shellshock - how to patch bash on old mandriva leased server

Web hosting discussion, programming, and shared and dedicated servers.
11 posts Page 1 of 2
by Guest » Thu Sep 25, 2014 1:42 pm
My leased server runs an old version of linux, and an ancient version of the bash shell. It is vulnerable to the 'shellshock' problem.

It has been too many years since I did any significant systems administration. Can someone advise on how to patch bash on this machine? rpm, urpmi, apt-get ... ? Please help!

System details follow.

Code:

SHELL> uname -a
Linux [hostname omitted] 2.6.12-15mdk #1 Mon Jan 9 17:08:48 MST 2006 i686 Intel(R) Celeron(R) CPU 2.66GHz unknown GNU/Linux

SHELL> cat /etc/issue
Mandriva Linux release 2006.0 (Official) for i586
Kernel 2.6.12-15mdk on an i686 / \l

SHELL> rpm -qi bash
Name        : bash                         Relocations: (not relocatable)
Version     : 3.0                               Vendor: Mandriva
Release     : 6mdk                          Build Date: Sun 12 Jun 2005 04:02:28 PM PDT
Install Date: Fri 10 Feb 2006 12:47:06 AM PST      Build Host: n2.mandrakesoft.com
Group       : Shells                        Source RPM: bash-3.0-6mdk.src.rpm
Size        : 1004604                          License: GPL
Signature   : DSA/SHA1, Mon 12 Sep 2005 08:24:47 AM PDT, Key ID e7898ae070771ff3
Packager    : Guillaume Rousse <[email protected]>
URL         : http://www.gnu.org/software/bash/bash.html
Summary     : The GNU Bourne Again shell (bash)
Description : ...

by kgc » Fri Sep 26, 2014 10:28 am
You've got a couple of choices, but the easiest may be to just download and compile a new version of bash. You can probably safely upgrade to a newer version, but if you want to be conservative you could stay with 3.0. Just download the release tar.gz and all of the patches into a directory.

wget http://ftp.gnu.org/gnu/bash/bash-3.0.tar.gz
wget -r --no-parent http://ftp.gnu.org/gnu/bash/bash-3.0-patches/

tar -xzvf bash-3.0.tar.gz
cd bash-3.0

for patch in `ls ../ftp.gnu.org/gnu/bash/bash-3.0-patches/* | grep -v sig`; do cat $patch | patch; done

Then, since the official patches don't fix the problem yet, add this patch by hand

http://lists.gnu.org/archive/html/bug-b ... oov1.patch

Then run ./configure && make

You can probably just copy the resulting bash to /bin/bash (copy the old one!) after making sure that you can execute it and get a valid shell and have tested that the patches applied correctly.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by famweb » Fri Sep 26, 2014 11:49 am
It chokes for me performing the patch. Same as above, I'm on Mandriva 2006.0, Sonic COLO. I'm not really sure how to proceed. Any suggestions? I am seeing:

Code:

[root@cim-sms /usr/local/src/bash-3.0]# for patch in `ls ../ftp.gnu.org/gnu/bash/bash-3.0-patches/* | grep -v sig`; do cat $patch | patch; done
patching file arrayfunc.c
patching file subst.c
patching file variables.c
patching file pcomplete.c
patching file array.c
patching file patchlevel.h
can't find file to patch at input line 150
Perhaps you should have used the -p or --strip option?
The text leading up to this was:
--------------------------
|*** ../bash-3.0/tests/dbg-support.tests        Tue Mar 25 15:33:03 2003
|--- tests/dbg-support.tests    Tue Aug  3 23:09:29 2004
--------------------------
File to patch:
by kgc » Fri Sep 26, 2014 12:01 pm
That should be okay; the last few failed patches are the indexes.

You could repeat the tar and patches like this:

for patch in `ls ../ftp.gnu.org/gnu/bash/bash-3.0-patches/* | grep -v sig | grep -v index`; do cat $patch | patch; done
Kelsey Cummings
System Architect, Sonic.net, Inc.
by Guest » Sun Sep 28, 2014 7:47 pm
I am trying to follow kgc's method to patch bash 3.2 on Mandriva 2009.1, and I am getting an error:

Code:

$ for patch in `ls ../ftp.gnu.org/gnu/bash/bash-3.2-patches/* | grep -v sig | grep -v index`; do cat $patch | patch; done
patching file parse.y
patching file patchlevel.h
can't find file to patch at input line 20
Perhaps you should have used the -p or --strip option?
The text leading up to this was:
--------------------------
|			     BASH PATCH REPORT
|			     =================
|
|Bash-Release: 3.2
|Patch-ID: bash32-002
|
|Bug-Reported-by:	Jim Gifford <[email protected]>
|Bug-Reference-ID:	<[email protected]>
|Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2006-10/msg00082.html
|
|Bug-Description:
|
|An incorrect encoding specification in the Content-Type header causes msgfmt
|to fail, which causes `make install' to fail.
|
|Patch:
|
|*** ../bash-3.2/po/ru.po        Tue Jan 10 17:51:03 2006
|--- po/ru.po    Mon Oct 16 15:13:23 2006
--------------------------
File to patch:
How should I proceed? Thanks.
by Guest » Mon Sep 29, 2014 12:17 am
kgc wrote: for patch in `ls ../ftp.gnu.org/gnu/bash/bash-3.0-patches/* | grep -v sig`; do cat $patch | patch; done
Try adding "-p2" to the patch command. Something like:

for patch in `ls ../ftp.gnu.org/gnu/bash/bash-3.0-patches/bash30-???`; do patch -p2 <$patch; done
by Guest » Mon Sep 29, 2014 1:30 am
Thanks, after using the recommended commands, I am still having trouble:

Code:

$ for patch in `ls ../ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-???`; do patch -p2 <$patch; done
missing header for context diff at line 20 of patch
patching file parse.y
missing header for context diff at line 35 of patch
patching file patchlevel.h
missing header for context diff at line 20 of patch
patching file po/ru.po
missing header for context diff at line 36 of patch
patching file patchlevel.h
missing header for context diff at line 21 of patch
patching file parse.y
missing header for context diff at line 134 of patch
patching file patchlevel.h
missing header for context diff at line 21 of patch
patching file subst.c
missing header for context diff at line 65 of patch
patching file tests/new-exp.right
missing header for context diff at line 84 of patch
patching file patchlevel.h
missing header for context diff at line 22 of patch
patching file builtins/printf.def
patching file lib/sh/snprintf.c
missing header for context diff at line 211 of patch
patching file patchlevel.h
patching file lib/readline/display.c
missing header for context diff at line 33 of patch
patching file patchlevel.h
missing header for context diff at line 20 of patch
patching file jobs.c
missing header for context diff at line 41 of patch
patching file patchlevel.h
missing header for context diff at line 21 of patch
patching file findcmd.c
missing header for context diff at line 36 of patch
patching file patchlevel.h
patching file lib/sh/snprintf.c
missing header for context diff at line 49 of patch
patching file patchlevel.h
missing header for context diff at line 23 of patch
patching file pathexp.h
missing header for context diff at line 46 of patch
patching file pathexp.c
missing header for context diff at line 104 of patch
patching file subst.c
missing header for context diff at line 167 of patch
patching file execute_cmd.c
missing header for context diff at line 195 of patch
patching file patchlevel.h
missing header for context diff at line 24 of patch
patching file configure.in
missing header for context diff at line 53 of patch
patching file config-bot.h
missing header for context diff at line 87 of patch
patching file builtins/common.c
missing header for context diff at line 110 of patch
patching file configure
missing header for context diff at line 126 of patch
patching file patchlevel.h
missing header for context diff at line 24 of patch
patching file config.h.in
missing header for context diff at line 58 of patch
patching file builtins/printf.def
missing header for context diff at line 84 of patch
patching file patchlevel.h
patching file lib/readline/display.c
missing header for context diff at line 53 of patch
patching file patchlevel.h
missing header for context diff at line 21 of patch
patching file array.c
missing header for context diff at line 139 of patch
patching file array.h
missing header for context diff at line 149 of patch
patching file subst.c
missing header for context diff at line 295 of patch
patching file patchlevel.h
missing header for context diff at line 21 of patch
patching file execute_cmd.c
missing header for context diff at line 35 of patch
patching file subst.c
Hunk #1 succeeded at 4166 (offset 15 lines).
Hunk #2 succeeded at 4221 (offset 15 lines).
Hunk #3 succeeded at 4742 (offset 23 lines).
missing header for context diff at line 73 of patch
patching file subst.h
missing header for context diff at line 83 of patch
patching file patchlevel.h
patching file lib/readline/display.c
missing header for context diff at line 40 of patch
patching file patchlevel.h
patching file lib/readline/display.c
missing header for context diff at line 73 of patch
patching file patchlevel.h
missing header for context diff at line 21 of patch
patching file jobs.c
missing header for context diff at line 86 of patch
patching file patchlevel.h
patching file lib/readline/complete.c
patching file input.c
Hunk #1 FAILED at 522.
Hunk #2 FAILED at 529.
Hunk #3 FAILED at 579.
3 out of 3 hunks FAILED -- saving rejects to file input.c.rej
patching file lib/readline/isearch.c
patching file lib/readline/misc.c
patching file lib/readline/readline.c
patching file lib/readline/text.c
patching file lib/readline/vi_mode.c
missing header for context diff at line 331 of patch
patching file patchlevel.h
missing header for context diff at line 20 of patch
patching file sig.c
missing header for context diff at line 48 of patch
patching file sig.h
missing header for context diff at line 58 of patch
patching file builtins/common.c
missing header for context diff at line 84 of patch
patching file subst.c
missing header for context diff at line 121 of patch
patching file arrayfunc.c
missing header for context diff at line 132 of patch
patching file expr.c
missing header for context diff at line 142 of patch
patching file variables.c
missing header for context diff at line 171 of patch
patching file patchlevel.h
missing header for context diff at line 20 of patch
patching file parse.y
missing header for context diff at line 60 of patch
patching file patchlevel.h
missing header for context diff at line 21 of patch
patching file builtins/read.def
missing header for context diff at line 114 of patch
patching file patchlevel.h
missing header for context diff at line 20 of patch
patching file subst.c
missing header for context diff at line 39 of patch
patching file patchlevel.h
patching file lib/readline/display.c
missing header for context diff at line 65 of patch
patching file patchlevel.h
patching file input.c
Hunk #1 FAILED at 134.
Hunk #2 FAILED at 254.
Hunk #3 FAILED at 378.
3 out of 3 hunks FAILED -- saving rejects to file input.c.rej
missing header for context diff at line 67 of patch
patching file patchlevel.h
missing header for context diff at line 27 of patch
patching file configure.in
missing header for context diff at line 42 of patch
patching file configure
missing header for context diff at line 57 of patch
patching file version.c
missing header for context diff at line 70 of patch
patching file patchlevel.h
patching file lib/readline/display.c
missing header for context diff at line 73 of patch
patching file patchlevel.h
patching file lib/readline/display.c
missing header for context diff at line 48 of patch
patching file patchlevel.h
missing header for context diff at line 21 of patch
patching file expr.c
missing header for context diff at line 40 of patch
patching file patchlevel.h
missing header for context diff at line 21 of patch
patching file execute_cmd.c
missing header for context diff at line 36 of patch
patching file patchlevel.h
patching file lib/readline/display.c
Hunk #1 succeeded at 1623 (offset 4 lines).
missing header for context diff at line 50 of patch
patching file patchlevel.h
patching file input.c
Hunk #1 FAILED at 155.
1 out of 1 hunk FAILED -- saving rejects to file input.c.rej
missing header for context diff at line 35 of patch
patching file patchlevel.h
missing header for context diff at line 21 of patch
patching file arrayfunc.c
missing header for context diff at line 36 of patch
patching file subst.c
missing header for context diff at line 75 of patch
patching file patchlevel.h
patching file lib/sh/getcwd.c
missing header for context diff at line 62 of patch
patching file patchlevel.h
missing header for context diff at line 20 of patch
patching file subst.c
Hunk #1 succeeded at 4721 with fuzz 2.
missing header for context diff at line 40 of patch
patching file jobs.c
missing header for context diff at line 147 of patch
patching file patchlevel.h
missing header for context diff at line 21 of patch
patching file execute_cmd.c
missing header for context diff at line 32 of patch
patching file patchlevel.h
missing header for context diff at line 20 of patch
patching file subst.c
missing header for context diff at line 53 of patch
patching file subst.h
missing header for context diff at line 68 of patch
patching file parse.y
missing header for context diff at line 83 of patch
patching file bashline.c
missing header for context diff at line 98 of patch
patching file patchlevel.h
missing header for context diff at line 23 of patch
patching file builtins/read.def
missing header for context diff at line 68 of patch
patching file patchlevel.h
missing header for context diff at line 23 of patch
patching file execute_cmd.c
missing header for context diff at line 39 of patch
patching file shell.h
missing header for context diff at line 49 of patch
patching file version.c
missing header for context diff at line 61 of patch
patching file builtins/shopt.def
missing header for context diff at line 107 of patch
patching file doc/bash.1
missing header for context diff at line 122 of patch
patching file doc/bashref.texi
Hunk #1 succeeded at 3607 (offset -454 lines).
missing header for context diff at line 136 of patch
patching file tests/shopt.right
missing header for context diff at line 163 of patch
patching file patchlevel.h
missing header for context diff at line 20 of patch
patching file array.c
missing header for context diff at line 35 of patch
patching file patchlevel.h
missing header for context diff at line 20 of patch
patching file bashhist.c
missing header for context diff at line 43 of patch
patching file builtins/set.def
missing header for context diff at line 97 of patch
patching file builtins/evalstring.c
missing header for context diff at line 130 of patch
patching file bashhist.h
missing header for context diff at line 142 of patch
patching file patchlevel.h
missing header for context diff at line 20 of patch
patching file expr.c
missing header for context diff at line 36 of patch
patching file patchlevel.h
missing header for context diff at line 20 of patch
patching file variables.c
missing header for context diff at line 50 of patch
patching file patchlevel.h
patching file lib/readline/display.c
missing header for context diff at line 138 of patch
patching file patchlevel.h
missing header for context diff at line 20 of patch
patching file execute_cmd.c
missing header for context diff at line 38 of patch
patching file patchlevel.h
missing header for context diff at line 20 of patch
can't find file to patch at input line 20
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|			     BASH PATCH REPORT
|			     =================
|
|Bash-Release: 3.2
|Patch-ID: bash32-046
|
|Bug-Reported-by:	Wang Xin <[email protected]>
|Bug-Reference-ID:	<[email protected]>
|Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2008-07/msg00014.html
|
|Bug-Description:
|
|Bash did not compute the length of multibyte characters correctly when
|performing array element length references (e.g., ${#var[subscript]}).
|
|Patch:
|
|*** /usr/src/local/bash/bash-3.2-patched/subst.c	2008-04-28 22:00:20.000000000 -0400
|--- subst.c	2008-11-10 22:02:38.000000000 -0500
--------------------------
File to patch:
by Guest » Mon Sep 29, 2014 12:14 pm
OK, try "-p0" instead of -p2, although that may (depending on your version of 'patch') result in a bunch of "Ignoring potentially dangerous file name" warnings, which can be ignored. So for bash-3.0:

Code:

for patch in ../ftp.gnu.org/gnu/bash/bash-3.0-patches/bash30-???; do
  echo "** Applying patch $patch";
  patch -p0 <$patch;
done
by kgc » Mon Sep 29, 2014 2:07 pm
Don't forget to include patches 18 and 19 which came out since this thread started - I'd also watch the patch directory for any additional patches. It is clear that we can expect additional patches to come given all of the eyes (good and evil) on bash now.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by Guest » Mon Sep 29, 2014 5:02 pm
Thank you very much! The switch -p0 did the trick, and I was able to patch and compile bash-3.2. Regarding new patches to include, I downloaded the latest http://ftp.gnu.org/gnu/bash/bash-3.2-patches/ . The latest patch is patch 54 of 28 Sep, so I hope this is the latest? The 'echo' test shows that I am OK now:

Code:

$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
hello
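As an added example (not code from the thread or from any of its posters), the POSIX sh script below does what the last few posts converge on: it takes the mirrored patch series in numeric order with -p0, skips the .sig and index files through the glob rather than grep, stops at the first patch that does not apply instead of letting rejected hunks scroll past as they did for input.c above, and runs the env-function check from the last post against an explicitly named shell binary. It assumes the directory layout that wget -r produced in the thread (bashNN-NNN files beside .sig and index.html* files) and GNU patch, since the official bash patches are context diffs. The script name and the --run flag are my own.

```shell
#!/bin/sh
# Added example, not from the thread: apply a mirrored GNU bash patch series
# in order, stopping at the first patch that does not apply, then run the
# thread's env-function test against a named shell binary.
# Assumptions: the series was mirrored with "wget -r" as in the thread, so
# the directory holds bashNN-NNN files next to .sig signatures and
# index.html* pages; "patch" is GNU patch (the official patches are context
# diffs, which busybox patch does not read).

# List the patches of a mirrored bash-N.M-patches directory in numeric
# order. The bashNN-NNN names are zero padded, so the shell's sorted glob
# expansion is already the right order, and the glob skips the .sig and
# index files that the thread filtered with "grep -v sig | grep -v index".
list_patch_series() {
    series_dir=$1
    for p in "$series_dir"/bash??-???; do
        # an unmatched glob stays literal; the -f test drops it
        [ -f "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Apply the series from inside the unpacked source tree (the cwd). Every
# patch is dry-run first so a rejected hunk is reported by name and stops
# the loop, instead of scrolling past as the input.c failures did in the
# thread's "cat $patch | patch" loop. -p0 matches the "*** ../bash-3.2/x"
# and "--- x" headers of the official patches (the "potentially dangerous
# file name" warnings some patch versions print are harmless).
apply_patch_series() {
    series_dir=$1
    for p in "$series_dir"/bash??-???; do
        [ -f "$p" ] || continue
        if ! patch -p0 --dry-run <"$p" >/dev/null 2>&1; then
            echo "$(basename "$p") does not apply cleanly; stopping" >&2
            return 1
        fi
        patch -p0 <"$p" >/dev/null 2>&1 || return 1
        echo "applied $(basename "$p")"
    done
    return 0
}

# The thread's check, run against an explicit binary rather than whatever
# "bash" is first in PATH, so both the freshly built ./bash and the
# installed /bin/bash can be tested. A fixed shell prints only "hello"; a
# vulnerable one also runs the trailing "echo vulnerable" while importing
# the function definition from the environment.
# Returns 0 when the shell is fixed and 1 when it is vulnerable.
check_shellshock() {
    shell=$1
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo hello' 2>/dev/null)
    case $out in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Usage from the unpacked source directory, e.g. /usr/local/src/bash-3.2:
#   sh patch-bash.sh --run ../ftp.gnu.org/gnu/bash/bash-3.2-patches
if [ "${1:-}" = "--run" ]; then
    apply_patch_series "$2" || exit 1
    ./configure >/dev/null && make >/dev/null || exit 1
    if check_shellshock ./bash; then
        echo "./bash: not vulnerable; copy it over /bin/bash after keeping a backup"
    else
        echo "./bash is still vulnerable: check that the newest patches were mirrored" >&2
        exit 1
    fi
fi
```

Run check_shellshock a second time against /bin/bash after copying the new binary into place: `bash -c` as used in the last post tests whichever bash is first in PATH, which on a server with /usr/local/bin ahead of /bin may not be the one that cron jobs and CGI scripts actually get.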