Fix bash failure step by step

A new vulnerability has been discovered in the Linux bash shell. Given its seriousness and the number of affected systems, here is how to fix it.

 

The problem is that, at least at the time of this writing, no bug-free version has been published yet, so updating the Linux packages with apt-get or yum will not provide the solution. We will therefore patch bash from the source code. It sounds very radical, but it only takes 5 minutes.

 

How to know if my system is affected

Easy, go to the console and run this command:

 env x='() { :;}; echo vulnerable' bash -c "echo bash test"

If the system is vulnerable, you get this response:

vulnerable

bash test

 

Otherwise, you will see this message in the console:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash test

That means that you tried to run unauthorized code, and the system has not allowed it.
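The command above tests whichever bash comes first in PATH, which is not necessarily /bin/bash. The script below is an added example, not part of the original article: it runs the same check against each bash binary by explicit path. The function names and the candidate paths are assumptions.

```shell
#!/bin/sh
# Added example (not the article's code). The candidate paths are assumptions:
# /usr/local/bin/bash is where a default "./configure && make install" lands.

# check_bash <path>
#   returns 0: the function-definition payload was NOT executed (patched)
#   returns 1: the payload was executed (vulnerable)
#   returns 2: not an executable file, or it did not run the test command
check_bash() {
    [ -f "$1" ] && [ -x "$1" ] || return 2
    # env -i gives a clean environment; the binary is named by path, so the
    # PATH order cannot decide which bash gets tested.
    out=$(env -i x='() { :;}; echo vulnerable' "$1" -c 'echo bash test' 2>/dev/null)
    case $out in
        *vulnerable*)  return 1 ;;
        *'bash test'*) return 0 ;;
        *)             return 2 ;;
    esac
}

# scan_bash [path...]: one result line per existing candidate.
# Returns 1 if any candidate is vulnerable, 0 otherwise.
scan_bash() {
    [ "$#" -gt 0 ] || set -- /bin/bash /usr/bin/bash /usr/local/bin/bash
    worst=0
    for b in "$@"; do
        [ -e "$b" ] || continue
        rc=0; check_bash "$b" || rc=$?
        case $rc in
            0) echo "patched     $b" ;;
            1) echo "VULNERABLE  $b"; worst=1 ;;
            *) echo "skipped     $b" ;;
        esac
    done
    return "$worst"
}

scan_bash "$@"
```

A binary whose execute bit has been removed is reported as skipped rather than tested.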

 

Fix bash failure step by step.

 

First, we will download the source code from the GNU repository into the /usr/src folder of your Linux system.

To do this, run from the console:

cd /usr/src

wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz

 

Then download the published patch:

wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025

As Michael Eager says, we have to download all the previous patches, because the bash source code is at patch level 0 and the fix for the ShellShock bug is patch 25.

Now, we download all previous patches:

wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-001
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-002
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-003

And so on, up to the last patch.
 

Unpack the bash 4.3 source:

tar -xvzf bash-4.3.tar.gz

This creates the /usr/src/bash-4.3 folder.

Copy all the patches into the source folder:

cp bash43-* bash-4.3/

Change into bash-4.3:

cd bash-4.3

and apply the patches one by one, in order:

patch -p0 -i bash43-001
patch -p0 -i bash43-002
patch -p0 -i bash43-003

And so on, up to the last patch. At this moment, it is bash43-026.
Then compile the newly patched bash. Run these commands:

./configure

make

make install

 

My Debian has a habit of placing system files “the Debian way”, so I have to copy them to their correct places. Even if you have another Linux distribution, it is good to copy them, but check the correct place. To do this, first back up the old bash as bash.old and remove its execute permissions to avoid problems:

cp /bin/bash /bin/bash.old

chmod -x /bin/bash.old

cp /usr/bin/bashbug /usr/bin/bashbug.old

chmod -x /usr/bin/bashbug.old

 

Now copy the new files. If you have followed these instructions step by step, you will be in /usr/src/bash-4.3:

cp -f bash /bin/

cp bashbug /usr/bin/

cp bashversion /bin/

 

And it’s done.

 

To check it, open another console and log in again. Upon entering, you will be running the new bash.

Run these commands to check that all is well:

bashversion

and you should see this message:

4.3.26(1)-release

 

Finally, to check that the system is no longer vulnerable to the bash bug, run:

env x='() { :;}; echo vulnerable' bash -c "echo bash test"

 

And if everything is done well, we will see this message:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash test
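Because patch 25 can only go on top of patches 1 to 24, a gap in the downloaded series should stop the run before anything is applied. The script below is an added example, not the article's or the bash project's code: it reads the tree's current level from patchlevel.h, lists the patches still pending up to a target level, and refuses to continue if one is missing. The function names are hypothetical, and it assumes patchlevel.h carries a `#define PATCHLEVEL` line and that the patches were copied into the source tree as described above.

```shell
#!/bin/sh
# Added example (not the article's code). Assumes the GNU bash source layout:
# patchlevel.h holds "#define PATCHLEVEL <n>", patches are named bash43-NNN
# and have been copied into the source tree as in the article.

# current_level <tree>: patch level recorded in the tree (0 on a fresh tarball).
current_level() {
    sed -n 's/^#define[[:space:]]*PATCHLEVEL[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        "$1/patchlevel.h" 2>/dev/null
}

# pending_patches <tree> <target>: print, in order, the patches still to apply.
# Prints nothing and returns 1 if any file in the series is absent or empty.
pending_patches() {
    level=$(current_level "$1")
    [ -n "$level" ] || { echo "no PATCHLEVEL in $1/patchlevel.h" >&2; return 2; }
    n=$((level + 1)); list=
    while [ "$n" -le "$2" ]; do
        f=$(printf 'bash43-%03d' "$n")
        [ -s "$1/$f" ] || { echo "missing: $f" >&2; return 1; }
        list="$list$f
"
        n=$((n + 1))
    done
    printf '%s' "$list"
}

# apply_pending <tree> <target>: apply the series, stopping at the first
# failure, then print the level the tree ended up at.
apply_pending() {
    list=$(pending_patches "$1" "$2") || return 1
    for f in $list; do
        ( cd "$1" && patch -p0 -s -i "$f" ) || { echo "failed at $f" >&2; return 1; }
    done
    current_level "$1"
}

# Usage: sh plan-patches.sh /usr/src/bash-4.3 26
if [ "$#" -eq 2 ]; then apply_pending "$1" "$2"; fi
```

Run against a fully patched tree, it applies nothing and prints the level already recorded in patchlevel.h.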

 


Comments (7)

  • Mark Shadley

    I’ve applied patches 1-27, did make && make install

    The shellshock bug appears to be gone, but now bash doesn’t source .bashrc or .bash_profile in the users home directory.

    Anyone know of a fix for that?

    Thank you in advance!

    30 September, 2014 at 02:42
    • Mark Shadley

      edit:

      Did ./configure && make && make install. logged out and back in.

      30 September, 2014 at 02:44
      • Mark Shadley

        Nevermind. I compiled it with --enable-restricted

        30 September, 2014 at 02:58
  • FIlip

    You can simplify the download and patching with

    mkdir -p /usr/src/bash43 && cd $_

    wget -q -O - http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz | tar -xzf - --strip-components=1 -C /usr/src/bash43

    for num in {1..26}
    do
        wget -q "http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$(printf '%03d' $num)"
        patch -p0 -i bash43-$(printf '%03d' $num)
    done

    ./configure && make && make install

    28 September, 2014 at 10:43
  • JL Navarro at Zinetik Consultores

    At the time of updating this article, the last patch available is #26. So we will have to patch until ‘bash43-026’.

    27 September, 2014 at 11:17
  • Michael Eager

    The fix for the ShellShock bug is patch 25. The patch verifies that it is being applied after patch 24.

    When you download the bash source, the patch level is zero. Before you can apply patch 25, you need to apply all 24 previous patches.

    26 September, 2014 at 23:16
    • JL Navarro at Zinetik Consultores

      Michael, you are right! The article has been updated now.
      Thank you very much for your notice.

      27 September, 2014 at 11:15

Comments closed.