build-bash-lenny.sh (secret gist)
Last active April 24, 2020 12:26
Compile bash 3.2 from source for Debian Lenny to patch both CVE-2014-6271 and CVE-2014-7169
# inspired by http://askubuntu.com/a/528171
# prerequisites
sudo apt-get install bison
# get the gpg keyring for verification
wget -nv https://ftp.gnu.org/gnu/gnu-keyring.gpg
# verify and build bash 3.2
wget https://ftp.gnu.org/gnu/bash/bash-3.2.tar.gz
wget https://ftp.gnu.org/gnu/bash/bash-3.2.tar.gz.sig
if ! gpg --verify --keyring ./gnu-keyring.gpg bash-3.2.tar.gz.sig; then
    echo "bash-3.2.tar.gz has a bad signature!"
    exit 1
fi
tar zxvf bash-3.2.tar.gz
cd bash-3.2 || exit 1
# 053 is not out on ftp.gnu.org yet, so we get the attachment from Chet's
# mail on oss security: http://seclists.org/oss-sec/2014/q3/734
wget -nv http://seclists.org/oss-sec/2014/q3/att-734/bash32-053.bin
# the hash is my own, feel free to not trust it
expected='470282a1667d6018ab9aeb73a133e103fafb92d7cd2705cd3cc3991b9900c8c1'
if ! sha256sum bash32-053.bin | grep -q "$expected"; then
    echo "patch bash32-053 has an incorrect hash sum"
    exit 1
fi
# download and apply all patches, including the latest one that patches CVE-2014-6271
# (the keyring now lives one directory up, since we are inside bash-3.2)
for i in $(seq -f "%03g" 1 52); do
    wget -nv https://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-$i
    wget -nv https://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-$i.sig
    if gpg --verify --keyring ../gnu-keyring.gpg bash32-$i.sig; then
        patch -p0 < bash32-$i
    else
        echo "patch bash32-${i} has a bad signature!"
        exit 1
    fi
done
# apply patch for CVE-2014-7169
patch -p0 < bash32-053.bin
# compile and install to /usr/local/bin/bash (stop here if the build fails,
# so that a broken tree is never installed over the system bash)
./configure && make || exit 1
sudo make install
# point /bin/bash to the new binary
sudo mv /bin/bash /bin/bash.old
sudo ln -s /usr/local/bin/bash /bin/bash
# test CVE-2014-6271 (prints "vulnerable" on an unpatched bash)
env x='() { :;}; echo vulnerable' bash -c echo
# and CVE-2014-7169 (an unpatched bash creates a file named "echo" in the current directory)
env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("
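Added example, not part of the original gist: the two probes from the end of the script wrapped in a reusable POSIX sh function, so the same check can be pointed at any bash binary (e.g. /bin/bash.old versus the new /usr/local/bin/bash) and read from its exit status. It runs in a scratch directory because the CVE-2014-7169 probe writes a file named `echo` into the working directory. The function name `shellshock_status` is my own.

```shell
#!/bin/sh
# Added example (not from the gist): report whether a bash binary still
# fails the CVE-2014-6271 or CVE-2014-7169 probes used in the script above.
# Exit status: 0 = both probes pass, 1 = at least one fires, 2 = binary unusable.

shellshock_status() {
    bin=${1:-/bin/bash}
    # make the path absolute, since the probes run from a scratch directory
    case $bin in /*) ;; *) bin=$PWD/$bin ;; esac
    [ -x "$bin" ] || return 2
    tmp=$(mktemp -d) || return 2
    vuln=0

    # CVE-2014-6271: commands trailing a function definition in an environment
    # variable must not run when bash imports that variable.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c echo 2>/dev/null) || true
    case $out in
        *vulnerable*) echo "$bin: CVE-2014-6271 probe fired"; vuln=1 ;;
    esac

    # CVE-2014-7169: the incomplete parse must not turn "echo echo vuln" into
    # a redirection that creates a file named "echo" containing "vuln".
    (cd "$tmp" && env X='() { (a)=>\' "$bin" -c "echo echo vuln" >/dev/null 2>&1) || true
    if [ -f "$tmp/echo" ] && [ "$(cat "$tmp/echo")" = "vuln" ]; then
        echo "$bin: CVE-2014-7169 probe fired"; vuln=1
    fi

    rm -rf "$tmp"
    if [ "$vuln" -eq 0 ]; then
        echo "$bin: both probes pass"
    fi
    return "$vuln"
}
```

Run `shellshock_status /bin/bash.old` and `shellshock_status /usr/local/bin/bash` after the script to confirm that only the old binary fails.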
Anybody know when the 53 patch for bash will be in ftp.gnu.org?
Hey guys, I also included the patch for the newly discovered oob bug, see http://seclists.org/oss-sec/2014/q3/712, and combined both "temporary" patches. Feel free to use it: https://gist.github.com/ChrisRuss/f2eb63686540ed9b00f6
Updated the script to include CVE-2014-7169. The patch for it is not yet on gnu.org, so it's taken from the attachment in Chet's mail: http://seclists.org/oss-sec/2014/q3/734