Fix bash failure step by step
A new vulnerability has been discovered in the Bash shell on Linux. Given its seriousness and the number of affected systems, this article explains how to fix it.
The problem is that, at the time of this writing, no fixed version has been published yet, so updating the packages with apt-get or yum will not provide the solution. Instead, we patch bash from the source code. It sounds very radical, but it only takes 5 minutes.
How to know if my system is affected
Easy, go to the console and run this command:
env x='() { :;}; echo vulnerable' bash -c "echo bash test"
If the system is vulnerable, you get this response:
vulnerable
bash test
otherwise, you will see this message in the console:
bash: warning: x: ignoring function definition attempt
bash: error importing the definition of the function for `x'
bash test
That means that you tried to run unauthorized code, and the system has not allowed it.
Fix bash failure step by step.
First, we will download the source code from the GNU repository to the /usr/src folder of your Linux system.
To do this, run from the console:
cd /usr/src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
Then download the patch posted:
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025
As Michael Eager says, we have to download all the previous patches, because the source code of bash is at patch level 0 and the fix for the ShellShock bug is at level 25.
Now, we download all previous patches:
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-001
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-002
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-003
And so on, until the last patch.
Unzip the source of bash 4.3:
tar -xvzf bash-4.3.tar.gz
This creates the /usr/src/bash-4.3 folder.
Copy all the patches to the folder in the source:
cp bash43-* bash-4.3/
Change into bash-4.3:
cd bash-4.3
and apply the patches one by one, in order:
patch -p0 -i bash43-001
patch -p0 -i bash43-002
patch -p0 -i bash43-003
And so on, until the last patch. At this moment, it is bash43-026.
Then compile the new bash just patched. Run these commands:
./configure
make
make install
My Debian has a habit of placing system files “the Debian way”, so I have to copy the new files to their correct places. Even if you have another Linux distribution, it is good to copy them, but check the correct place first. To do this, keep the old bash as bash.old and remove its execute permissions to avoid problems:
cp /bin/bash /bin/bash.old
chmod -x /bin/bash.old
cp /usr/bin/bashbug /usr/bin/bashbug.old
chmod -x /usr/bin/bashbug.old
Now copy the new files. If you have followed these instructions step by step, we will be located in /usr/src/bash-4.3:
cp -f bash /bin/
cp bashbug /usr/bin/
cp bashversion /bin/
And it’s done.
To check it, open another console and log in again. From that point on, you will be running the new bash.
Run these commands to check that all is well:
bashversion
and you should see this message:
4.3.26(1)-release
Finally, to check that the system is no longer vulnerable to the bash bug, execute:
env x='() { :;}; echo vulnerable' bash -c "echo bash test"
And if everything is done well, we will see this message:
bash: warning: x: ignoring function definition attempt
bash: error importing the definition of the function for `x'
bash test
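Added example (not part of the original article): a script that runs the article's env test against every bash binary you name, so that a stale copy such as /bin/bash.old, or a build that `make install` left under /usr/local/bin (the default configure prefix), is not missed. The helper names check_bash and audit_bash and the file name audit.sh are made up for this example.

```bash
#!/bin/sh
# Added example, not from the original article.
# check_bash and audit_bash are hypothetical helper names.

# check_bash PATH: print a verdict for one binary.
check_bash() {
    local bin out
    bin=$1
    if [ ! -f "$bin" ]; then echo missing; return 0; fi
    # A copy with the execute bit removed (chmod -x, as the article does
    # for /bin/bash.old) cannot be started at all.
    if [ ! -x "$bin" ]; then echo not-executable; return 0; fi
    # Same probe as the article: the variable x holds a function
    # definition followed by an extra command.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo bash test' 2>/dev/null) || true
    case $out in
        *vulnerable*)  echo vulnerable ;;
        *"bash test"*) echo patched ;;
        *)             echo unknown ;;
    esac
}

# audit_bash PATH...: one line per binary; exit status 1 if any is vulnerable.
audit_bash() {
    local bin verdict rc
    rc=0
    for bin in "$@"; do
        verdict=$(check_bash "$bin")
        printf '%-24s %s\n' "$bin" "$verdict"
        if [ "$verdict" = vulnerable ]; then rc=1; fi
    done
    return "$rc"
}

# Example: sh audit.sh /bin/bash /bin/bash.old /usr/local/bin/bash
if [ "$#" -gt 0 ]; then
    audit_bash "$@"
fi
```

A non-zero exit status means at least one of the listed binaries still runs the injected command and needs to be replaced or removed.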
Comments (7)
I’ve applied patches 1-27, did make && make install
The shellshock bug appears to be gone, but now bash doesn’t source .bashrc or .bash_profile in the users home directory.
Anyone know of a fix for that ?
Thank you in advance!
30 September, 2014 at 02:42
edit:
Did ./configure && make && make install. logged out and back in.
30 September, 2014 at 02:44
Nevermind. I compiled it with --enable-restricted
30 September, 2014 at 02:58
You can simplify the download and patching with
mkdir -p /usr/src/bash43 && cd "$_"
wget -q -O - http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz | tar -xzf - --strip-components=1 -C /usr/src/bash43
for num in {1..26}
do
wget -q "http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$(printf '%03d' $num)"
patch -p0 -i bash43-$(printf '%03d' $num)
done
./configure && make && make install
28 September, 2014 at 10:43
At the time of updating this article, the last patch available is #26. So we will have to patch until ‘bash43-026’.
27 September, 2014 at 11:17
The fix for the ShellShock bug is patch 25. The patch verifies that it is being applied after patch 24.
When you download the bash source, the patch level is zero. Before you can apply patch 25, you need to apply all 24 previous patches.
26 September, 2014 at 23:16
Michael, you are right! The article has been updated now.
27 September, 2014 at 11:15
Thank you very much for your notice.