The latest Ghidra release 10.1 has a fix for the log4j vulnerability; however, updating the port to that version is very complex and unfortunately I do not have enough time to work on it at the moment.
As a workaround, this diff updates the log4j jar files in security/ghidra to 2.15.0. I was about to fetch the log4j jar files from https://logging.apache.org/log4j/2.x/download.html when I noticed sthen's net/unifi update which fetches them from spacehopper.org instead. This diff uses the latter approach. ok? Index: Makefile =================================================================== RCS file: /cvs/ports/security/ghidra/Makefile,v retrieving revision 1.8 diff -u -p -r1.8 Makefile --- Makefile 19 Jul 2020 01:29:23 -0000 1.8 +++ Makefile 14 Dec 2021 04:43:32 -0000 @@ -7,6 +7,7 @@ COMMENT = software reverse engineering ( VERSION = 9.1.2 GHIDRA_DATE = 20200212 +REVISION = 0 GH_ACCOUNT = NationalSecurityAgency GH_PROJECT = ghidra @@ -27,6 +28,7 @@ WANTLIB += c m ${COMPILER_LIBCXX} MASTER_SITES0 = ${HOMEPAGE} MASTER_SITES1 = https://sourceforge.net/projects/yajsw/files/yajsw/yajsw-stable-${YAJSW_VER}/ MASTER_SITES2 = https://repo.maven.apache.org/maven2/ +MASTER_SITES3 = https://spacehopper.org/mirrors/ EXTRACT_SUFX = .zip @@ -37,6 +39,7 @@ JMOCKIT_VER = 1.44 JSON_SIMPLE_VER = 1.1.1 JUNIT_VER = 4.12 YAJSW_VER = 12.12 +LOG4J_VER = 2.15.0 # Note that ST4-${ST4_VER}.jar is only needed during build for antlr; it is not # needed at runtime and therefore does not need to be packed. @@ -51,6 +54,8 @@ DISTFILES = ${DISTNAME}.tar.gz DISTFILES += ghidra_${VERSION}_PUBLIC_${GHIDRA_DATE}${EXTRACT_SUFX}:0 DISTFILES += yajsw-stable-${YAJSW_VER}${EXTRACT_SUFX}:1 DISTFILES += ${JAR_DISTFILES:C/$/:2/} +DISTFILES += log4j-api-${LOG4J_VER}.jar:3 +DISTFILES += log4j-core-${LOG4J_VER}.jar:3 EXTRACT_ONLY = ${DISTNAME}.tar.gz 
@@ -138,5 +143,10 @@ do-install: ln -s ${TRUEPREFIX}/share/java/ghidra/ghidraRun ${PREFIX}/bin/ghidraRun ${INSTALL_SCRIPT} ${WRKSRC}/Ghidra/RuntimeScripts/Linux/support/launch.sh \ ${PREFIX}/share/java/ghidra/support/launch.sh + rm -f ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-{api,core}-*.jar + ${INSTALL_DATA} ${FULLDISTDIR}/log4j-api-${LOG4J_VER}.jar \ + ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/ + ${INSTALL_DATA} ${FULLDISTDIR}/log4j-core-${LOG4J_VER}.jar \ + ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/ .include <bsd.port.mk> Index: distinfo =================================================================== RCS file: /cvs/ports/security/ghidra/distinfo,v retrieving revision 1.4 diff -u -p -r1.4 distinfo --- distinfo 19 Jul 2020 01:29:23 -0000 1.4 +++ distinfo 14 Dec 2021 04:43:32 -0000 @@ -6,6 +6,8 @@ SHA256 (javacc-5.0.jar) = cRExYbyM9mQVFV SHA256 (jmockit-1.44.jar) = GXSZN1EzMkhCbdusNwpgSUTt9mXBPUakxelz5N2PqUo= SHA256 (json-simple-1.1.1.jar) = TmlpaJK4i0HFXUmrL9zCHurZK/VKzFiMAFBZbDt1GZw= SHA256 (junit-4.12.jar) = WXIfCAXiI9hLkGd4h9n/Vn3FNNfFAsqQPAwrF/BcEWo= +SHA256 (log4j-api-2.15.0.jar) = yMM+fo4FSW2uac8MqsjDCSz/2TehZFJukpItLVZtClU= +SHA256 (log4j-core-2.15.0.jar) = QZqFEolZcbe09PM+Yg02ElTlyVUrkEsEdLCd3UpqIgs= SHA256 (yajsw-stable-12.12.zip) = E5j8sek6uxmZLE+gbX/ldYqrtMRXgdfvMGxvV8p6cyE= SIZE (ST4-4.1.jar) = 253043 SIZE (ghidra-9.1.2.tar.gz) = 59623429 @@ -15,4 +17,6 @@ SIZE (javacc-5.0.jar) = 298569 SIZE (jmockit-1.44.jar) = 757982 SIZE (json-simple-1.1.1.jar) = 23931 SIZE (junit-4.12.jar) = 314932 +SIZE (log4j-api-2.15.0.jar) = 301804 +SIZE (log4j-core-2.15.0.jar) = 1789769 SIZE (yajsw-stable-12.12.zip) = 25051676 Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/security/ghidra/pkg/PLIST,v retrieving revision 1.4 diff -u -p -r1.4 PLIST --- pkg/PLIST 19 Jul 2020 01:29:23 -0000 1.4 +++ pkg/PLIST 14 Dec 2021 04:43:34 -0000 
@@ -2304,8 +2304,8 @@ share/java/ghidra/Ghidra/Framework/Gener share/java/ghidra/Ghidra/Framework/Generic/lib/commons-lang3-3.9.jar share/java/ghidra/Ghidra/Framework/Generic/lib/guava-19.0.jar share/java/ghidra/Ghidra/Framework/Generic/lib/jdom-legacy-1.1.3.jar -share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-api-2.8.2.jar -share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-core-2.8.2.jar +share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-api-2.15.0.jar +share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-core-2.15.0.jar share/java/ghidra/Ghidra/Framework/Graph/ share/java/ghidra/Ghidra/Framework/Graph/LICENSE.txt share/java/ghidra/Ghidra/Framework/Graph/Module.manifest
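Review bot: In the Makefile hunk that adds `MASTER_SITES3 = https://spacehopper.org/mirrors/`, nothing in the Makefile records why the log4j jars come from a third-party mirror rather than from upstream. The port already defines `MASTER_SITES2 = https://repo.maven.apache.org/maven2/` for its other jars, so it is worth checking whether the two log4j distfiles can be fetched with the existing `:2` suffix. If the mirror stays, a one-line comment above `MASTER_SITES3` naming what it is used for would help whoever does the next update.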
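Review bot: In the do-install hunk, `rm -f ${PREFIX}/share/java/ghidra/Ghidra/Framework/Generic/lib/log4j-{api,core}-*.jar` depends on the shell that make invokes performing brace expansion, which POSIX sh does not guarantee, and `-f` hides the case where the pattern matches nothing. Two explicit patterns (`log4j-api-*.jar` and `log4j-core-*.jar`) remove that dependency. The command also only cleans `Framework/Generic/lib`, so it would be good to confirm that no other log4j-core jar ends up elsewhere under `${PREFIX}/share/java/ghidra` after the fake install. The destination directory is repeated three times and could go in a variable.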
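Review bot: In the distinfo hunk, the two new SHA256 lines for `log4j-api-2.15.0.jar` and `log4j-core-2.15.0.jar` are the only integrity check on files fetched from the mirror, so they should be derived independently of that mirror. Please confirm that the hashes and SIZE values match the jars obtained from the Apache download page mentioned in the message, rather than being generated from whatever the mirror served.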
