Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
CVE-2014-6271 fix for ubuntu bash
---
- hosts: all
user: root
sudo: true
tasks:
- name: update apt
command: apt-get update
- name: update bash
command: apt-get --only-upgrade install bash
- name: check bash fix
command: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
register: command_result
failed_when: "'error' not in command_result.stderr"
@jimi-c

This comment has been minimized.

Copy link

commented Sep 24, 2014

And here's a slightly modified version that will work with apt or yum.

  tasks:
    - name: update bash with apt
      apt: name=bash state=latest update_cache=yes
      when: ansible_os_family == 'Debian'

    - name: update bash with yum
      yum: name=bash state=latest
      when: ansible_os_family == 'RedHat'

    - name: check bash fix
      command: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
      register: command_result
      failed_when: "'error' not in command_result.stderr"
@rothgar

This comment has been minimized.

Copy link

commented Sep 24, 2014

You also should do

- name: relink libraries
  command: /sbin/ldconfig

Or you could reboot

@aarongolub

This comment has been minimized.

Copy link

commented Sep 24, 2014

I'm on ubuntu 12.04. I tried running "sudo apt-get --only-upgrade install bash" and this was the result:
Building dependency tree
Reading state information... Done
bash is already the newest version.

But then I ran this: " env x='() { :;}; echo vulnerable' bash -c "echo this is a test" " and the result was:
vulnerable
this is a test

What am I missing?

@kacy

This comment has been minimized.

Copy link
Owner Author

commented Sep 24, 2014

@aarongolub -- did you also do apt-get update?

It looks like 12.04 was updated 2 hours ago

@aarongolub

This comment has been minimized.

Copy link

commented Sep 24, 2014

I did, but it's still pulling 4.2-2 - maybe the repo I'm hitting hasn't been updated yet?:
After this operation, 0 B of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main bash amd64 4.2-2ubuntu2.2 [641 kB]
Fetched 641 kB in 0s (790 kB/s)
(Reading database ... 87088 files and directories currently installed.)
Preparing to replace bash 4.2-2ubuntu2.1 (using .../bash_4.2-2ubuntu2.2_amd64.deb) ...
Unpacking replacement bash ...
Processing triggers for man-db ...
Setting up bash (4.2-2ubuntu2.2) ...
update-alternatives: using /usr/share/man/man7/bash-builtins.7.gz to provide /usr/share/man/man7/builtins.7.gz (builtins.7.gz) in auto mode.

@whereismyjetpack

This comment has been minimized.

Copy link

commented Sep 25, 2014

Does state=latest clear yum cache? (Docs aren't clear) If not may want to run 'yum clean all' prior to running

@apotek

This comment has been minimized.

Copy link

commented Sep 29, 2014

There's nothing in this playbook that first ensures the security sources are installed in ubuntu 12. Perhaps the lack of those sources is the issue for @aarongolub.

On Debian Squeeze (approximate to Ubuntu 12), I had to do this first. I don't know what the equivalent ubuntu security sources would be, but that would be the first place I would check @aarongolub.

sudo apt-get install debian-keyring debian-archive-keyring
sudo cat>>/etc/apt/sources.list.d/security.sources.list<<'EOF'
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free
EOF
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install debian-security-support
sudo check-support-status
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
foo='() { echo not patched; }' bash -c foo
@jmserra

This comment has been minimized.

Copy link

commented Nov 7, 2014

As for the last task, you could use the shellshocker site script to easily check if all vulnerabilities were resolved by doing:

- name: check vulnerability status fix
  shell: curl https://shellshocker.net/shellshock_test.sh | bash
  register: command_result

- debug: var=command_result.stdout_lines      
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.