/build-bash-lenny.sh Secret
-
-
Save href/54859127c183f67f947f to your computer and use it in GitHub Desktop.
| # inspired by http://askubuntu.com/a/528171 | |
| # prerequisites | |
| sudo apt-get install bison | |
| # get the gpg keyring for verification | |
| wget -nv https://ftp.gnu.org/gnu/gnu-keyring.gpg | |
| # verify and build bash 3.2 | |
| wget https://ftp.gnu.org/gnu/bash/bash-3.2.tar.gz | |
| wget https://ftp.gnu.org/gnu/bash/bash-3.2.tar.gz.sig | |
| if ! gpg --verify --keyring ./gnu-keyring.gpg bash-3.2.tar.gz.sig; then | |
| echo "bash-3.2.tar.gz has a bad signature!" | |
| exit 1 | |
| fi | |
| tar zxvf bash-3.2.tar.gz | |
| cd bash-3.2 | |
| # 053 is not out on ftp.gnu.org yet, so we get the attachment from Chet's | |
| # mail on oss security: http://seclists.org/oss-sec/2014/q3/734 | |
| wget -nv http://seclists.org/oss-sec/2014/q3/att-734/bash32-053.bin | |
| # the hash is my own, feel free to not trust it | |
| expected='470282a1667d6018ab9aeb73a133e103fafb92d7cd2705cd3cc3991b9900c8c1' | |
| if ! sha256sum bash32-053.bin | grep -q $expected; then | |
| echo "patch bash32-053 has an incorrect hash sum" | |
| exit 1 | |
| fi | |
| # download and apply all patches, including the latest one that patches CVE-2014-6271 | |
| for i in $(seq -f "%03g" 1 52); do | |
| wget -nv https://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-$i | |
| wget -nv https://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-$i.sig | |
| if gpg --verify --keyring ../gnu-keyring.gpg bash32-$i.sig; then | |
| patch -p0 < bash32-$i | |
| else | |
| echo "patch bash32-${i} has a bad signature!" | |
| exit 1 | |
| fi | |
| done | |
| # apply patch for CVE-2014-7169 | |
| patch -p0 < bash32-053.bin | |
| # compile and install to /usr/local/bin/bash | |
| ./configure && make | |
| sudo make install | |
| # point /bin/bash to the new binary | |
| sudo mv /bin/bash /bin/bash.old | |
| sudo ln -s /usr/local/bin/bash /bin/bash | |
| # test CVE-2014-6271 | |
| env x='() { :;}; echo vulnerable' bash -c echo | |
| # and CVE-2014-7169 | |
| env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :(" |
Fixed, thanks!
👍
Great, very thankful for that patch...
Will the same script work when patch for CVE-2014-7169 will be released? (I guess so, it'll remain bash-3.2 and the needed patches?)
Thank you.
This patch will work for CVE-2014-7169 only if the '52' on line 16 is incremented to 53 (or whatever the highest number in this list will be: http://ftp.gnu.org/gnu/bash/bash-3.2-patches/)
Updated the script to include CVE-2014-7169. The patch for it is not yet on gnu.org, so it's taken from the attachment in Chet's mail: http://seclists.org/oss-sec/2014/q3/734
Anybody know when the 53 patch for bash will be in ftp.gnu.org ?
Hey guys, I also included the patch for the new discovered oob-bug, see http://seclists.org/oss-sec/2014/q3/712 and combined both "temporary" patches. Feel free to use it: https://gist.github.com/ChrisRuss/f2eb63686540ed9b00f6
Line 18 and 19 should be with
https: