On 2021/12/14 00:12, Lawrence Teo wrote:
> The latest Ghidra release 10.1 has a fix for the log4j vulnerability;
> however, updating the port to that version is very complex and
> unfortunately I do not have enough time to work on it at the moment.
>
> As a workaround, this diff updates the log4j jar files in
> security/ghidra to 2.15.0. I was about to fetch the log4j jar files
> from https://logging.apache.org/log4j/2.x/download.html when I noticed
> sthen's net/unifi update which fetches them from spacehopper.org
> instead. This diff uses the latter approach.
>
> ok?

Ah, I switched unifi over to using the proper distfiles from apache.org before I read your mail; the ones I mirrored came from a newer version of unifi. You can use them if you like, but I can't vouch for exactly what's in them other than "ubiquiti thought they were OK" - hashes differ from the upstream release (I didn't look further into what was changed in between them).

> > Index: Makefile > =================================================================== > RCS file: /cvs/ports/security/ghidra/Makefile,v > retrieving revision 1.8 > diff -u -p -r1.8 Makefile > --- Makefile 19 Jul 2020 01:29:23 -0000 1.8 > +++ Makefile 14 Dec 2021 04:43:32 -0000 > @@ -7,6 +7,7 @@ COMMENT = software reverse engineering ( > > VERSION = 9.1.2 > GHIDRA_DATE = 20200212 > +REVISION = 0 > > GH_ACCOUNT = NationalSecurityAgency > GH_PROJECT = ghidra > @@ -27,6 +28,7 @@ WANTLIB += c m ${COMPILER_LIBCXX} > MASTER_SITES0 = ${HOMEPAGE} > MASTER_SITES1 = > https://sourceforge.net/projects/yajsw/files/yajsw/yajsw-stable-${YAJSW_VER}/ > MASTER_SITES2 = https://repo.maven.apache.org/maven2/ > +MASTER_SITES3 = https://spacehopper.org/mirrors/ > > EXTRACT_SUFX = .zip > > @@ -37,6 +39,7 @@ JMOCKIT_VER = 1.44 > JSON_SIMPLE_VER = 1.1.1 > JUNIT_VER = 4.12 > YAJSW_VER = 12.12 > +LOG4J_VER = 2.15.0 > > # Note that ST4-${ST4_VER}.jar is only needed during build for antlr; it is > not > # needed at runtime and therefore does not need to be packed. > @@ -51,6 +54,8 @@ DISTFILES = ${DISTNAME}.tar.gz > DISTFILES += ghidra_${VERSION}_PUBLIC_${GHIDRA_DATE}${EXTRACT_SUFX}:0 > DISTFILES += yajsw-stable-${YAJSW_VER}${EXTRACT_SUFX}:1 > DISTFILES += ${JAR_DISTFILES:C/$/:2/} > +DISTFILES += log4j-api-${LOG4J_VER}.jar:3 > +DISTFILES += log4j-core-${LOG4J_VER}.jar:3 > > EXTRACT_ONLY = ${DISTNAME}.tar.gz 
> > @@ -138,5 +143,10 @@ do-install: > ln -s ${TRUEPREFIX}/share/java/ghidra/ghidraRun ${PREFIX}/bin/ghidraRun > ${INSTALL_SCRIPT} > ${WRKSRC}/Ghidra/RuntimeScripts/Linux/support/launch.sh \ > ${PREFIX}/share/java/ghidra/support/launch.sh > + rm -f > ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-{api,core}-*.jar > + ${INSTALL_DATA} ${FULLDISTDIR}/log4j-api-${LOG4J_VER}.jar \ > + ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/ > + ${INSTALL_DATA} ${FULLDISTDIR}/log4j-core-${LOG4J_VER}.jar \ > + ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/ > > .include <bsd.port.mk> > Index: distinfo > =================================================================== > RCS file: /cvs/ports/security/ghidra/distinfo,v > retrieving revision 1.4 > diff -u -p -r1.4 distinfo > --- distinfo 19 Jul 2020 01:29:23 -0000 1.4 > +++ distinfo 14 Dec 2021 04:43:32 -0000 > @@ -6,6 +6,8 @@ SHA256 (javacc-5.0.jar) = cRExYbyM9mQVFV > SHA256 (jmockit-1.44.jar) = GXSZN1EzMkhCbdusNwpgSUTt9mXBPUakxelz5N2PqUo= > SHA256 (json-simple-1.1.1.jar) = TmlpaJK4i0HFXUmrL9zCHurZK/VKzFiMAFBZbDt1GZw= > SHA256 (junit-4.12.jar) = WXIfCAXiI9hLkGd4h9n/Vn3FNNfFAsqQPAwrF/BcEWo= > +SHA256 (log4j-api-2.15.0.jar) = yMM+fo4FSW2uac8MqsjDCSz/2TehZFJukpItLVZtClU= > +SHA256 (log4j-core-2.15.0.jar) = QZqFEolZcbe09PM+Yg02ElTlyVUrkEsEdLCd3UpqIgs= > SHA256 (yajsw-stable-12.12.zip) = > E5j8sek6uxmZLE+gbX/ldYqrtMRXgdfvMGxvV8p6cyE= > SIZE (ST4-4.1.jar) = 253043 > SIZE (ghidra-9.1.2.tar.gz) = 59623429 
> @@ -15,4 +17,6 @@ SIZE (javacc-5.0.jar) = 298569 > SIZE (jmockit-1.44.jar) = 757982 > SIZE (json-simple-1.1.1.jar) = 23931 > SIZE (junit-4.12.jar) = 314932 > +SIZE (log4j-api-2.15.0.jar) = 301804 > +SIZE (log4j-core-2.15.0.jar) = 1789769 > SIZE (yajsw-stable-12.12.zip) = 25051676 > Index: pkg/PLIST > =================================================================== > RCS file: /cvs/ports/security/ghidra/pkg/PLIST,v > retrieving revision 1.4 > diff -u -p -r1.4 PLIST > --- pkg/PLIST 19 Jul 2020 01:29:23 -0000 1.4 > +++ pkg/PLIST 14 Dec 2021 04:43:34 -0000 > @@ -2304,8 +2304,8 @@ share/java/ghidra/Ghidra/Framework/Gener > share/java/ghidra/Ghidra/Framework/Generic/lib/commons-lang3-3.9.jar > share/java/ghidra/Ghidra/Framework/Generic/lib/guava-19.0.jar > share/java/ghidra/Ghidra/Framework/Generic/lib/jdom-legacy-1.1.3.jar > -share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-api-2.8.2.jar > -share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-core-2.8.2.jar > +share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-api-2.15.0.jar > +share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-core-2.15.0.jar > share/java/ghidra/Ghidra/Framework/Graph/ > share/java/ghidra/Ghidra/Framework/Graph/LICENSE.txt > share/java/ghidra/Ghidra/Framework/Graph/Module.manifest >
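
Review bot: In the Makefile hunk that adds `MASTER_SITES3 = https://spacehopper.org/mirrors/`, the two `:3` distfiles are fetched from a third-party mirror, and the reply above states that the mirrored jars' hashes differ from the upstream release and that their contents cannot be vouched for. The `SHA256 (log4j-api-2.15.0.jar)` and `SHA256 (log4j-core-2.15.0.jar)` lines added to distinfo therefore pin those mirrored files, not the upstream artifacts. Point `MASTER_SITES3` at the upstream Apache distfiles, as was done for net/unifi, and regenerate the distinfo SHA256 and SIZE entries against them before committing.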
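
Review bot: In the do-install hunk, `rm -f .../Generic/lib/log4j-{api,core}-*.jar` depends on brace expansion, which POSIX sh does not specify. If the shell running the recipe does not expand the braces, the pattern matches nothing, `rm -f` returns success silently, and the bundled 2.8.2 jars stay in `Ghidra/Framework/Generic/lib/` next to the 2.15.0 ones. Spell out the two globs instead, `log4j-api-*.jar` and `log4j-core-*.jar`, and consider checking after the install step that only the `${LOG4J_VER}` jars remain in that directory, since the PLIST hunk drops the 2.8.2 entries on the assumption that they are gone.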