I maintain an out-of-support Ubuntu 12.10 (Quantal Quetzal) server (don't ask me why, please), and we need to patch the Shellshock Bash security bug. As upgrades are not available anymore, what is the recommended way to patch Bash?

I found this answer (it recommends retrieving packages from Debian and not installing binary packages, but installing packages from source). That seems OK to me, but what is some other advice?

smonff

6 Answers

This write-up was helpful and worked for the few instances of Ubuntu 12.10 (Quantal) I still have to support.

Fix Bash Exploit On New and Old Releases of Ubuntu

In summary, the steps are:

  1. Get the codename of your current release (e.g. quantal) and store it in a variable:

    lsb_release -a
    # -s (short) -c (codename) prints just the codename, e.g. "quantal"
    DISTRIB_CODENAME=$(lsb_release -sc)
    
  2. Change source to trusty in /etc/apt/sources.list. For example,

    sudo sed -i "s/$DISTRIB_CODENAME/trusty/g" /etc/apt/sources.list
    
  3. Update and upgrade bash

    sudo apt-get update
    
    sudo apt-get install --only-upgrade bash
    
  4. Verify that the latest version fails the following test (i.e. you should not see "busted"):

    env X="() { :;} ; echo busted" `which bash` -c "echo completed"
    
  5. Revert /etc/apt/sources.list to use the current codename. For example,

    sudo sed -i "s/trusty/$DISTRIB_CODENAME/g" /etc/apt/sources.list
    
janos
lumpygator
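The five steps above can be run as one script that backs up sources.list, restores it even if apt-get fails or the run is interrupted, and then performs the same "busted" check. This is an added example, not code from the answer or the linked write-up; it assumes a Debian/Ubuntu host with lsb_release, apt-get, GNU sed and sudo, and takes "trusty" as the donor release from the answer.

```shell
#!/bin/sh
# Added example (not from the answer above): automate the five-step procedure
# of temporarily pointing apt at trusty, upgrading only bash, and restoring
# /etc/apt/sources.list, then check the result with the same env-function test.
# Assumptions: lsb_release, apt-get, GNU sed (for -i and \b) and sudo exist.

SOURCES=/etc/apt/sources.list
TARGET=trusty

# is_bash_vulnerable [path-to-bash]
# Returns 0 (true) when the given bash imports the function definition from
# the environment and runs the command that follows it, i.e. prints "busted".
is_bash_vulnerable() {
    shell=${1:-bash}
    out=$(env X='() { :;} ; echo busted' "$shell" -c 'echo completed' 2>/dev/null)
    case "$out" in
        *busted*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Swap the running release's codename for $TARGET in sources.list, upgrade
# only bash, then put the original file back (the trap restores it even when
# apt-get fails or the script is interrupted) and refresh the package index.
upgrade_bash_from_target() {
    codename=$(lsb_release -sc)          # e.g. quantal
    backup="$SOURCES.pre-shellshock"
    sudo cp "$SOURCES" "$backup" || return 1
    trap 'sudo mv "$backup" "$SOURCES"; sudo apt-get update -qq' EXIT INT TERM
    # \b so that "quantal-updates" and "quantal-security" lines change as well
    sudo sed -i "s/\b$codename\b/$TARGET/g" "$SOURCES"
    sudo apt-get update
    sudo apt-get install --only-upgrade bash
}

# Only touch the system when explicitly asked: sh fix-bash.sh --apply
if [ "${1:-}" = "--apply" ]; then
    if is_bash_vulnerable; then
        upgrade_bash_from_target
    else
        echo "bash already passes the test; nothing to do"
    fi
fi

# Report on the bash found on PATH (with --apply this is the post-upgrade check)
if is_bash_vulnerable; then
    echo "bash is vulnerable: 'busted' was printed"
else
    echo "bash does not execute code from environment function definitions"
fi
```

Without `--apply` the script only runs the check, which is useful on its own for auditing a fleet before and after patching; the restore step re-runs `apt-get update` so that the package index no longer advertises trusty packages once bash has been replaced.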
https://shellshocker.net/#fix has some good tools for manually updating bash.

curl https://shellshocker.net/fixbash | sh

You can also test if your system is vulnerable:

curl https://shellshocker.net/shellshock_test.sh | bash

Run it at your own risk. Here's the script it runs if the above link expires or you don't want to trust it:

cd ~/
mkdir bash-shellshocker
cd bash-shellshocker
echo "Downloading Bash..."
wget https://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
echo "Downloading Bash patches..."
# Fetch bash43-001, bash43-002, ... until the first download fails (no such patch yet)
i=0
rtn=0
while [ $rtn -eq 0 ]; do
  i=`expr $i + 1`
  wget https://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$(printf '%03d' $i)
  rtn=$?
done
i=`expr $i - 1`
echo "Extracting bash from tar.gz..."
tar zxvf bash-4.3.tar.gz
cd bash-4.3
echo "Applying Patches..."
for j in $(seq -f "%03g" 1 $i); do patch -p0 < ../bash43-$j; done

echo "Ready to install. Configuring..."
./configure --prefix=/
echo "Running make"
make
# The script is piped into sh, so use a POSIX test (the bash-only [[ ]] fails under dash)
# and check the effective uid instead of $USER, which sudo may leave unchanged
if [ "$(id -u)" -eq 0 ]
then
  echo "Running make install"
  make install
  cp /bin/bash /usr/local/bin/bash
else
  echo "Running make install  (You may need to type your sudo password here)"
  sudo make install
  sudo cp /bin/bash /usr/local/bin/bash
fi

https://github.com/wreiske/shellshocker/blob/master/fixbash is where the script can be found

good luck

Craig

  • The idea of fixing a bash vulnerability by using a website URL piped into bash is kinda scary (even if they do appear to be legit). – ceejayoz Sep 25 '14 at 20:16
  • @ceejayoz - I did check the script by downloading it first before running it. Of course that doesn't guarantee you'll get the same script every time you run it, so run this at your own risk. The best way is to download it and check it first and then run it locally. – Craig Sep 25 '14 at 22:16
  • This website doesn't recommend doing so: you should always use your package manager if possible. There are (unfortunately) some cases where it is not possible; I admit it is terrific. They provide a solution for people with a specific problem; I hope most people know that it's not a good practice. – smonff Sep 26 '14 at 11:50
  • FYI - the provided GNU patches at the time of this comment do not resolve all of the shellshock exploits. See this article for how to test your bash installation: https://access.redhat.com/articles/1200223 – gymbrall Sep 26 '14 at 18:20
  • The above proposed download-and-compile method does not install bash to the correct place: it installs it at /usr/local/bin, while the system uses /bin/bash. So make sure to symlink it when you are done installing. I'd not recommend using ./configure --prefix=/; that will cause other dirs like share to be created on root. – Madura Anushanga Sep 27 '14 at 07:20
  • It also installs in the correct place. Want to contribute? Check it out on GitHub and send in a pull request. https://github.com/wreiske/shellshocker/blob/master/fixbash – ethree Sep 30 '14 at 21:09
As you should only install this kind of security update from a recognized provider, the solution of compiling from sources is the only one you have.

Yes, the script provided by shellshocker.net is working.

But for Ubuntu 11.04 (Natty Narwhal), 11.10 (Oneiric Ocelot), 12.04 LTS (Precise Pangolin), 12.10 (Quantal Quetzal), 13.04 (Raring Ringtail), and 13.10 (Saucy Salamander) at least, the version of the Bash package is 4.2, so the script needs a few changes:

cd ~/
mkdir bash
cd bash
wget https://ftp.gnu.org/gnu/bash/bash-4.2.tar.gz
# Patches are numbered from 001 (there is no bash42-000)
for i in $(seq -f "%03g" 1 49); do wget https://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-$i; done
tar zxvf bash-4.2.tar.gz
cd bash-4.2
for i in $(seq -f "%03g" 1 49); do patch -p0 < ../bash42-$i; done
./configure && make
sudo make install

And you have to install Bison for the "make" command to work:

sudo apt-get install bison
Peter Mortensen
Ame Nomade
  • I noticed this difference. Why shouldn't we use 4.3 on these Ubuntu versions? Can it break core system elements or other bad stuff? – smonff Sep 27 '14 at 13:42
  • I have an old 8.04 system that was using a 3.* version of bash and updated it to 4.3 using the shellshocker.net script, and everything is working just fine. – Craig Sep 29 '14 at 18:51
  • In general, if you administer some online servers, then you shouldn't upgrade just because a new version is here. You should ask yourself: 1) what's inside this new version? 2) do I need it? Otherwise, just keep stuff as is. This is my advice. And stick to LTS versions. – Ame Nomade Oct 08 '14 at 09:27
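Both source-build answers (the shellshocker.net script for 4.3 and the 4.2 variant here) download the tarball and the patch series over HTTPS and apply them unverified, which is what the comments on the piped-to-sh approach object to. The following added example, which is neither the shellshocker.net fixbash script nor this answer's commands, does the same download for either version but checks each file's detached GnuPG signature before anything is unpacked or applied. It assumes wget, gpg, patch, make and bison are installed, that ftp.gnu.org serves a .sig next to each file, and that the bash maintainer's public key is already in gpg's keyring (the key fingerprint is not on this page; obtain it from GNU's own keyring).

```shell
#!/bin/sh
# Added example (not the shellshocker.net script, not this answer's commands):
# fetch a bash release and its numbered patches from ftp.gnu.org, verify the
# detached .sig of every file before it is used, then patch and build.
# Works for 4.2 (bash42-NNN) and 4.3 (bash43-NNN).
# Assumptions: wget, gpg, patch, make, bison; the signing key is already
# imported (its fingerprint is not on this page and is not hard-coded here).

BASE_URL=https://ftp.gnu.org/gnu/bash

# patch_file_name VERSION N  ->  e.g. "bash43-007" for 4.3 and 7
patch_file_name() {
    printf 'bash%s-%03d\n' "$(printf '%s' "$1" | tr -d .)" "$2"
}

# Download FILE and FILE.sig. Returns 1 if FILE does not exist on the server
# (end of the patch series), 2 if the signature is missing or does not verify.
# A file that fails verification is deleted so a later step cannot use it.
fetch_verified() {
    url=$1
    file=$(basename "$url")
    wget -q "$url" || return 1
    if ! wget -q "$url.sig" || ! gpg --verify "$file.sig" "$file" 2>/dev/null; then
        echo "signature check FAILED for $file" >&2
        rm -f "$file" "$file.sig"
        return 2
    fi
}

# fetch_patches VERSION MAX: fetch patches 001..MAX, stopping at the first one
# that does not exist yet, and print how many were fetched. Any signature
# failure aborts the whole build rather than skipping that patch.
fetch_patches() {
    ver=$1
    max=$2
    n=1
    while [ "$n" -le "$max" ]; do
        fetch_verified "$BASE_URL/bash-$ver-patches/$(patch_file_name "$ver" "$n")"
        rc=$?
        if [ "$rc" -eq 1 ]; then break; fi
        if [ "$rc" -eq 2 ]; then return 2; fi
        n=$((n + 1))
    done
    echo $((n - 1))
}

# build_patched_bash VERSION [MAX]: verified download, unpack, patch, build.
# Installing is left to the operator: with the default prefix, make install
# writes /usr/local/bin/bash and /bin/bash stays the old binary (see the
# comments on the shellshocker answer).
build_patched_bash() {
    ver=$1
    max=${2:-99}
    work=$(mktemp -d) || return 1
    cd "$work" || return 1
    fetch_verified "$BASE_URL/bash-$ver.tar.gz" || return 1
    count=$(fetch_patches "$ver" "$max") || return 1
    tar xzf "bash-$ver.tar.gz" || return 1
    cd "bash-$ver" || return 1
    n=1
    while [ "$n" -le "$count" ]; do
        patch -p0 < "../$(patch_file_name "$ver" "$n")" || return 1
        n=$((n + 1))
    done
    ./configure && make || return 1
    echo "bash $ver with $count patches built in $work/bash-$ver (run 'sudo make install' there)"
}

# Usage: sh build-bash.sh --build 4.2    (or 4.3); nothing runs without --build
if [ "${1:-}" = "--build" ] && [ -n "${2:-}" ]; then
    build_patched_bash "$2" "${3:-99}"
fi
```

The stop-at-first-404 loop mirrors what the shellshocker.net script does, but a missing or bad signature is fatal instead of being skipped, so a mirror or man-in-the-middle that swaps one patch cannot produce a "successfully" built bash; the build directory is also a fresh mktemp directory rather than ~/bash, so a stale earlier download is never picked up.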
The answer from lumpygator helped me, but I think it's too complicated. If you want to install only one package from a newer Ubuntu release, there is no need to edit sources.list; you can just directly download the package and install it. So in the case of the bash shellshock bug, go to http://packages.ubuntu.com/trusty/amd64/bash/download, click on the "* security.ubuntu.com/ubuntu" link, and this will download the file bash_4.3-7ubuntu1.5_amd64.deb. Alternatively you can run the command:

wget http://security.ubuntu.com/ubuntu/pool/main/b/bash/bash_4.3-7ubuntu1.5_amd64.deb

After you got the new package you can install it directly with:

dpkg -i bash_4.3-7ubuntu1.5_amd64.deb

This worked for me on Saucy (13.10).

(Replace amd64 with i386 if you have a 32-bit system.)

Paul Tobias
There is another approach you could consider.

On your out-of-date Quantal server, are you actually using bash?

If you do not need bash, and if you have not already replaced the /bin/sh link to /bin/bash with a link to /bin/dash, install dash and use that as a Bourne shell replacement.

This illustrates why, for portability, it is a good idea not to use "bashisms" in shell scripts, so that the simpler, lower-overhead, and more secure dash shell can be used.

J G Miller