2021 04:43:32 -
@@ -6,6 +6,8 @@ SHA256 (javacc-5.0.jar) = cRExYbyM9mQVFV
SHA256 (jmockit-1.44.jar) = GXSZN1EzMkhCbdusNwpgSUTt9mXBPUakxelz5N2PqUo=
SHA256 (json-simple-1.1.1.jar) = TmlpaJK4i0HFXUmrL9zCHurZK/VKzFiMAFBZbDt1GZw=
SHA256 (junit-4.12.jar) = WXIfCAXiI9hLkGd4h9n/Vn3FNNfFAsqQPAwrF/BcEWo=
+SHA256 (log4j-api-2.15.0.jar) = yMM+fo4FSW2uac8MqsjDCSz/2TehZFJukpItLVZtClU=
+SHA256 (log4j-core-2.15.0.jar) = QZqFEolZcbe09PM+Yg02ElTlyVUrkEsEdLCd3UpqIgs=
SHA256 (yajsw-stable-12.12.zip) = E5j8sek6uxmZLE+gbX/ldYqrtMRXgdfvMGxvV8p6cyE=
SIZE (ST4-4.1.jar) = 253043
SIZE (ghidra-9.1.2.tar.gz) = 59623429
@@ -15,4 +17,6 @@ SIZE (javacc-5.0.jar) = 298569
SIZE (jmockit-1.44.jar) = 757982
SIZE (json-simple-1.1.1.jar) = 23931
SIZE (junit-4.12.jar) = 314932
+SIZE (log4j-api-2.15.0.jar) = 301804
+SIZE (log4j-core-2.15.0.jar) = 1789769
SIZE (yajsw-stable-12.12.zip) = 25051676
Index: pkg/PLIST
===
RCS file: /cvs/ports/security/ghidra/pkg/PLIST,v
retrieving revision 1.4
diff -u -p -r1.4 PLIST
--- pkg/PLIST 19 Jul 2020 01:29:23 - 1.4
+++ pkg/PLIST 14 Dec 2021 04:43:34 -
@@ -2304,8 +2304,8 @@ share/java/ghidra/Ghidra/Framework/Gener
share/java/ghidra/Ghidra/Framework/Generic/lib/commons-lang3-3.9.jar
share/java/ghidra/Ghidra/Framework/Generic/lib/guava-19.0.jar
share/java/ghidra/Ghidra/Framework/Generic/lib/jdom-legacy-1.1.3.jar
-share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-api-2.8.2.jar
-share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-core-2.8.2.jar
+share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-api-2.15.0.jar
+share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-core-2.15.0.jar
share/java/ghidra/Ghidra/Framework/Graph/
share/java/ghidra/Ghidra/Framework/Graph/LICENSE.txt
share/java/ghidra/Ghidra/Framework/Graph/Module.manifest
