1

I am running a non-standard version of Ubuntu and I tried to patch the shell shock bug by downloading and recompiling from the source, following the instructions from https://news.ycombinator.com/item?id=8364385 . After make install, running bash --version shows 4.3.24(2). But when running the bug test:

env var='() { :;}; echo vulnerable' bash -c /bin/true

is still printing vulnerable . Am I doing something wrong?

JRR
  • 6,014
  • 6
  • 39
  • 59
  • Without knowing *exactly* what you did, how can we tell? We don't know exactly which source tree you downloaded, we don't know which `configure` arguments you passed. How are we supposed to tell what's wrong without any information? – Charles Duffy Sep 25 '14 at 19:28
  • That said -- chances are good that your default packaging installed into `/bin` or `/usr/bin` and your manual build installed somewhere else -- `/usr/local/bin`, perhaps; distro packages almost universally override autoconf's default out-of-the-box install locations. Look at the source to your distro's packages and see how they do their build... or do this the Right Way and build your own package instead of making a mess of your system by doing manual installs on top. – Charles Duffy Sep 25 '14 at 19:29

2 Answers2

1

4.3.24 is from August 2014; you need 4.3.25.

chepner
  • 497,756
  • 71
  • 530
  • 681
0

It's most likely that you didn't install the new bash in the right place. Or that you didn't manage to install it at all.

make install will only work if you're running as root. Normally, you would need to do

sudo make install

If you don't, you'll see an error message:

$ make install

          ***********************************************************
          *                                                         *
          * GNU bash, version 4.3.25(1)-release (x86_64-unknown-linux-gnu)
          *                                                         *
          ***********************************************************

mkdir -p -- /usr/local/share/doc/bash
mkdir: cannot create directory ‘/usr/local/share/doc/bash’: Permission denied
make: *** [installdirs] Error 1

which means that the software wasn't installed. (You only need to redo the install step.)

Also, by default, the bash build files will install your new bash as /usr/local/bin/bash, while your old bash will continue to exist in /usr/bin/bash. Check which bash is being run by typing:

which bash
rici
  • 234,347
  • 28
  • 237
  • 341