
I read the article A Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271) this morning when I came into work. I have updated Bash on most of the systems that I am responsible for; however, I was asked to upgrade Bash on a couple of FreeBSD servers.

How do I check which version of Bash is running on FreeBSD and how do I patch it to get rid of this exploit?

Peter Mortensen
Django Fett
  • You can check using `echo $BASH_VERSION`. I can't supply a patch, but one temporary fix would be to install Korn shell (ksh) and make sh a symbolic link to ksh. Korn shell does not have this bug because it does not support exported functions. – cdarke Sep 25 '14 at 15:56
  • Questions about installing software are not questions about programming. – Charles Duffy Sep 25 '14 at 20:00
  • Maybe it could be migrated — with answers? — to the Unix/Linux or to the Server SE site? – Michaël Le Barbier Sep 25 '14 at 20:21
  • 1
    @MichaelGrünewald it was a user [on that site](http://unix.stackexchange.com/users/22565/st%C3%A9phane-chazelas) that [discovered the vulnerability](http://seclists.org/oss-sec/2014/q3/649) don't you think we already have like metrics crap tons of duplicates? – Braiam Sep 26 '14 at 03:07
  • @Braiam I was not aware of this, migrating is probably useless then. – Michaël Le Barbier Sep 26 '14 at 05:29
  • I have no problem doing what is necessary to keep the question in line with the post, however, I am unsure of what I should do with this post. – Django Fett Sep 26 '14 at 11:48
  • I would like to qualify my comment about Korn shell yesterday. It turns out that Sun's XPG4-compliant Korn shell has the vulnerability as well. Unlike regular ksh, the XPG4 version supports function exporting, as bash does. – cdarke Sep 27 '14 at 08:01

2 Answers


You can verify the installed version of bash with

pkg info bash

The patched version of bash is already in the ports tree, you can therefore upgrade it like any application.

Once bash has been rebuilt by the package build farm, you can upgrade bash as you would upgrade any package, with

pkg upgrade bash

If you are not familiar with pkg you should read the appropriate chapter in the Handbook.

Important note. At the time of writing it seems that the package is not yet available, so here is the manual procedure to build your own package from sources:

1. Be sure to upgrade your ports tree before trying to upgrade.

2. Move your shell to the ports directory and build

cd /usr/ports/shells/bash
make BATCH=yes build

3. Replace the old bash with

make BATCH=yes deinstall
make BATCH=yes reinstall
Michaël Le Barbier

From this Ask Ubuntu answer, a command to check this is:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If you get vulnerable, it's still vulnerable.

This should work with Bash on any system to test the vulnerability, AFAIK. I've tested on SUSE and Red Hat Linux, but they're not BSDs. To check the version, it should be similar to other systems:

$ echo $BASH_VERSION
4.3.11(1)-release
$ bash --version
GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

See the FreeBSD forums for more information on downloading/installing the patch. From that link:

Everything before 4.3.25 is vulnerable, 4.3.25 should contain the fix.

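As an added example that is not part of either answer, the check quoted above wrapped in a POSIX sh script so it can be run unattended on FreeBSD (or any host): it prints the version of the bash under test and a status word instead of leaving the output to be read by eye. The BASH_BIN variable and the marker word are my own choices, not from the original posts.

```shell
#!/bin/sh
# Added example: report whether the installed bash still honours the
# CVE-2014-6271 function-import trick. Runs under FreeBSD /bin/sh.

# Bash binary to test (assumed default: first bash on PATH; FreeBSD's port
# installs /usr/local/bin/bash). Override with BASH_BIN=/path/to/bash.
: "${BASH_BIN:=$(command -v bash 2>/dev/null)}"

# Print the version string of the bash under test; fails if it is missing.
bash_version() {
    [ -n "$BASH_BIN" ] && [ -x "$BASH_BIN" ] || return 1
    "$BASH_BIN" -c 'printf %s "$BASH_VERSION"'
}

# Print exactly one of: missing | vulnerable | patched
shellshock_status() {
    if [ -z "$BASH_BIN" ] || [ ! -x "$BASH_BIN" ]; then
        echo missing
        return 0
    fi
    # Same test as the answer, but with a distinct marker word and only
    # stdout inspected: a fixed bash writes a warning about the ignored
    # function definition to stderr and never runs the trailing command.
    out=$(env x='() { :;}; echo CVE_2014_6271_TRIGGERED' \
        "$BASH_BIN" -c 'echo hello' 2>/dev/null)
    case "$out" in
        *CVE_2014_6271_TRIGGERED*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# Stand-alone use: print version and status, exit non-zero unless patched,
# so the script can be fed to a fleet-wide loop or a monitoring check.
main() {
    printf 'bash: %s\nversion: %s\n' "${BASH_BIN:-none}" "$(bash_version)"
    status=$(shellshock_status)
    printf 'CVE-2014-6271: %s\n' "$status"
    [ "$status" = patched ]
}

main "$@"
```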
zerodiff