Bash Bug (Shellshock) and how to patch it.

There has been a huge uproar about the bug recently found in bash. The bug has gone unnoticed since 1989, which makes it a little difficult to patch on the legacy systems I found on our network. Ubuntu 10 and up is straightforward to update and takes little to no time. I heard some people complaining about having to patch 11 servers; try an environment like the one we run in our office and for our websites, which comes to close to 300 Linux installs, only a fraction of which didn’t need to be patched. I’d recommend using a cluster SSH session to deploy this fix to multiple servers. If you’ve got Puppet then you’ve got it easy: just set your bash package to ensure => latest and you’re good to go.

I’ll be doing this patch on Ubuntu. It works on Ubuntu 10 and 12 LTS, and most likely on any Ubuntu older than version 10 as well.

Test whether you are affected (most likely you are):

root@web01:~# export testbug='() { :;}; echo VULNERABLE'
root@web01:~# bash -c "echo Hello"
VULNERABLE
Hello

If you see VULNERABLE in the output, your system needs to be updated.

root@web01:~# apt-get update && apt-get install bash
root@web01:~# export testbug='() { :;}; echo VULNERABLE'
root@web01:~# bash -c "echo Hello"
Hello
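The same marker test, wrapped as a POSIX sh script that checks a list of bash binaries by path rather than whichever bash happens to be first on PATH. This is an added example and not part of the original post; the default path list is an assumption, and the crafted variable is passed to the child process via env so it is never exported into the calling shell.

```shell
#!/bin/sh
# Added example: check bash binaries for the Shellshock (CVE-2014-6271)
# environment-import bug using the same marker test as the post.

# Prints "<path>: vulnerable" or "<path>: patched" for the bash binary at $1.
# Returns 0 if vulnerable, 1 if patched, 2 if the path is not executable.
check_bash_binary() {
    bin=$1
    [ -x "$bin" ] || { printf '%s: not executable\n' "$bin"; return 2; }
    # env sets the crafted variable for this one child process only. An
    # unpatched bash runs the text after the function body while importing
    # the variable, so VULNERABLE appears on stdout before Hello.
    out=$(env testbug='() { :;}; echo VULNERABLE' "$bin" -c 'echo Hello' 2>/dev/null)
    case $out in
        *VULNERABLE*) printf '%s: vulnerable\n' "$bin"; return 0 ;;
        *)            printf '%s: patched\n' "$bin";    return 1 ;;
    esac
}

# Checks every path given as an argument. With no arguments it checks the
# usual install locations (assumed list), because a source build installs
# to /usr/local/bin while /bin/bash may still be the old package.
# Returns 0 only if no checked binary is vulnerable.
check_all_bash() {
    [ $# -eq 0 ] && set -- /bin/bash /usr/bin/bash /usr/local/bin/bash
    bad=0
    for b in "$@"; do
        [ -e "$b" ] || continue
        if check_bash_binary "$b"; then bad=$((bad + 1)); fi
    done
    [ "$bad" -eq 0 ]
}
```

Run it as check_all_bash with no arguments on each host (for example over the cluster SSH session mentioned above); a non-zero exit means at least one bash on that host still needs patching.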

Now comes the hard part: installing a patched bash on a legacy system. In my case it was Ubuntu 8.04 (tested on Ubuntu 6.10 and the fix works there too):

Download the package to anywhere on your system you like; I put it in my root directory and removed it afterwards.

root@web01:~# cd /root
root@web01:~# wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz

Download the latest patches for bash:

root@web01:~# for i in $(seq -f "%03g" 1 25); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done

Untar the bash package and cd into the directory that was just created.

root@web01:~# tar zxvf bash-4.3.tar.gz
root@web01:~# cd bash-4.3

Next, apply the patches to the bash source we just downloaded (the bash 4.3 patches are numbered from 001):

root@web01:~/bash-4.3# for i in $(seq -f "%03g" 1 25); do patch -p0 < ../bash43-$i; done

The final step is to build and install the patched bash:

root@web01:~/bash-4.3# ./configure && make && make install

Note that a default ./configure installs the new binary as /usr/local/bin/bash and leaves /bin/bash untouched. Scripts, cron jobs and CGI handlers that call /bin/bash by its full path will keep using the old binary, so re-run the test above against /bin/bash explicitly, not just whichever bash is first on your PATH, before calling the host fixed.

If you wish, you can remove the files that cluttered up the directory:

root@web01:~/bash-4.3# cd ..
root@web01:~# rm -r bash-4.3 bash-4.3.tar.gz bash43-*

I know this bug affects more than just Linux; Macs in particular are vulnerable to it. I’ll add the fix for that when I get a chance to sit down at my Mac.
Reference: https://news.ycombinator.com/item?id=8364385
