build-bash-lenny.sh
```bash
#!/bin/bash
# inspired by http://askubuntu.com/a/528171
# abort on any failed download, verification or build step
set -e
# prerequisites
sudo apt-get install bison
# get the gpg keyring for verification
wget -nv https://ftp.gnu.org/gnu/gnu-keyring.gpg
# verify and build bash 3.2
wget https://ftp.gnu.org/gnu/bash/bash-3.2.tar.gz
wget https://ftp.gnu.org/gnu/bash/bash-3.2.tar.gz.sig
if ! gpg --verify --keyring ./gnu-keyring.gpg bash-3.2.tar.gz.sig; then
    echo "bash-3.2.tar.gz has a bad signature!"
    exit 1
fi
tar zxvf bash-3.2.tar.gz
cd bash-3.2
# 053 is not out on ftp.gnu.org yet, so we get the attachment from Chet's
# mail on oss security: http://seclists.org/oss-sec/2014/q3/734
wget -nv http://seclists.org/oss-sec/2014/q3/att-734/bash32-053.bin
# the hash is my own, feel free to not trust it
expected='470282a1667d6018ab9aeb73a133e103fafb92d7cd2705cd3cc3991b9900c8c1'
if ! sha256sum bash32-053.bin | grep -q "$expected"; then
    echo "patch bash32-053 has an incorrect hash sum"
    exit 1
fi
# download and apply all patches, including the latest one that patches CVE-2014-6271
for i in $(seq -f "%03g" 1 52); do
    wget -nv https://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-$i
    wget -nv https://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-$i.sig
    # the keyring was downloaded one directory up, before cd bash-3.2
    if gpg --verify --keyring ../gnu-keyring.gpg bash32-$i.sig; then
        patch -p0 < bash32-$i
    else
        echo "patch bash32-${i} has a bad signature!"
        exit 1
    fi
done
# apply patch for CVE-2014-7169
patch -p0 < bash32-053.bin
# compile and install to /usr/local/bin/bash (separate lines so set -e stops on a configure failure)
./configure
make
sudo make install
# point /bin/bash to the new binary
sudo mv /bin/bash /bin/bash.old
sudo ln -s /usr/local/bin/bash /bin/bash
# test CVE-2014-6271
env x='() { :;}; echo vulnerable' bash -c echo
# and CVE-2014-7169: a vulnerable bash writes "vuln" into a file named "echo",
# so remove any stale copy first to avoid a false positive from an earlier run
rm -f echo
env X='() { (a)=>\' bash -c "echo echo vuln"
if [[ -f echo && "$(cat echo)" == "vuln" ]]; then
    echo "still vulnerable :("
fi
```
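After swapping the symlink, the next thing to confirm is what patch level the new bash actually reports. The check below is an added example, not part of the gist or its comments; it assumes the usual `GNU bash, version x.y.z(n)-release` banner from `bash --version` and uses 3.2.53, the level that includes the bash32-053 patch applied above. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the gist): confirm a bash binary reports at least
# a given patch level, e.g. 3.2.53 after applying bash32-053 as done above.
# Assumes the standard "GNU bash, version x.y.z(n)-release ..." banner.

# Print the x.y.z part of a version banner; print nothing if it does not match.
bash_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^GNU bash, version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit 0 if version $1 >= version $2, comparing each numeric component.
version_at_least() {
    _oldifs=$IFS
    IFS=.
    set -- $1 $2        # word-split both "x.y.z" strings on '.'
    IFS=$_oldifs
    h1=$1; h2=$2; h3=$3; w1=$4; w2=$5; w3=$6
    if [ "$h1" -ne "$w1" ]; then
        [ "$h1" -gt "$w1" ] && return 0
        return 1
    fi
    if [ "$h2" -ne "$w2" ]; then
        [ "$h2" -gt "$w2" ] && return 0
        return 1
    fi
    [ "$h3" -ge "$w3" ] && return 0
    return 1
}

# Check the bash at path $1 against patch level $2 (e.g. 3.2.53).
# Prints the detected version; exit 0 = at or above, 1 = older, 2 = unreadable.
check_bash_patchlevel() {
    _banner=$("$1" --version 2>/dev/null | head -n 1)
    _ver=$(bash_version_from_banner "$_banner")
    [ -n "$_ver" ] || return 2
    printf '%s\n' "$_ver"
    version_at_least "$_ver" "$2"
}

# usage after the install above: check_bash_patchlevel /bin/bash 3.2.53
```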
Great, very thankful for that patch...
Will the same script work when the patch for CVE-2014-7169 is released? (I guess so, it'll remain bash-3.2 and the needed patches?)
Thank you.
This patch will work for CVE-2014-7169 only if the '52' on line 16 is incremented to 53 (or whatever the highest number in this list will be: http://ftp.gnu.org/gnu/bash/bash-3.2-patches/)
Updated the script to include CVE-2014-7169. The patch for it is not yet on gnu.org, so it's taken from the attachment in Chet's mail: http://seclists.org/oss-sec/2014/q3/734
Anybody know when the 53 patch for bash will be on ftp.gnu.org?
Hey guys, I also included the patch for the newly discovered oob bug, see http://seclists.org/oss-sec/2014/q3/712, and combined both "temporary" patches. Feel free to use it: https://gist.github.com/ChrisRuss/f2eb63686540ed9b00f6