After the discovery of a new vulnerability found in the Linux BASH shell, and the seriousness of it and the number of affected systems, we indicate how to fix it.

  The problem is that at this time, there are not yet posted any bug free version. At least at the time of this writing. So Linux update packages with apt-get utility or yum will not provide the solution. So we patch it from the source code. It’s okay, sounds very radical, but they are only 5 minutes.  

How to know if my system is affected

Easy, go to the console and run this command:
 env x='() { :;}; echo vulnerable' bash -c "echo bash test"
If the system is vulnerable get this response:
vulnerable

bash test
  otherwise, you will see this message in the console:
bash: warning: x: ignoring function definition attempt
bash: error importing the definition of the function for `x '
bash test
That means that you tried to run unauthorized code, and the system has not allowed it.  

Fix bash failure step by step.

  First, we will download the source code from the GNU repository to the folder /usr/src of your linux. To do this, run from the console:
cd /usr/src

wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
  Then download the patch posted:
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025

As Michael Eager says, we have to download all the previous patches, because the source code of bash is at level 0, and the ShellSock bugs is at level 25.
Now, we download all previous patches:
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-001
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-002
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-003
Until last patch   Unzip the source of bash 4.3:
tar -xvzf bash-4.3.tar.gz
So we create the /usr/src/bash-4.3 folder. Copy all the patches to the folder in the source:
cp bash43-* bash-4.3/
Access to bash-4.3:
cd bash-4.3
and run the patch installation pacth by patch:
patch -p0 -i bash43-001
patch -p0 -i bash43-002
patch -p0 -i bash43-003
Until last patch. At this moment, it is bash43-026. Then compile the new bash just patched. Run these commands:
./configure

make

make install
  My Debian has a habit of placing system files «at Debian way». So I have to copy them to their correct places. Anyway, even if you have another Linux distribution, it is good to copy them, but check the correct place. To do this, rename the old bash as bash.old and remove the execute permissions to avoid problems:
cp /bin/bash /bin/bash.old

chmod -x /bin/bash.old

cp /usr/bin/bashbug /usr/bin/bashbug.old

chmod -x /usr/bin/bashbug.old
  Now copy the new files. If you have followed these instructions step by step, we will be located in /usr/src/bash-4.3:
cp -f bash /bin/

cp bashbug /usr/bin/

cp bashversion /bin/
  And it’s done.   To check it, open another console and login again. Upon entering, you will run the new bash. Run these commands to check that all is well:
bashversion
and you must see this message:
4.3.26(1)-release
  Finally to check that our system is not vulnerable to failure bash, execute:
env x='() { :;}; echo vulnerable' bash -c "echo bash test"
  And if everything is done well, we will see this message:
bash: warning: x: ignoring function definition attempt
bash: error importing the definition of the function for `x '
bash test
 

7 thoughts on “Fix bash failure step by step

  1. The fix for the ShellShock bug is patch 25. The patch verifies the it is being applied after patch 24.

    When you download the bash source, the patch level is zero. Before you can apply patch 25, you need to apply all 24 previous patches.

  2. At the time of update this article, last patch available is #26. So we will have to patch until ‘bash43-026’.

  3. You can simplify the download and patching with

    mkdir -p /usr/src/bash43 && cd $_

    wget -q -O – http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz | tar -xzf – –strip 1 -C /usr/src/bash43

    for num in {1..26}
    do
    wget -q «http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$(printf ‘%03d’ $num)»
    patch -p0 -i bash43-$(printf ‘%03d’ $num)
    done

    ./configure && make && make install

  4. I’ve applied patches 1-27, did make && make install

    The shellshock bug appears to be gone, but now bash doesn’t source .bashrc or .bash_profile in the users home directory.

    Anyone know of a fix for that ?

    Thank you in advance!

Comments are closed.