BASH Fix

BASH SHELLSHOCK REMOTE CODE EXECUTION VULNERABILITY CVE-2014-6271
Introduction

http://www.ubuntu.com/usn/usn-2362-1/

A bug discovered in the widely used Bash command interpreter poses a critical security risk to Unix and Linux systems – and, thanks to their ubiquity, the internet at large.

It lands countless websites, servers, PCs, OS X Macs, various home routers, and more, in danger of hijacking by hackers.

The vulnerability is present in Bash up to and including version 4.3, and was discovered by Stephane Chazelas. It puts Apache web servers, in particular, at risk of compromise: CGI scripts that use or invoke Bash in any way – including any child processes spawned by the scripts – are vulnerable to remote-code injection. OpenSSH and some DHCP clients are also affected on machines that use Bash.

Ubuntu and other Debian-derived systems that use Dash exclusively are not at risk – Dash isn't vulnerable, but busted versions of Bash may well be present on the systems anyway. It's essential you check the shell interpreters you're using, and any Bash packages you have installed, and patch if necessary.

The security patch for CVE-2014-7169 has been released as a standard security update. There is no need to add additional PPAs to receive this patch. Only the following is needed.

To ensure you have patched bash correctly, run the following command...

dpkg -s bash | grep Version

If you are on Ubuntu 14.04 LTS, you should see an output of:

Version: 4.3-7ubuntu1.4

If you are on Ubuntu 12.04 LTS, your output should be:

Version: 4.2-2ubuntu2.3

If you are on Ubuntu 10.04 LTS, your output should be:

Version: 4.1-2ubuntu3.1

If you are on Raspbian GNU/Linux 7 (wheezy), your output should be:

Version: 4.2+dfsg-0.1+deb7u3

Instructions

Centos
sudo yum update
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version

Red Hat
sudo yum update
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version

Debian
sudo apt-get update
sudo apt-get install --only-upgrade bash
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version

Raspbian (Raspberry Pi)
sudo apt-get update
sudo apt-get install --only-upgrade bash
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version

Ubuntu
sudo apt-get update
sudo apt-get install --only-upgrade bash
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version
dpkg -s bash | grep Version
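The same env-function test the instructions above use, wrapped as a POSIX sh script that probes every login shell in /etc/shells plus bash and /bin/sh and reports each as patched, VULNERABLE or not found. This is an added example, not part of the original page or any distribution's tooling; it assumes the test string with its "()" prefix, and the marker word "vulnerable" is only echoed when the probed shell executes the trailing command of the imported function.

```shell
#!/bin/sh
# Added example (not from the original page): probe shell interpreters
# for CVE-2014-6271 using the page's env-function test.

# probe_shell PATH_OR_NAME
# Returns 0 = patched, 1 = vulnerable, 2 = interpreter not runnable.
probe_shell() {
    shell="$1"
    command -v "$shell" >/dev/null 2>&1 || return 2
    # A vulnerable bash parses the environment value as a function and
    # runs the trailing "echo vulnerable"; a patched bash (or any
    # non-bash shell such as dash) prints only "completed".
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo completed' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *completed*)  return 0 ;;
        *)            return 2 ;;
    esac
}

# probe_status PATH_OR_NAME -> prints a one-word verdict
probe_status() {
    rc=0
    probe_shell "$1" || rc=$?
    case $rc in
        0) echo patched ;;
        1) echo VULNERABLE ;;
        *) echo "not found" ;;
    esac
}

# Probe bash, /bin/sh (dash on Ubuntu, so it reports patched regardless
# of bash) and every absolute path listed in /etc/shells.
probe_all() {
    list="bash /bin/sh"
    if [ -r /etc/shells ]; then
        list="$list $(grep '^/' /etc/shells | tr '\n' ' ')"
    fi
    for s in $list; do
        printf '%-24s %s\n' "$s" "$(probe_status "$s")"
    done | sort -u
}

probe_all
```

A non-zero exit from probe_shell on a shell you rely on (bash itself, or whatever CGI scripts and cron jobs invoke) means the package upgrade above has not taken effect for that binary.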

Ubuntu 10.10 11.04 12.10 13.04 13.10

USE THIS AT YOUR OWN RISK. IT WORKS BUT YOU SHOULD REALLY UPGRADE YOUR DISTRO!!!

Also, I found that you had to find the .deb file and install it again, because it would display errors and get confused about versions and not fully finish the update...

dpkg -s bash | grep Version
Version: 4.3-7ubuntu1.4
Config-Version: 4.2-5ubuntu3

So, we find the .deb file and run the debian installer again...

sudo dpkg -i /var/cache/apt/archives/bash_4.3-7ubuntu1.4_amd64.deb
(Reading database ... 131036 files and directories currently installed.)
Preparing to replace bash 4.3-7ubuntu1.4 (using .../bash_4.3-7ubuntu1.4_amd64.deb) ...
Unpacking replacement bash ...
Setting up bash (4.3-7ubuntu1.4) ...
update-alternatives: using /usr/share/man/man7/bash-builtins.7.gz to provide /usr/share/man/man7/builtins.7.gz (builtins.7.gz) in auto mode
Processing triggers for install-info ...

...and now we get no errors...

dpkg -s bash | grep Version
Version: 4.3-7ubuntu1.4

OK? Now read on...

LATEST: 2014-09-28

I have successfully downloaded and installed JUST the .deb file without having to edit the sources list from the ORIGINAL LINK below.

Here is the procedure with my notes...

1. Check to see what architecture your system is using (either amd64 or i686)...

sudo uname -a

2. Download the currently installed version of BASH as a Debian Package file (.deb) into the directory you are in...

sudo aptitude download bash

3. Download the new version of BASH from the Ubuntu web site (this example is amd64)...

sudo wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6414574/+files/bash_4.3-7ubuntu1.4_amd64.deb

4. Perform a test of installing the new version of BASH using that downloaded file and check for any errors...

sudo dpkg -i --simulate bash_4.3-7ubuntu1.4_amd64.deb

5. If all is well, now install the new version of BASH...

sudo dpkg -i bash_4.3-7ubuntu1.4_amd64.deb

6. Confirm the new version...

sudo dpkg -s bash | grep Version

7. Confirm the vulnerability test passes...

# test bash itself; on Ubuntu /bin/sh is dash, which is not affected
env X="() { :;} ; echo busted" bash -c "echo completed"

8. Restart all services that use BASH (as needed on your system)...

sudo service ssh restart
sudo service apache2 restart
sudo service dhcpd restart

9. Breathe a sigh of relief :)


 * 14.04 (trusty) amd64 - https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6414574/+files/bash_4.3-7ubuntu1.4_amd64.deb
 * 14.04 (trusty) i386 - https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6414577/+files/bash_4.3-7ubuntu1.4_i386.deb
 * 14.04 (trusty) all - https://launchpad.net/ubuntu/trusty/+package/bash
 * 12.04 (precise) amd64 - https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6414580/+files/bash_4.2-2ubuntu2.5_amd64.deb
 * 12.04 (precise) i386 - https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6414583/+files/bash_4.2-2ubuntu2.5_i386.deb
 * 12.04 (precise) all - https://launchpad.net/ubuntu/precise/+package/bash

ORIGINAL LINK

http://cloudgames.com/blog/fix-bash-exploit-old-new-releases-ubuntu-apt-get/

Gentoo
su - root

All Bash 3.1 users should upgrade to the latest version:

emerge --sync
emerge --ask --oneshot --verbose ">=app-shells/bash-3.1_p18"
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version

All Bash 3.2 users should upgrade to the latest version:

emerge --sync
emerge --ask --oneshot --verbose ">=app-shells/bash-3.2_p52"
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version

All Bash 4.0 users should upgrade to the latest version:

emerge --sync
emerge --ask --oneshot --verbose ">=app-shells/bash-4.0_p39"
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version

All Bash 4.1 users should upgrade to the latest version:

emerge --sync
emerge --ask --oneshot --verbose ">=app-shells/bash-4.1_p12"
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version

All Bash 4.2 users should upgrade to the latest version:

emerge --sync
emerge --ask --oneshot --verbose ">=app-shells/bash-4.2_p48"
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version

HOWEVER, IF YOUR GENTOO PORTAGE TREE IS VERY OLD, OR YOU DO NOT WANT TO UPDATE ALL YOUR SOFTWARE

su - root
mkdir -p /usr/local/portage/app-shells/bash
cd /usr/local/portage/app-shells/bash
wget -O bash-4.2_p48-r1.ebuild http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-shells/bash/bash-4.2_p48-r1.ebuild?revision=1.4
cp -avrf /usr/portage/app-shells/bash/files .
cd files/
wget http://mirrors.163.com/gentoo-portage/app-shells/bash/files/bash-4.2-execute-job-control.patch
wget http://mirrors.163.com/gentoo-portage/app-shells/bash/files/bash-4.2-parallel-build.patch
wget http://mirrors.163.com/gentoo-portage/app-shells/bash/files/bash-4.2-no-readline.patch
wget http://mirrors.163.com/gentoo-portage/app-shells/bash/files/bash-4.2-read-retry.patch
wget http://mirrors.163.com/gentoo-portage/app-shells/bash/files/bash-4.2-speed-up-read-N.patch
wget http://mirrors.163.com/gentoo-portage/app-shells/bash/files/bash-eol-pushback.patch
chown portage:portage bash*
eix-update
cd ..
ebuild bash-4.2_p48-r1.ebuild digest
emerge --fetchonly --verbose --update app-shells/bash
eix -I bash
emerge --ask --oneshot --verbose --update app-shells/bash
eix -I bash
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version

And, if necessary, restart the services which may use BASH...

/etc/init.d/sshd restart
/etc/init.d/apache2 restart
/etc/init.d/dhcpd restart

Links
http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

https://forums.gentoo.org/viewtopic-t-1000670.html

http://packages.gentoo.org/package/app-shells/bash