
Here's how to patch Ubuntu 8.04 or anything where you have to build bash from source:

  #assume that your sources are in /src
  cd /src
  wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
  #download all patches (numbering starts at 001; there is no bash43-000)
  for i in $(seq -f "%03g" 1 25); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
  tar zxvf bash-4.3.tar.gz
  cd bash-4.3
  #apply all patches
  for i in $(seq -f "%03g" 1 25); do patch -p0 < ../bash43-$i; done
  #build and install
  ./configure && make && make install

Not sure if Ubuntu 8.04 with a custom-built bash will be upgradable to 10.04?



Or you could just download a bash-static deb from 10.04 (https://launchpad.net/ubuntu/lucid/+package/bash-static) and overwrite /bin/bash. It shouldn't cause any issues when upgrading, though you could back up the original.

8.04 is unsupported, and situations like this justify the effort of upgrading it to the latest LTS.


Enter this PoC in your terminal:

  env var='() {(a)=>\' bash -c "echo date"; cat echo

A target patched for CVE-2014-6271 will output the date upon executing that PoC (Proof of Concept):

  bash: var: line 1: syntax error near unexpected token `='
  bash: var: line 1: `'
  bash: error importing function definition for `var'
  Thu Sep 25 17:52:32 EDT 2014

There is a new update (#26) for bash 4.3 which fixes CVE-2014-7169 (the old bash update was still flawed/incomplete as demonstrated above by executing the PoC). So, taking into account what everyone before contributed, the new complete patch code would be:

  mkdir src
  cd src
  wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
  #download all patches (001 through 026; there is no bash43-000)
  for i in $(seq -f "%03g" 1 26); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
  tar zxvf bash-4.3.tar.gz
  cd bash-4.3
  #apply all patches
  for i in $(seq -f "%03g" 1 26); do patch -p0 < ../bash43-$i; done
  #build and install
  sudo ./configure --prefix=/usr --bindir=/bin --sbindir=/sbin --sysconfdir=/etc && sudo make && sudo make install

Once patched for CVE-2014-7169 the previous PoC should not return the date anymore:

  bash: var: line 1: syntax error near unexpected token `='
  bash: var: line 1: `'
  bash: error importing function definition for `var'
  date
  cat: echo: No such file or directory

And thanks to all previous contributors!
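An added helper script (not code from any commenter in this thread) for two checks the procedure above skips: verifying each patch's detached GnuPG signature against the GNU keyring before it is applied, and running the PoC above against the freshly built ./bash before it is installed over /bin/bash. It assumes wget and gpg are installed and that the keyring is published at https://ftp.gnu.org/gnu/gnu-keyring.gpg.

```sh
#!/bin/sh
# Added example, not code from the thread: verify patch signatures before applying,
# and test the built binary with the CVE-2014-7169 PoC before installing it.
# Assumptions: wget and gpg are installed; KEYRING_URL is where GNU publishes its keyring.

PATCH_BASE="http://ftp.gnu.org/gnu/bash/bash-4.3-patches"
KEYRING_URL="https://ftp.gnu.org/gnu/gnu-keyring.gpg"

# Zero-padded patch file name for a patch level, e.g. 7 -> bash43-007
patch_name() {
    printf 'bash43-%03d' "$1"
}

# Download patch N plus its detached .sig and verify it against the GNU keyring.
# A non-zero return means "do not apply this file".
fetch_verified_patch() {
    f=$(patch_name "$1")
    [ -f gnu-keyring.gpg ] || wget -q -O gnu-keyring.gpg "$KEYRING_URL" || return 1
    wget -q "$PATCH_BASE/$f" "$PATCH_BASE/$f.sig" || return 1
    gpg --no-default-keyring --keyring ./gnu-keyring.gpg --verify "$f.sig" "$f" >/dev/null 2>&1
}

# Run the thread's PoC against a given bash binary inside a scratch directory.
# A vulnerable bash executes the trailing "date" with its output redirected into a
# file named "echo"; a patched bash just prints the word "date" and creates nothing.
# Returns 0 when patched, 1 when vulnerable, 2 if no scratch directory could be made.
check_7169() {
    bin="$1"
    case "$bin" in /*) ;; *) bin="$PWD/$bin" ;; esac   # keep a relative ./bash usable after cd
    d=$(mktemp -d) || return 2
    ( cd "$d" && env var='() {(a)=>\' "$bin" -c "echo date" >/dev/null 2>&1 )
    if [ -e "$d/echo" ]; then rc=1; else rc=0; fi
    rm -rf "$d"
    return "$rc"
}

# Typical use inside the unpacked bash-4.3 tree, before "make install":
#   for n in $(seq 1 26); do fetch_verified_patch "$n" && patch -p0 < "$(patch_name "$n")"; done
#   make && check_7169 ./bash && echo "built bash is patched for CVE-2014-7169"
```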


This sequence failed for me because my Ubuntu 8.04 didn't have patch installed.

I found a source copy at https://launchpad.net/ubuntu/+source/patch/2.5.9-4 and built/installed that first. The resulting fix appears to work (after copying resulting bash to /bin as noted elsewhere).


I had the same problem. I needed to install patch, make and gcc. So I downloaded the ISO from http://old-releases.ubuntu.com/releases/hardy/ and then edited /etc/apt/sources.list so my server would look on the CD for the packages. I could then use 'apt-get install' to install the required programs. I also found that the 'do' command was throwing up an error. Rather than work out why, I just manually downloaded the 26 patches and then manually applied them as well. Yeah, OK, I'm a noob, but it worked.


I am running Ubuntu 10.10 but patch is not installed. Can someone explain the commands needed to download, build, and install patch as mentioned above? Thanks for any help.


I found out how to install the patch package here:

http://askubuntu.com/questions/529233/how-do-i-install-patch...


This won't work; you need

sudo make install

Given the circumstances, a lot of people without much software experience will be reading this message and simply copying and pasting; it's worth getting it right.

On Ubuntu, you'll probably want to ./configure --prefix=/usr/bin . If you install in /usr/local/bin (the default), bash will effectively no longer be updated by apt-get.


That should probably have been ./configure --prefix=/usr --bindir=/bin --sbindir=/sbin --sysconfdir=/etc

Once upon a time, distributions documented their build configurations. Or maybe it's that I used to only use FreeBSD.


That script assumes that it is executed as root. There's indeed a possible problem with /usr/local/bin/bash vs. /bin/bash with the Ubuntu update from 8.04 to 10.04 (since Ubuntu 8.04 itself is no longer updateable), thus I asked that question at the end of my post. To mitigate it, one can just add:

  mv /usr/local/bin/bash /bin

as the last line.


I tried this and realized it installs the binary under /usr/local/bin. You'll need to make a symlink or, preferably, follow ricilake's advice. If you forget to do this and log out, you may never log back in. BTW, the path to bash in Ubuntu is /bin/bash, not /usr/bin/bash.


I just wanted to say, "Thanks!"

I successfully patched my 8.04 server and passed the test.

I used sudo ./configure --prefix=/usr --bindir=/bin --sbindir=/sbin --sysconfdir=/etc && sudo make && sudo make install after retrieving and patching the bash build files.


Why is my bash version still 4.2.45(1) after this?

    # bash --version
    bash --version
    GNU bash, version 4.2.45(1)-release (x86_64-pc-linux-gnu)

Though it seems the vulnerability got fixed.


Hi, I have tried to follow the instructions given by rtmdivine to patch for CVE-2014-6271, but at the end of the process I still get the date. Any suggestions? Thanks.


In Debian Lenny you should also do at the end sudo rm /bin/bash && sudo ln -s /usr/local/bin/bash /bin/bash


Need to wget all the patches including #26 to fix the 2nd bug reported. Instead, why not just wget the whole dir of patches..

  wget -r -l 1 -nH -nd -np http://ftp.gnu.org/gnu/bash/bash-4.3-patches/ && rm *.sig index.html*
  cd bash-4.3; for i in ../bash43-*; do patch -p0 < $i; done

etc


wtf. this damn form ate my 's and stuff.

try again:

  wget -r -l 1 -nH -nd -np http://ftp.gnu.org/gnu/bash/bash-4.3-patches/ && rm *.sig index.html*

should be no \'s (or \\s) before the *'s above.


I give up, this thing is eating asterisks, can't type them.


Does this fix CVE-2014-7169 as well, or just CVE-2014-6271?



