The officially official Devuan Forum!


#1 2022-03-16 20:08:44

Altoid
Member
Registered: 2017-05-07
Posts: 1,581  

Important - log4j exploit alarm affecting Linux

Hello:

Originally mentioned (late December 2021) at Dev1 by hevidevi here ...

https://dev1galaxy.org/viewtopic.php?id=4715

... and now (as expected) we have this:

https://www.theregister.com/2022/03/16/ … net_log4j/

Jessica Lyons Hardcastle @The Register wrote:

It primarily targets Linux Arm and 64-bit x86 systems.

Running locate on my Beowulf installation brings me a heap of instances:

/usr/share/ant/lib/ant-apache-log4j.jar
/usr/share/doc/liblog4j1.2-java
/usr/share/doc/liblog4j1.2-java/README.Debian
/usr/share/doc/liblog4j1.2-java/changelog.Debian.gz
/usr/share/doc/liblog4j1.2-java/copyright
/usr/share/java/ant-apache-log4j-1.10.5.jar
/usr/share/java/ant-apache-log4j.jar
/usr/share/java/log4j-1.2-1.2.17.jar
/usr/share/java/log4j-1.2.jar
/usr/share/java/log4j-over-slf4j-1.7.25.jar
/usr/share/java/log4j-over-slf4j.jar
/usr/share/java/slf4j-log4j12-1.7.25.jar
/usr/share/java/slf4j-log4j12.jar
/usr/share/maven-repo/log4j
/usr/share/maven-repo/log4j/log4j
/usr/share/maven-repo/log4j/log4j/1.2.17
/usr/share/maven-repo/log4j/log4j/1.2.x
/usr/share/maven-repo/log4j/log4j/debian
/usr/share/maven-repo/log4j/log4j/1.2.17/log4j-1.2.17.jar
/usr/share/maven-repo/log4j/log4j/1.2.17/log4j-1.2.17.pom
/usr/share/maven-repo/log4j/log4j/1.2.x/log4j-1.2.x.jar
/usr/share/maven-repo/log4j/log4j/1.2.x/log4j-1.2.x.pom
/usr/share/maven-repo/log4j/log4j/debian/log4j-debian.pom
/usr/share/maven-repo/org/apache/ant/ant-apache-log4j
/usr/share/maven-repo/org/apache/ant/ant-apache-log4j/1.10.5
/usr/share/maven-repo/org/apache/ant/ant-apache-log4j/debian
/usr/share/maven-repo/org/apache/ant/ant-apache-log4j/1.10.5/ant-apache-log4j-1.10.5.jar
/usr/share/maven-repo/org/apache/ant/ant-apache-log4j/1.10.5/ant-apache-log4j-1.10.5.pom
/usr/share/maven-repo/org/apache/ant/ant-apache-log4j/debian/ant-apache-log4j-debian.jar
/usr/share/maven-repo/org/apache/ant/ant-apache-log4j/debian/ant-apache-log4j-debian.pom
/usr/share/maven-repo/org/slf4j/log4j-over-slf4j
/usr/share/maven-repo/org/slf4j/slf4j-log4j12
/usr/share/maven-repo/org/slf4j/log4j-over-slf4j/1.7.25
/usr/share/maven-repo/org/slf4j/log4j-over-slf4j/debian
/usr/share/maven-repo/org/slf4j/log4j-over-slf4j/1.7.25/log4j-over-slf4j-1.7.25.jar
/usr/share/maven-repo/org/slf4j/log4j-over-slf4j/1.7.25/log4j-over-slf4j-1.7.25.pom
/usr/share/maven-repo/org/slf4j/log4j-over-slf4j/debian/log4j-over-slf4j-debian.jar
/usr/share/maven-repo/org/slf4j/log4j-over-slf4j/debian/log4j-over-slf4j-debian.pom
/usr/share/maven-repo/org/slf4j/slf4j-log4j12/1.7.25
/usr/share/maven-repo/org/slf4j/slf4j-log4j12/debian
/usr/share/maven-repo/org/slf4j/slf4j-log4j12/1.7.25/slf4j-log4j12-1.7.25.jar
/usr/share/maven-repo/org/slf4j/slf4j-log4j12/1.7.25/slf4j-log4j12-1.7.25.pom
/usr/share/maven-repo/org/slf4j/slf4j-log4j12/debian/slf4j-log4j12-debian.jar
/usr/share/maven-repo/org/slf4j/slf4j-log4j12/debian/slf4j-log4j12-debian.pom
/var/lib/dpkg/info/liblog4j1.2-java.list
/var/lib/dpkg/info/liblog4j1.2-java.md5sums

Not too sure what has to be done about it.

Please advise.

Thanks in advance.

A.

Last edited by Altoid (2022-03-16 20:12:55)
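The `locate` output above mixes several different things under one name: the log4j 1.2 library itself (log4j-1.2.17.jar and its symlinks), the SLF4J binding (slf4j-log4j12), the log4j-over-slf4j shim that only re-implements the 1.2 API on top of SLF4J, and an Ant adapter. The JNDI-lookup flaw behind the botnet story in The Register lives in the 2.x branch; what matters for triage is which branch each jar belongs to and which package owns it, not whether the string "log4j" appears in a path. The POSIX shell script below is an added example written for this thread, not code from the forum or from Devuan: it walks one or more directories, classifies every jar whose name mentions log4j and extracts the version from the file name. The class labels (log4j1, log4j2, adapter) and the filename-based heuristic are assumptions of the example; for anything flagged as log4j2 the authoritative version is in the jar's META-INF/MANIFEST.MF, and `dpkg -S <path>` tells you which package to purge.

```shell
#!/bin/sh
# Added example (not from the thread): inventory jars whose name mentions log4j
# under one or more directories and say what each one actually is, because a
# plain `locate log4j` lists adapters and symlinks alongside the library itself.

# classify_jar PATH
# Prints one of: log4j1, log4j2, adapter, other, judged from the base name only.
#   log4j1  - the original log4j 1.x library (log4j-1.2.17.jar and its symlinks)
#   log4j2  - log4j 2.x (log4j-core / log4j-api / the 1.2 compatibility bridge)
#   adapter - bridges that only wrap or re-route the log4j API
#             (log4j-over-slf4j, slf4j-log4j12, ant-apache-log4j)
classify_jar() {
    base=$(basename "$1" .jar)
    case "$base" in
        log4j-core-*|log4j-api-*|log4j-1.2-api-*)          echo log4j2 ;;
        log4j-1*)                                           echo log4j1 ;;
        log4j-over-slf4j*|slf4j-log4j12*|ant-apache-log4j*) echo adapter ;;
        *)                                                  echo other ;;
    esac
}

# jar_version PATH
# Prints the version embedded in the file name (1.2.17, 2.14.1, ...) or
# "unversioned" for bare symlink names such as log4j-1.2.jar. For adapters this
# is the adapter's own version, not log4j's.
jar_version() {
    base=$(basename "$1" .jar)
    case "$base" in
        *-[0-9]*.[0-9]*.[0-9x]*) echo "${base##*-}" ;;
        *)                       echo unversioned ;;
    esac
}

# inventory DIR...
# Walks the given directories and prints one line per matching jar:
#   <class> <version> <path>
# Symlinks are listed too (find without -type), since that is what a class path sees.
inventory() {
    find "$@" -name '*log4j*.jar' 2>/dev/null | LC_ALL=C sort | while IFS= read -r jar; do
        printf '%s %s %s\n' "$(classify_jar "$jar")" "$(jar_version "$jar")" "$jar"
    done
}

# count_class CLASS DIR...
# Number of jars of the given class under the directories,
# e.g. count_class log4j2 /usr/share/java /usr/share/maven-repo
count_class() {
    cls=$1; shift
    inventory "$@" | awk -v c="$cls" '$1 == c' | wc -l | tr -d ' '
}

# Usage: sh log4j_inventory.sh /usr/share/java /usr/share/maven-repo
if [ "$#" -gt 0 ]; then
    inventory "$@"
fi
```

Run against the directories in the listing above and every line comes back as log4j1 or adapter; a log4j2 line is the one that would need the manifest check and a look at the owning package.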


#2 2022-03-17 09:55:13

hevidevi
Member
Registered: 2021-09-17
Posts: 230  

Re: Important - log4j exploit alarm affecting Linux

You must have a few packages installed that rely on Java, like Apache maybe.

Lots of programs rely on Java and various dependencies of Java. That is why this is such a clusterfuck.

The only package I have installed that relies on some Java libraries is gettext-base, and this is needed for grub, but log4j is not a dependency here.

Last edited by hevidevi (2022-03-17 10:01:20)


#3 2022-03-17 11:20:53

Altoid
Member
Registered: 2017-05-07
Posts: 1,581  

Re: Important - log4j exploit alarm affecting Linux

Hello:

hevidevi wrote:

... must have a few packages installed that rely on java ...

apt list | grep installed | grep java reveals the existence of java-common and a vast array of xyz-java files, all of them automatically installed.

The printout of aptitude why java-common is:

~$ aptitude why java-common
i   libreoffice-nlpsolver Depends default-jre | sun-java6-jre | java6-runtime | jre
i A default-jre           Depends default-jre-headless (= 2:1.11-71)               
i A default-jre-headless  Depends java-common              

Further investigation made me start laughing ...

~$ aptitude why libreoffice-nlpsolver
i   task-desktop      Recommends task-xfce-desktop | task-cinnamon-desktop | task-kde-desktop | task-lxqt-desktop | task-mate-desktop
p   task-xfce-desktop Recommends libreoffice                                                                                         
p   libreoffice       Recommends libreoffice-nlpsolver    

[rant]
WTHF does task-xfce-desktop have a recommends for libreoffice?
Just who comes up with all this crap?
[/rant]

About libreoffice-nlpsolver:

docs @libreoffice.org wrote:

This extension integrates into LibreOffice Calc and offers new Solver engines to use for optimizing nonlinear programming models.

Really ...
Who was the braided idiot that came up with the idea that optimizing nonlinear programming models was something every TD&H would want to do with his LibreOffice calc?

No wonder LO is such a bloated POS.

When (long ago and far away) it stopped being possible to install Word and Excel on your PC as stand alone applications and the Office Suite was born, I recall thinking it was a really bad move for end users and I still do.

hevidevi wrote:

Lots of programs rely on java ...
... is such a clusterfuck.

hevidevi wrote:

... some java libraries is gettext-base and this is needed for grub, but log4j is not a dependency here.

With respect to log4j, it seems that it is also down to LO:

~$ aptitude why liblog4j1.2-java
i   libreoffice-report-builder            Depends libpentaho-reporting-flow-engine-java (>= 0.9.4)
i A libpentaho-reporting-flow-engine-java Depends libapache-poi-java                              
i A libapache-poi-java                    Depends liblog4j1.2-java          

And libreoffice-report-builder, being what specifically relies on it, is something every TD&H absolutely needs to have:

help @libreoffice.org wrote:

The Report Builder is a tool to create your own database reports. Unlike with the Report Wizard, using the Report Builder you can take control to design the report the way you want. The generated report is a Writer document that you can edit, too.

To use the Report Builder, the Report Builder component must be installed. In addition, the Java Runtime Environment (JRE) software must be installed, and this software must be selected in LibreOffice.

Removing this evidently absolutely indispensable extension from my system also removes a very long list of Java related files; I spaced them out so it would be easier to grasp how large this fuck-up is:

~$ sudo apt purge libreoffice-report-builder
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:

ant ant-contrib ant-optional libactivation-java
libaopalliance-java libapache-poi-java libapache-pom-java
libargs4j-java libasm-java libatinject-jsr330-api-java libbase-java
libbcmail-java libbcpkix-java libbcprov-java libcdi-api-java libcglib-java
libcodemodel-java libcommons-cli-java libcommons-codec-java
libcommons-collections3-java libcommons-collections4-java
libcommons-compress-java libcommons-io-java libcommons-lang3-java
libcommons-logging-java libcommons-math3-java libcommons-parent-java
libcurvesapi-java libdom4j-java libdtd-parser-java libehcache-java
libfastinfoset-java libflute-java libfonts-java libformula-java
libgeronimo-annotation-1.3-spec-java libgeronimo-interceptor-3.0-spec-java
libguava-java libguice-java libhawtjni-runtime-java libhttpclient-java
libhttpcore-java libicu4j-java libintellij-annotations-java libisorelax-java
libistack-commons-java libitext-java libjansi-java libjansi-native-java
libjaxb-api-java libjaxb-java libjaxen-java libjcommon-java libjdom1-java
libjetbrains-annotations-java libjsoup-java libjsr305-java liblayout-java libloader-java
liblog4j1.2-java libmail-java libmaven-file-management-java libmaven-parent-java
libmaven-resolver-java libmaven-shared-io-java
libmaven-shared-utils-java libmaven3-core-java libmsv-java
libpentaho-reporting-flow-engine-java libpixie-java libplexus-archiver-java
libplexus-cipher-java libplexus-classworlds-java libplexus-component-annotations-java
libplexus-interpolation-java libplexus-io-java libplexus-sec-dispatcher-java
libplexus-utils2-java librelaxng-datatype-java librepository-java librngom-java
libsac-java libsaxonhe-java libserializer-java libsisu-guice-java libsisu-inject-java
libsisu-ioc-java libsisu-plexus-java libslf4j-java libsnappy-java libsnappy-jni
libstax-ex-java libstreambuffer-java libtxw2-java libwagon-http-java
libwagon-provider-api-java libxerces2-java libxml-commons-external-java
libxml-commons-resolver1.1-java libxml-java libxmlbeans-java libxom-java
libxpp2-java libxpp3-java libxsom-java libxz-java

Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  libreoffice-report-builder*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 406 kB disk space will be freed.
Do you want to continue? [Y/n] 

I went ahead with the removal.
Worst that could happen would be to reinstall it.

After typing Y, doing autoremove and autoclean, the final test was apt install -f, which apparently has not detected anything missing.

So ...
It would seem (?) that the LO installed Java crap can be weeded out by just uninstalling the libreoffice-nlpsolver and libreoffice-report-builder extensions, most importantly log4j.

~$ apt list | grep installed | grep log4j
~$ 


Unfortunately, some Java files remain:

~$ apt list | grep installed | grep java

ca-certificates-java/oldstable,oldstable,now 20190405 all [installed,automatic]
java-common/oldstable,oldstable,now 0.71 all [installed,automatic]
javascript-common/oldstable,oldstable,now 11 all [installed,automatic]
libatk-wrapper-java-jni/oldstable,now 0.33.3-22+deb10u1 amd64 [installed,automatic]
libatk-wrapper-java/oldstable,oldstable,now 0.33.3-22+deb10u1 all [installed,automatic]
libel-api-java/oldstable,oldstable,now 3.0.0-2+deb10u1 all [installed,automatic]
libhsqldb1.8.0-java/oldstable,oldstable,now 1.8.0.10+dfsg-10 all [installed,automatic]
libjavascriptcoregtk-4.0-18/oldstable-security,now 2.34.6-1~deb10u1 amd64 [installed,automatic]
libjsp-api-java/oldstable,oldstable,now 2.3.4-2+deb10u1 all [installed,automatic]
libreoffice-java-common/oldstable,oldstable,now 1:6.1.5-3+deb10u7 all [installed]
libservlet-api-java/oldstable,oldstable,now 4.0.1-2 all [installed,automatic]
libservlet3.1-java/oldstable,oldstable,now 1:4.0.1-2 all [installed]
libwebsocket-api-java/oldstable,oldstable,now 1.1-1+deb10u1 all [installed,automatic]
~$ 

As to where all these come from, I bet good money it is all (mostly) due to LO.
I'll have to see about how to get rid of those too.

But for now it seems the log4j problem has been solved. (?)

Any comments on how to go from here will be appreciated.

Thanks in advance,

A.

Last edited by Altoid (2022-03-17 12:03:39)


#4 2022-03-17 11:42:38

hevidevi
Member
Registered: 2021-09-17
Posts: 230  

Re: Important - log4j exploit alarm affecting Linux

No, I don't use LibreOffice. I generally may only need something nicely formatted the way LibreOffice Writer may do it, in the case of a letter or resume; in that case I use Markdown and Firefox to print a nice PDF file. If one needs Microsoft docx from me then they just won't get it.

The only way to weed out Java is to make sure you do a minimal install and use --no-install-recommends when installing packages, and stay away from programs that need Java and/or Java libraries; easier said than done, I suppose.

In the case of task xfce4 desktop, this can be avoided by doing a minimal installation and/or removing task-desktop, but doing that will remove most of your installation, I suspect. Meta packages in Debian can be a win-win, but I find them irritating.


#5 2022-03-17 12:29:00

Altoid
Member
Registered: 2017-05-07
Posts: 1,581  

Re: Important - log4j exploit alarm affecting Linux

Hello:

Our posts crossed as I edited my last one with the results of removing some of the LO crud.

hevidevi wrote:

... dont use libreoffice. I generally may only need something nicely formatted ...

Ahh ...
In LO, I frequently use what Word 6.0 for DOS and Lotus 123 once offered me.  8^D
And once in a blue moon, something to make up a decent pie-chart.

But the rest of it is just unwanted bloat to me.
e.g. optimizing nonlinear programming models and its Java-esque consequences. Incredible.

I have more than once been tempted to do something about that.
i.e. maybe run Word 6.0 and Lotus 123 inside a W98 VM, but never got around to it.

hevidevi wrote:

... microsoft docx from me then they just wont get it.

I usually send a *.pdf file.

hevidevi wrote:

... only way to weed out java is to make sure you do a minimal install ...

I recently edited /etc/apt/apt.conf.d/ to do just that:

https://dev1galaxy.org/viewtopic.php?id=4939

hevidevi wrote:

In the case of task xfce4 desktop ...

I'm on my way to getting rid of xfce4.
It has evolved into a bloated badly maintained POS and the people in charge do not listen.

I think Devuan should consider using something else as the default installation.
ie: go the way pointed to by Philip Newborough with his truly excellent Crunch Bang Linux.
Probably the nimblest Linux at that time, unfortunately discontinued after the Waldorf version.

hevidevi wrote:

Meta packages in debian can be a win win ...

I think they are a curse and a source of needless bloat, these things go against the basic Linux philosophy.

i.e. meta packages = one file / too many functions.
Functions added one on top of the other with no common sense in mind, not to mention the lack of sound criteria.

Case in point: task-xfce-desktop having a recommends for libreoffice. WTF?

Thank you for your input.

Best,

A.

Last edited by Altoid (2022-03-17 12:32:23)
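Both the apt.conf.d edit mentioned above and hevidevi's `--no-install-recommends` habit come down to one apt setting. The script below is an added example for this thread, not code from the forum or from the linked post: it drops a fragment that turns Recommends (and Suggests) off system-wide, checks that a fragment in the directory actually says so, and asks apt for the effective value. The fragment name 99no-recommends and the directory parameter are assumptions of the example (the parameter exists so it can be exercised on a scratch directory); `APT::Install-Recommends` and `APT::Install-Suggests` are the real apt keys, and the default for Recommends is true, which is exactly how the optional Java stack behind libreoffice gets pulled in.

```shell
#!/bin/sh
# Added example (not from the thread): make apt stop installing Recommends.

# write_no_recommends [CONFDIR]
# Writes CONFDIR/99no-recommends (default /etc/apt/apt.conf.d) and prints its path.
# The "99" prefix makes it sort after the distro's own fragments, so it wins.
write_no_recommends() {
    confdir=${1:-/etc/apt/apt.conf.d}
    target="$confdir/99no-recommends"
    mkdir -p "$confdir"
    cat > "$target" <<'EOF'
// Written by write_no_recommends (example fragment): only hard dependencies
// get installed. apt's default is "true"; "false" is the same as passing
// --no-install-recommends on every apt/apt-get invocation.
APT::Install-Recommends "false";
APT::Install-Suggests "false";
EOF
    printf '%s\n' "$target"
}

# recommends_disabled [CONFDIR]
# Returns 0 if some fragment in CONFDIR sets Install-Recommends to false, 1 otherwise.
# (-s keeps grep quiet when the directory is empty or contains subdirectories.)
recommends_disabled() {
    confdir=${1:-/etc/apt/apt.conf.d}
    grep -qs '^APT::Install-Recommends "false";' "$confdir"/*
}

# effective_setting
# Asks apt itself what it will do, which also covers fragments in other files
# and /etc/apt/apt.conf; only meaningful on a system that has apt installed.
effective_setting() {
    apt-config dump 2>/dev/null | grep '^APT::Install-Recommends '
}

# Usage (as root): sh no-recommends.sh && apt-config dump | grep Install-Recommends
if [ "$#" -gt 0 ]; then
    write_no_recommends "$1"
fi
```

Note that the fragment only affects future installs; packages that already arrived as Recommends stay until something like the `apt purge` / `apt autoremove` round shown earlier in the thread removes them.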


#6 2022-03-17 13:43:43

Altoid
Member
Registered: 2017-05-07
Posts: 1,581  

Re: Important - log4j exploit alarm affecting Linux

Hello:

Altoid wrote:

... more than once been tempted to do something ...
... run Word 6.0 and Lotus 123 inside a W98 VM ...

Just downloaded Lotus SmartSuite 9.8.2 Millennium Edition from here:

https://winworldpc.com/download/bb07d55 … 00008a0da4

Installed without issues in my W98SE VM using an ISO mounting application.
Avoided all the unneeded stuff (dictionaries, MM files, database application, etc.) and kept only Lotus 123 and Lotus WordPro.
Both seem to work perfectly well and WordPro can save in quite a few MS-Word and WP formats, down to the good old rtf.

I'll see further on if it can run properly on my Devuan Wine installation and set it up there.
If it works for me, it will finally be good-bye to the bloated mess LO is.

Best,

A.

Last edited by Altoid (2022-03-17 13:44:20)


#7 2022-03-18 16:18:14

pcalvert
Member
Registered: 2017-05-15
Posts: 215  

Re: Important - log4j exploit alarm affecting Linux

I have LibreOffice installed and a search for "log4j" found nothing. However, I am selective about what I install and don't allow software to install recommended packages by default. It looks like I installed LibreOffice Writer and then later installed LibreOffice Math. Those are the only parts of LibreOffice that I installed because I really don't have a need for the rest of it. Because of LibreOffice's bloat, I've long preferred to use AbiWord and Gnumeric instead.

My result:

$ apt list | grep installed | grep java

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

javascript-common/oldstable,now 11 all [installed,automatic]
libjavascriptcoregtk-4.0-18/oldstable-security,now 2.34.6-1~deb10u1 amd64 [installed,automatic]

Here's another option worth considering:
https://portableapps.com/apps/office/li … legacy-5.4

I sometimes use that in a Windows XP VM.


Freespoke is a new search engine that respects user privacy and does not engage in censorship.
Another one is called Luxxle.


#8 2022-03-19 11:56:15

Altoid
Member
Registered: 2017-05-07
Posts: 1,581  

Re: Important - log4j exploit alarm affecting Linux

Hello:

pcalvert wrote:

... LibreOffice installed and a search for "log4j" found nothing.

I got rid of it by purging libreoffice-nlpsolver and libreoffice-report-builder.

pcalvert wrote:

... don't allow software to install recommended packages ...

I followed fsmithred's advice and set up a system wide block for any and all recommends:
https://dev1galaxy.org/viewtopic.php?pid=35176#p35176

pcalvert wrote:

... installed LibreOffice Writer ...

I use Writer, Calc and Draw quite often.
But none of the crap that surreptitiously also comes with the stock installation.

By weeding out a lot of recommends, my java load has been somewhat reduced:

~$ apt list | grep installed | grep -i java
ca-certificates-java/oldstable,oldstable,now 20190405 all [installed,automatic]
java-common/oldstable,oldstable,now 0.71 all [installed,automatic]
javascript-common/oldstable,oldstable,now 11 all [installed,automatic]
libatk-wrapper-java-jni/oldstable,now 0.33.3-22+deb10u1 amd64 [installed,automatic]
libatk-wrapper-java/oldstable,oldstable,now 0.33.3-22+deb10u1 all [installed,automatic]
libel-api-java/oldstable,oldstable,now 3.0.0-2+deb10u1 all [installed,automatic]
libjavascriptcoregtk-4.0-18/oldstable-security,now 2.34.6-1~deb10u1 amd64 [installed,automatic]
libjsp-api-java/oldstable,oldstable,now 2.3.4-2+deb10u1 all [installed,automatic]
libreoffice-java-common/oldstable,oldstable,now 1:6.1.5-3+deb10u7 all [installed]
libservlet-api-java/oldstable,oldstable,now 4.0.1-2 all [installed,automatic]
libservlet3.1-java/oldstable,oldstable,now 1:4.0.1-2 all [installed]
libwebsocket-api-java/oldstable,oldstable,now 1.1-1+deb10u1 all [installed,automatic]
groucho@devuan:~$ 

Most (not all) due to LO.
To be quite honest, I'd rather use Lotus 123 than Calc or Excel and a standalone Word 6.0 instead of Writer.

I recently installed Lotus Smart Suite 9.8.2 on an XPSP3 VM.
I was then reminded of how the installer provided you with the means of choosing exactly what parts of the Suite you wanted to install.
Cannot understand how Linux, so much choice oriented, did not take up on that basic idea.

---------------------------------------------------------------------------------------------------------------------
I think Linux packagers should look back and take note of that important feature.
---------------------------------------------------------------------------------------------------------------------

pcalvert wrote:

... long preferred to use AbiWord and Gnumeric instead.

I keep/maintain a few essential spreadsheets that have been growing/evolving over the last 20 years.
Originally in *.xls format, I keep them that way and run the risk of using LO to maintain them instead of using Excel in a VM.
Had a few unpleasant glitches at the start but they have been fixed.

Hopefully these spreadsheets will not be needed in a year's time.
Then I will see about ditching Calc/Writer to try gnumeric and AbiWord.

Thank you for your input.

Best,

A.

Last edited by Altoid (2022-03-19 11:59:21)

