[arch-commits] Commit in elasticsearch/trunk (2 files)

Justin Kromlinger hashworks at gemini.archlinux.org
Sun Dec 12 13:25:03 UTC 2021 

    Date: Sunday, December 12, 2021 @ 13:25:03
  Author: hashworks
Revision: 1068900

Implement log4j patch, fixing FS#72975 / CVE-2021-44228

Added:
  elasticsearch/trunk/patch-log4j-JAR-to-remove-JndiLookup-class-81629.patch
Modified:
  elasticsearch/trunk/PKGBUILD

--------------------------------------------------------+
 PKGBUILD                                               |    8 +
 patch-log4j-JAR-to-remove-JndiLookup-class-81629.patch |   71 +++++++++++++++
 2 files changed, 77 insertions(+), 2 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2021-12-12 13:24:48 UTC (rev 1068899)
+++ PKGBUILD	2021-12-12 13:25:03 UTC (rev 1068900)
@@ -5,7 +5,7 @@
 
 pkgname=elasticsearch
 pkgver=7.10.2
-pkgrel=1
+pkgrel=2
 pkgdesc="Distributed RESTful search engine built on top of Lucene"
 arch=('x86_64')
 url="https://www.elastic.co/products/elasticsearch"
@@ -23,6 +23,7 @@
   elasticsearch-tmpfile.conf
   elasticsearch.default
   remove-systemd-distribution-check.patch
+  patch-log4j-JAR-to-remove-JndiLookup-class-81629.patch
 )
 sha256sums=('bdb7811882a0d9436ac202a947061b565aa71983c72e1c191e7373119a1cdd1c'
             '9e1f68ff275ef2b5f2b93d2823efc5cc9643da696fcbe09a3ea7520ada35ffba'
@@ -33,7 +34,8 @@
             '815f6a39db6f54bb40750c382ffbdc298d2c4c187ee8ea7e2f855923e2ff354b'
             '74a772e9f73e2cecda45dcd30ade2f6114db657ed36231292bdf9a7ca04eab78'
             'bb74e5fb8bc28f2125e015395ab05bea117b72bfc6dadbca827694b362ee0bf8'
-            '96934e6518245a4110714c3e1c1eb7bfaf4dd0026cc917efc322f3bfa4c3b5ec')
+            '96934e6518245a4110714c3e1c1eb7bfaf4dd0026cc917efc322f3bfa4c3b5ec'
+            '98724575d454a49ec419eb39c53565cba5d2901eef6246d63205d02b8c6a68e2')
 
 backup=('etc/elasticsearch/elasticsearch.yml'
         'etc/elasticsearch/log4j2.properties'
@@ -43,6 +45,8 @@
 prepare() {
   cd $pkgname-$pkgver
   patch -Np1 -i "$srcdir"/remove-systemd-distribution-check.patch
+  patch -Np1 -i "$srcdir"/patch-log4j-JAR-to-remove-JndiLookup-class-81629.patch
+  sed -i 's|${versions.log4j}|2.11.1|' libs/log4j/build.gradle
 }
 
 build() {

Added: patch-log4j-JAR-to-remove-JndiLookup-class-81629.patch
===================================================================
--- patch-log4j-JAR-to-remove-JndiLookup-class-81629.patch	                        (rev 0)
+++ patch-log4j-JAR-to-remove-JndiLookup-class-81629.patch	2021-12-12 13:25:03 UTC (rev 1068900)
@@ -0,0 +1,71 @@
+From 9a3422e1a6cf519e3fedce396784be2ef48dc7f9 Mon Sep 17 00:00:00 2001
+From: Mark Vieira <portugee at gmail.com>
+Date: Fri, 10 Dec 2021 15:51:38 -0800
+Subject: [PATCH] Patch log4j JAR to remove JndiLookup class (#81629)
+
+
+diff --git a/distribution/build.gradle b/distribution/build.gradle
+index feab67bfbf8..76549a83d0b 100644
+--- a/distribution/build.gradle
++++ b/distribution/build.gradle
+@@ -275,6 +275,10 @@ configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) }) {
+         }
+       }
+     }
++    all {
++      resolutionStrategy.dependencySubstitution {
++        substitute module("org.apache.logging.log4j:log4j-core") using project(":libs:elasticsearch-log4j") because "patched to remove JndiLookup clas"}
++    }
+   }
+ 
+   dependencies {
+diff --git a/libs/build.gradle b/libs/build.gradle
+index 0614199b97b..952985f5aa5 100644
+--- a/libs/build.gradle
++++ b/libs/build.gradle
+@@ -6,7 +6,7 @@
+  * Side Public License, v 1.
+  */
+ 
+-subprojects {
++configure(subprojects - project('elasticsearch-log4j')) {
+   /*
+    * All subprojects are java projects using Elasticsearch's standard build
+    * tools.
+diff --git a/libs/log4j/build.gradle b/libs/log4j/build.gradle
+new file mode 100644
+index 00000000000..917a9f454a1
+--- /dev/null
++++ b/libs/log4j/build.gradle
+@@ -0,0 +1,28 @@
++plugins {
++  id 'base'
++  id 'elasticsearch.repositories'
++}
++
++configurations {
++  log4j {
++    transitive = false
++  }
++}
++
++dependencies {
++  log4j "org.apache.logging.log4j:log4j-core:${versions.log4j}"
++}
++
++// Strip out JndiLookup class to avoid any possibility of exploitation of CVE-2021-44228
++// See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
++// See: https://issues.apache.org/jira/browse/LOG4J2-3201
++def patchLog4j = tasks.register('patchLog4j', Zip) {
++  archiveExtension = 'jar'
++  from({ zipTree(configurations.log4j.singleFile) }) {
++    exclude '**/JndiLookup.class'
++  }
++}
++
++artifacts {
++  'default'(patchLog4j)
++}
+-- 
+2.34.1
+

More information about the arch-commits mailing list