[PATCH][SECURITY] gnu: java-log4j-api: Update to 2.15.0.

Details
2 participants
  • Julien Lepiller
  • Ludovic Courtès
Owner
unassigned
Submitted by
Julien Lepiller
Severity
normal
Julien Lepiller wrote on 11 Dec 2021 03:11
(address . guix-patches@gnu.org)
20211211031159.29aa79db@tachikoma.lepiller.eu
Hi Guix!

today I learnt about a CVE on log4j. Looking more closely, it seems
that log4j2 has had 3 CVEs (at least 3 are listed on
https://logging.apache.org/log4j/2.x/security.html) and we're
vulnerable to all of them \o/

This series updates to the latest version. Thankfully, log4j keeps a
stable API, so there's no breakage in dependents, but a few
dependencies had to be added/updated.
Julien Lepiller wrote on 11 Dec 2021 03:23
[PATCH 1/5] gnu: java-jansi: Update to 2.4.0.
(address . 52421@debbugs.gnu.org)
b2989b1eb92a37ceaa1e573385606e9231f8d12e.1639188753.git.julien@lepiller.eu
* gnu/packages/java.scm (java-jansi): Update to 2.4.0.
(java-jansi-1): New variable.
(java-jline-2)[inputs]: Use java-jansi-1.
* gnu/packages/groovy.scm (java-groovy-bootstrap)[inputs]: Use java-jansi-1.
---
gnu/packages/groovy.scm | 2 +-
gnu/packages/java.scm | 82 +++++++++++++++++++++++++++++++++++------
2 files changed, 71 insertions(+), 13 deletions(-)

diff --git a/gnu/packages/groovy.scm b/gnu/packages/groovy.scm
index c44a17b59e..382dfe7faf 100644
--- a/gnu/packages/groovy.scm
+++ b/gnu/packages/groovy.scm
@@ -102,7 +102,7 @@ (define java-groovy-bootstrap
("java-asm-util" ,java-asm-util-8)
("java-classpathx-servletapi" ,java-classpathx-servletapi)
("java-commons-cli" ,java-commons-cli)
- ("java-jansi" ,java-jansi)
+ ("java-jansi" ,java-jansi-1)
("java-jline-2" ,java-jline-2)
("java-picocli" ,java-picocli)
("java-xstream" ,java-xstream)))
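Review bot: nothing in this hunk or the commit message records why java-groovy-bootstrap has to stay on the 1.x series (java-jansi-1) while the default java-jansi moves to 2.4.0; a one-line comment next to the input stating the reason would keep the next updater from "fixing" it back to java-jansi.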
diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 36424ee8b1..51b8bc673d 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -12134,15 +12134,78 @@ (define-public java-jansi-native
(define-public java-jansi
(package
(name "java-jansi")
+ (version "2.4.0")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/fusesource/jansi")
+ (commit (string-append "jansi-" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1s6fva06990798b5fyxqzr30zwyj1byq5wrm54j2larcydaryggf"))
+ (modules '((guix build utils)))
+ (snippet
+ ;; contains pre-compiled libraries
+ '(delete-file-recursively
+ "src/main/resources/org/fusesource/jansi/internal"))))
+ (build-system ant-build-system)
+ (arguments
+ `(#:jar-name "jansi.jar"
+ #:source-dir "src/main/java"
+ #:test-dir "src/test"
+ #:tests? #f; require junit 3
+ #:phases
+ (modify-phases %standard-phases
+ (add-before 'build 'build-native
+ (lambda* (#:key inputs #:allow-other-keys)
+ (with-directory-excursion "src/main/native"
+ (invoke "gcc" "-c" "jansi_ttyname.c" "-o" "jansi_ttyname.o"
+ (string-append "-I" (assoc-ref inputs "jdk")
+ "/include/linux")
+ "-fPIC" "-O2")
+ (invoke "gcc" "-o" "libjansi.so" "-shared" "jansi_ttyname.o"))))
+ (add-before 'build 'install-native
+ (lambda _
+ (let ((dir (string-append "build/classes/META-INF/org/fusesource/"
+ "jansi/internal/native/"
+ ,(match (%current-system)
+ ("i686-linux" "linux/x86")
+ ("x86_64-linux" "linux/x86_64")
+ ("armhf-linux" "linux/armv7")
+ ("aarch64-linux" "linux/arm64")
+ ("mips64el-linux" "linux/mips64")
+ (_ "unknown-kernel")))))
+ (install-file "src/main/native/libjansi.so" dir))
+ #t))
+ (add-before 'build 'copy-resources
+ (lambda _
+ (copy-recursively "src/main/resources" "build/classes")
+ #t))
+ (add-after 'check 'clear-term
+ (lambda _
+ (invoke "echo" "-e" "\\e[0m")))
+ (replace 'install
+ (install-from-pom "pom.xml")))))
+ (home-page "https://fusesource.github.io/jansi/")
+ (synopsis "Portable ANSI escape sequences")
+ (description "Jansi is a Java library that allows you to use ANSI escape
+sequences to format your console output which works on every platform.")
+ (license license:asl2.0)))
+
+(define-public java-jansi-1
+ (package
+ (inherit java-jansi)
(version "1.16")
(source (origin
- (method url-fetch)
- (uri (string-append "https://github.com/fusesource/jansi/archive/"
- "jansi-project-" version ".tar.gz"))
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/fusesource/jansi")
+ (commit (string-append "jansi-project-" version))))
+ (file-name (git-file-name "jansi" version))
(sha256
(base32
- "11kh3144i3fzp21dpy8zg52mjmsr214k7km9p8ly0rqk2px0qq2z"))))
- (build-system ant-build-system)
+ "0ikk0x352gh30b42qn1jd89xwsjj0mavrc5kms7fss15bd8vsayx"))))
(arguments
`(#:jar-name "jansi.jar"
#:source-dir "jansi/src/main/java"
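Review bot: in the install-native phase, the `(_ "unknown-kernel")` fallback of the `match` on `%current-system` makes the build succeed on any unlisted system while installing libjansi.so under a directory no platform loader will look in, so the failure only shows up at runtime as a missing native library; raising an `error` in that branch would surface it at build time instead. Two smaller points: `#:tests? #f; require junit 3` wants a space before the comment (`#:tests? #f ; requires junit 3`), and with tests disabled the `clear-term` phase added after 'check has no test output to reset, so it and its `echo -e` call can be dropped.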
@@ -12173,12 +12236,7 @@ (define-public java-jansi
`(("java-jansi-native" ,java-jansi-native)))
(native-inputs
`(("java-junit" ,java-junit)
- ("java-hamcrest-core" ,java-hamcrest-core)))
- (home-page "https://fusesource.github.io/jansi/")
- (synopsis "Portable ANSI escape sequences")
- (description "Jansi is a Java library that allows you to use ANSI escape
-sequences to format your console output which works on every platform.")
- (license license:asl2.0)))
+ ("java-hamcrest-core" ,java-hamcrest-core)))))
(define-public java-jboss-el-api-spec
(package
@@ -12541,7 +12599,7 @@ (define-public java-jline-2
`(#:jdk ,icedtea-8
,@(package-arguments java-jline)))
(inputs
- `(("java-jansi" ,java-jansi)
+ `(("java-jansi" ,java-jansi-1)
("java-jansi-native" ,java-jansi-native)))
(native-inputs
`(("java-powermock-modules-junit4" ,java-powermock-modules-junit4)
--
2.34.0
Julien Lepiller wrote on 11 Dec 2021 03:23
[PATCH 2/5] gnu: Add java-jctools-core-1.
(address . 52421@debbugs.gnu.org)
50efd67f908049eaf546d02e2b65aa17ec90c471.1639188753.git.julien@lepiller.eu
* gnu/packages/java.scm (java-jctools-core-1): New variable.
---
gnu/packages/java.scm | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)

diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 51b8bc673d..f37baabd37 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -11350,6 +11350,33 @@ (define-public java-lmax-disruptor
message queues or resource locking.")
(license license:asl2.0)))
+(define-public java-jctools-core-1
+ (package
+ (name "java-jctools-core")
+ (version "1.2.1")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/JCTools/JCTools")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "105my29nwd4djvdllmq8s3jdzbyplbkxzwmddxiiilb4yqr1pghb"))))
+ (build-system ant-build-system)
+ (arguments
+ `(#:jar-name "java-jctools-core.jar"
+ #:source-dir "jctools-core/src/main/java"
+ #:test-dir "jctools-core/src/test"))
+ (native-inputs
+ `(("java-junit" ,java-junit)
+ ("java-hamcrest-all" ,java-hamcrest-all)))
+ (home-page "https://github.com/JCTools/JCTools")
+ (synopsis "Concurrency Tools for Java")
+ (description "This library implement concurrent data structures that are
+not natively available in Java.")
+ (license license:asl2.0)))
+
(define-public java-commons-bcel
(package
(name "java-commons-bcel")
--
2.34.0
Julien Lepiller wrote on 11 Dec 2021 03:23
[PATCH 3/5] gnu: Add java-conversant-disruptor.
(address . 52421@debbugs.gnu.org)
af4af13e00c73dfa54bd46cf9b7c7e534f09ad0d.1639188753.git.julien@lepiller.eu
* gnu/packages/java.scm (java-conversant-disruptor): New variable.
---
gnu/packages/java.scm | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)

diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index f37baabd37..192105008f 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -11350,6 +11350,41 @@ (define-public java-lmax-disruptor
message queues or resource locking.")
(license license:asl2.0)))
+(define-public java-conversant-disruptor
+ (package
+ (name "java-conversant-disruptor")
+ (version "1.2.19")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/conversant/disruptor")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "0gx1dm7sfg7pa05cs4qby10gfcplai5b5lf1f7ik1a76dh3vhl0g"))))
+ (build-system ant-build-system)
+ (arguments
+ `(#:jar-name "java-conversant-disruptor.jar"
+ #:source-dir "src/main/java"
+ #:phases
+ (modify-phases %standard-phases
+ (add-before 'build 'copy-resources
+ (lambda _
+ (copy-recursively "src/main/resources" "build/classes")))
+ (add-before 'build 'remove-module
+ (lambda _
+ (delete-file "src/main/java/module-info.java"))))))
+ (native-inputs
+ `(("java-junit" ,java-junit)))
+ (home-page "https://github.com/conversant/disruptor")
+ (synopsis "High performance intra-thread communication")
+ (description "Conversant Disruptor is the highest performing intra-thread
+transfer mechanism available in Java. Conversant Disruptor is an implementation
+of this type of ring buffer that has almost no overhead and that exploits a
+particularly simple design.")
+ (license license:asl2.0)))
+
(define-public java-jctools-core-1
(package
(name "java-jctools-core")
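Review bot: the remove-module phase deletes src/main/java/module-info.java without a comment saying why (an older JDK or the ant build not handling module descriptors is the likely reason, but the reader should not have to guess); a one-line comment would help. The description also carries upstream's marketing ("the highest performing intra-thread transfer mechanism available in Java"), which Guix descriptions usually avoid; a neutral statement that it provides a ring-buffer queue for passing objects between threads reads better. Minor: the copy-resources phase here returns the value of copy-recursively while the same phase in java-jansi (patch 1/5) ends with #t; pick one style.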
--
2.34.0
Julien Lepiller wrote on 11 Dec 2021 03:23
[PATCH 4/5] gnu: java-lmax-disruptor: Update to 3.4.4.
(address . 52421@debbugs.gnu.org)
c7f7ab19163d185b3f9cdca62d55f866a60000a0.1639188753.git.julien@lepiller.eu
* gnu/packages/java.scm (java-lmax-disruptor): Update to 3.4.4.
---
gnu/packages/java.scm | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 192105008f..785e9f13e2 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -11318,15 +11318,16 @@ (define-public java-bouncycastle
(define-public java-lmax-disruptor
(package
(name "java-lmax-disruptor")
- (version "3.3.7")
+ (version "3.4.4")
(source (origin
- (method url-fetch)
- (uri (string-append "https://github.com/LMAX-Exchange/disruptor/"
- "archive/" version ".tar.gz"))
- (file-name (string-append name "-" version ".tar.gz"))
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/LMAX-Exchange/disruptor")
+ (commit version)))
+ (file-name (git-file-name name version))
(sha256
(base32
- "17da2gwj5abnlsfgn2xqjk5lgzbg4vkb0hdv2dvc8r2fx4bi7w3g"))))
+ "02c5kp3n8a73dq9ay7ar53s1k3x61z9yzc5ikqb03m6snr1wpfqn"))))
(build-system ant-build-system)
(arguments
`(#:jar-name "java-lmax-disruptor.jar"
--
2.34.0
Julien Lepiller wrote on 11 Dec 2021 03:23
[PATCH 5/5] gnu: java-log4j-api: Update to 2.15.0.
(address . 52421@debbugs.gnu.org)
ae43926920eeab53391166b440cee9c104e140ef.1639188753.git.julien@lepiller.eu
Includes fixes for CVE-2017-5645, CVE-2020-9488 and CVE-2021-44228.

* gnu/packages/java.scm (java-log4j-api): Update to 2.15.0.
(java-log4j-core, java-log4j-1.2-api)[inputs]: Adjust accordingly.
---
gnu/packages/java.scm | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 785e9f13e2..d295077113 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -7840,14 +7840,14 @@ (define-public java-javax-mail
(define-public java-log4j-api
(package
(name "java-log4j-api")
- (version "2.4.1")
+ (version "2.15.0")
(source (origin
(method url-fetch)
(uri (string-append "mirror://apache/logging/log4j/" version
"/apache-log4j-" version "-src.tar.gz"))
(sha256
(base32
- "0j5p9gik0jysh37nlrckqbky12isy95cpwg2gv5fas1rcdqbraxd"))))
+ "0h4ndw096h9cql0kyi1zd0ymp8hqxc1jdgdxkn0kxf8vd9b4dx14"))))
(build-system ant-build-system)
(arguments
`(#:tests? #f ; tests require unpackaged software
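Review bot: `#:tests? #f ; tests require unpackaged software` is carried over across the jump from 2.4.1 to 2.15.0, so nothing in the build exercises the new version; for a security update it would be worth noting in the commit message what was checked by hand (that the built jar is really the 2.15.0 code and that dependents such as java-log4j-core still build against it).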
@@ -7869,6 +7869,7 @@ (define-public java-log4j-api
`(("java-osgi-core" ,java-osgi-core)
("java-hamcrest-core" ,java-hamcrest-core)
("java-junit" ,java-junit)))
+ (properties '((cpe-name . "log4j")))
(home-page "https://logging.apache.org/log4j/2.x/")
(synopsis "API module of the Log4j logging framework for Java")
(description
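Review bot: the cpe-name property is added to java-log4j-api only, yet the code fixed by the three CVEs named in the commit message lives in log4j-core; unless java-log4j-core and java-log4j-1.2-api inherit this field, `guix lint -c cve` will not match them. Either add the property to those two packages as well or state in the commit message that they inherit it.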
@@ -7886,7 +7887,11 @@ (define-public java-log4j-core
("java-log4j-api" ,java-log4j-api)
("java-mail" ,java-mail)
("java-jboss-jms-api-spec" ,java-jboss-jms-api-spec)
+ ("java-conversant-disruptor" ,java-conversant-disruptor)
("java-lmax-disruptor" ,java-lmax-disruptor)
+ ("java-jctools-core" ,java-jctools-core-1)
+ ("java-stax2-api" ,java-stax2-api)
+ ("java-jansi" ,java-jansi)
("java-kafka" ,java-kafka-clients)
("java-datanucleus-javax-persistence" ,java-datanucleus-javax-persistence)
("java-fasterxml-jackson-annotations" ,java-fasterxml-jackson-annotations)
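Review bot: four inputs (java-conversant-disruptor, java-jctools-core-1, java-stax2-api, java-jansi) are added to java-log4j-core but the commit message only says "Adjust accordingly"; naming them and which log4j-core components need them would make this security update easier to audit later. Note also that log4j-core now gets java-jansi (2.4.0) while java-jline-2 and java-groovy-bootstrap stay on java-jansi-1, so two jansi versions can end up in the same closure; fine if intended, but worth a line in the message.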
@@ -7934,6 +7939,7 @@ (define-public java-log4j-1.2-api
(inputs
`(("log4j-api" ,java-log4j-api)
("log4j-core" ,java-log4j-core)
+ ("java-jboss-jms-api-spec" ,java-jboss-jms-api-spec)
("osgi-core" ,java-osgi-core)
("eclipse-osgi" ,java-eclipse-osgi)
("java-lmax-disruptor" ,java-lmax-disruptor)))))
--
2.34.0
Ludovic Courtès wrote on 11 Dec 2021 22:08
Re: bug#52421: [PATCH][SECURITY] gnu: java-log4j-api: Update to 2.15.0.
(name . Julien Lepiller)(address . julien@lepiller.eu)(address . 52421@debbugs.gnu.org)
87o85m6e9g.fsf@gnu.org
Hi,

Julien Lepiller <julien@lepiller.eu> wrote:

> today I learnt about a CVE on log4j. Looking more closely, it seems
> that log4j2 has had 3 CVEs (at least 3 are listed on
> https://logging.apache.org/log4j/2.x/security.html) and we're
> vulnerable to all of them \o/
>
> This series updates to the latest version. Thankfully, log4j keeps a
> stable API, so there's no breakage in dependents, but a few
> dependencies had to be added/updated.

I had a quick look and it all LGTM.

Thanks for taking care of it!

Ludo’.
Ludovic Courtès wrote on 11 Dec 2021 22:09
(name . Julien Lepiller)(address . julien@lepiller.eu)(address . 52421@debbugs.gnu.org)
87k0ga6e80.fsf_-_@gnu.org
Julien Lepiller <julien@lepiller.eu> wrote:

> + (synopsis "Concurrency Tools for Java")

Lowercase “tools”.

> + (description "This library implement concurrent data structures that are

“implements”

Ludo’.
Julien Lepiller wrote on 12 Dec 2021 19:25
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 52421-done@debbugs.gnu.org)
20211212192544.0b4015e2@tachikoma.lepiller.eu
Thanks for the review. I added remarks from IRC and pushed the update
as 5259513d5e5a918bb44b87ab7a562621cc78c945 to
d5cfca23e30a9166d49faf0b48cca3ee27699f7a.
Closed