authorTorben Nehmer2021-12-23 20:42:20 +0100
committerTorben Nehmer2021-12-23 20:42:20 +0100
commit262b3cf591026f2397e39123e8fdc71b49f4d974 (patch)
tree07a5d33b8b8efe3aba7dd3b3fe8bc7b58b4fd360
parent9ac7685fb1665e518dd5636418e647320a2cbcae (diff)
downloadaur-262b3cf591026f2397e39123e8fdc71b49f4d974.tar.gz
Fixed log4j JNDI vulnerability CVE-2021-45046
Fix the log4j security vulnerability CVE-2021-45046. This can be trivially exploited as remote code execution. Remove log4j's ability to do JNDI lookups entirely by removing JndiLookup.class from the package. See also: https://logging.apache.org/log4j/2.x/security.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
-rw-r--r--PKGBUILD9
1 files changed, 8 insertions, 1 deletions
diff --git a/PKGBUILD b/PKGBUILD
index ca75ef5c01ea..bf433a7687c3 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,12 +1,14 @@
# Maintainer: Donald Webster (fryfrog@gmail.com)
+# Contributor: Torben Nehmer (torben+aur-unifi-video at nehmer dot net)
pkgname=unifi-video
pkgver=3.10.13
-pkgrel=1
+pkgrel=2
pkgdesc="Centralized management system for Ubiquiti UniFi surveillance cameras."
arch=('x86_64')
url="https://www.ubnt.com/"
license=('custom')
+makedepends=('zip')
depends=(
'mongodb'
'java-runtime>=8'
@@ -37,6 +39,11 @@ package() {
cd "${pkgdir}/usr/bin"
patch -N < "${srcdir}/unifi-video.patch"
+ # see also: https://logging.apache.org/log4j/2.x/security.html
+ echo "Fixing Log4j JNDI Lookup vulnerability by removing JndiLookup.class (CVE-2021-45046)"
+ cd "${pkgdir}/usr/lib/unifi-video/lib"
+ zip -v -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
+
install -D -m 644 "${srcdir}/unifi-video.service" "${pkgdir}/usr/lib/systemd/system/unifi-video.service"
install -D -m 644 "${srcdir}/unifi-video.sysusers" "${pkgdir}/usr/lib/sysusers.d/unifi-video.conf"
install -D -m 644 "${srcdir}/unifi-video.tmpfiles" "${pkgdir}/usr/lib/tmpfiles.d/unifi-video.conf"
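Review bot: The `zip -d log4j-core-*.jar …` line in package() relies on an unquoted glob matching exactly one archive; if the lib directory ever holds more than one log4j-core jar, zip takes the first as the archive and treats the others as entry names, so the remaining jars would keep JndiLookup.class. Iterating makes the mitigation cover every match: `for jar in log4j-core-*.jar; do zip -q -d "$jar" org/apache/logging/log4j/core/lookup/JndiLookup.class; done`. `-v` and `-q` pull in opposite directions, so I would keep only `-q`. It would also help to fail the build explicitly when no jar matches or the class is still listed afterwards, since a silent miss ships a package whose pkgrel and log message claim the fix. package() starts and ends outside this hunk.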