On 2021/12/14 00:12, Lawrence Teo wrote:
> The latest Ghidra release 10.1 has a fix for the log4j vulnerability;
> however, updating the port to that version is very complex and
> unfortunately I do not have enough time to work on it at the moment.
>
> As a workaround, this diff updates the log4j jar files in
> security/ghidra to 2.15.0. I was about to fetch the log4j jar files
> from https://logging.apache.org/log4j/2.x/download.html when I noticed
> sthen's net/unifi update which fetches them from spacehopper.org
> instead. This diff uses the latter approach.
>
> ok?
Ah I switched unifi over to using the proper distfiles from apache.org
before I read your mail, the ones I mirrored came from a newer version of
unifi. You can use them if you like but I can't vouch for exactly what's
in them other than "ubiquiti thought they were OK" - hashes differ
from the upstream release (I didn't look further into what was changed
in between them).
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/security/ghidra/Makefile,v
> retrieving revision 1.8
> diff -u -p -r1.8 Makefile
> --- Makefile 19 Jul 2020 01:29:23 -0000 1.8
> +++ Makefile 14 Dec 2021 04:43:32 -0000
> @@ -7,6 +7,7 @@ COMMENT = software reverse engineering (
>
> VERSION = 9.1.2
> GHIDRA_DATE = 20200212
> +REVISION = 0
>
> GH_ACCOUNT = NationalSecurityAgency
> GH_PROJECT = ghidra
> @@ -27,6 +28,7 @@ WANTLIB += c m ${COMPILER_LIBCXX}
> MASTER_SITES0 = ${HOMEPAGE}
> MASTER_SITES1 =
> https://sourceforge.net/projects/yajsw/files/yajsw/yajsw-stable-${YAJSW_VER}/
> MASTER_SITES2 = https://repo.maven.apache.org/maven2/
> +MASTER_SITES3 = https://spacehopper.org/mirrors/
>
> EXTRACT_SUFX = .zip
>
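
Review bot: MASTER_SITES3 on the added line points at a personal mirror (spacehopper.org), and the reply above says the jars there came from a unifi bundle whose hashes differ from the upstream release, so their provenance cannot be traced back to Apache. Point this at the upstream Apache distfiles instead; MASTER_SITES2 in this same hunk already uses repo.maven.apache.org, which may let the jars be fetched without adding a new site at all.
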
> @@ -37,6 +39,7 @@ JMOCKIT_VER = 1.44
> JSON_SIMPLE_VER = 1.1.1
> JUNIT_VER = 4.12
> YAJSW_VER = 12.12
> +LOG4J_VER = 2.15.0
>
> # Note that ST4-${ST4_VER}.jar is only needed during build for antlr; it is
> not
> # needed at runtime and therefore does not need to be packed.
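
Review bot: LOG4J_VER is added without a comment, although unlike the versions around it, it exists only to override the log4j jars that come with Ghidra 9.1.2 (the PLIST change below shows 2.8.2 being replaced). A one-line comment saying this is a workaround until the port moves to Ghidra 10.1 would tell the next person when the variable and the matching do-install lines can be removed.
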
> @@ -51,6 +54,8 @@ DISTFILES = ${DISTNAME}.tar.gz
> DISTFILES += ghidra_${VERSION}_PUBLIC_${GHIDRA_DATE}${EXTRACT_SUFX}:0
> DISTFILES += yajsw-stable-${YAJSW_VER}${EXTRACT_SUFX}:1
> DISTFILES += ${JAR_DISTFILES:C/$/:2/}
> +DISTFILES += log4j-api-${LOG4J_VER}.jar:3
> +DISTFILES += log4j-core-${LOG4J_VER}.jar:3
>
> EXTRACT_ONLY = ${DISTNAME}.tar.gz
>
> @@ -138,5 +143,10 @@ do-install:
> ln -s ${TRUEPREFIX}/share/java/ghidra/ghidraRun ${PREFIX}/bin/ghidraRun
> ${INSTALL_SCRIPT}
> ${WRKSRC}/Ghidra/RuntimeScripts/Linux/support/launch.sh \
> ${PREFIX}/share/java/ghidra/support/launch.sh
> + rm -f
> ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-{api,core}-*.jar
> + ${INSTALL_DATA} ${FULLDISTDIR}/log4j-api-${LOG4J_VER}.jar \
> + ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/
> + ${INSTALL_DATA} ${FULLDISTDIR}/log4j-core-${LOG4J_VER}.jar \
> + ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/
>
> .include <bsd.port.mk>
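
Review bot: the added "rm -f ... log4j-{api,core}-*.jar" in do-install relies on brace expansion, which is not part of POSIX sh, and -f hides the case where the pattern matches nothing, which would leave the old 2.8.2 jars installed next to the new ones. Spell out the two globs (log4j-api-*.jar and log4j-core-*.jar) so the removal does not depend on which shell make runs the command with.
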
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/security/ghidra/distinfo,v
> retrieving revision 1.4
> diff -u -p -r1.4 distinfo
> --- distinfo 19 Jul 2020 01:29:23 -0000 1.4
> +++ distinfo 14 Dec 2021 04:43:32 -0000
> @@ -6,6 +6,8 @@ SHA256 (javacc-5.0.jar) = cRExYbyM9mQVFV
> SHA256 (jmockit-1.44.jar) = GXSZN1EzMkhCbdusNwpgSUTt9mXBPUakxelz5N2PqUo=
> SHA256 (json-simple-1.1.1.jar) = TmlpaJK4i0HFXUmrL9zCHurZK/VKzFiMAFBZbDt1GZw=
> SHA256 (junit-4.12.jar) = WXIfCAXiI9hLkGd4h9n/Vn3FNNfFAsqQPAwrF/BcEWo=
> +SHA256 (log4j-api-2.15.0.jar) = yMM+fo4FSW2uac8MqsjDCSz/2TehZFJukpItLVZtClU=
> +SHA256 (log4j-core-2.15.0.jar) = QZqFEolZcbe09PM+Yg02ElTlyVUrkEsEdLCd3UpqIgs=
> SHA256 (yajsw-stable-12.12.zip) =
> E5j8sek6uxmZLE+gbX/ldYqrtMRXgdfvMGxvV8p6cyE=
> SIZE (ST4-4.1.jar) = 253043
> SIZE (ghidra-9.1.2.tar.gz) = 59623429
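
Review bot: the two SHA256 lines added here pin whatever spacehopper.org serves, and per the reply above those hashes differ from the upstream release, so distinfo would record integrity for the mirrored copies without tying them to what Apache published. After switching to the upstream distfiles, regenerate these entries (and the matching SIZE lines in the next hunk) with make makesum and compare them against the checksums on the Apache download page.
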
> @@ -15,4 +17,6 @@ SIZE (javacc-5.0.jar) = 298569
> SIZE (jmockit-1.44.jar) = 757982
> SIZE (json-simple-1.1.1.jar) = 23931
> SIZE (junit-4.12.jar) = 314932
> +SIZE (log4j-api-2.15.0.jar) = 301804
> +SIZE (log4j-core-2.15.0.jar) = 1789769
> SIZE (yajsw-stable-12.12.zip) = 25051676
> Index: pkg/PLIST
> ===================================================================
> RCS file: /cvs/ports/security/ghidra/pkg/PLIST,v
> retrieving revision 1.4
> diff -u -p -r1.4 PLIST
> --- pkg/PLIST 19 Jul 2020 01:29:23 -0000 1.4
> +++ pkg/PLIST 14 Dec 2021 04:43:34 -0000
> @@ -2304,8 +2304,8 @@ share/java/ghidra/Ghidra/Framework/Gener
> share/java/ghidra/Ghidra/Framework/Generic/lib/commons-lang3-3.9.jar
> share/java/ghidra/Ghidra/Framework/Generic/lib/guava-19.0.jar
> share/java/ghidra/Ghidra/Framework/Generic/lib/jdom-legacy-1.1.3.jar
> -share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-api-2.8.2.jar
> -share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-core-2.8.2.jar
> +share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-api-2.15.0.jar
> +share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-core-2.15.0.jar
> share/java/ghidra/Ghidra/Framework/Graph/
> share/java/ghidra/Ghidra/Framework/Graph/LICENSE.txt
> share/java/ghidra/Ghidra/Framework/Graph/Module.manifest
>