Last active
November 24, 2020 12:29
-
-
Save stevejenkins/3ddd3a0ac240b1dd66ea to your computer and use it in GitHub Desktop.
A shell script that fully automates the "manual" patching of GNU Bash, using source and all known official patches. Contributed by Mike Marino, based on Steve Jenkins' manual Bash patching procedure at http://stevejenkins.com/blog/2014/09/how-to-manually-update-bash-to-patch-shellshock-bug-on-older-fedora-based-systems/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#/bin/bash | |
# bash-autopatch.sh | |
# A shell script that fully automates the "manual" patching of GNU Bash, using source and all known official patches. | |
# Contributed by Mike Marino, based on Steve Jenkins' manual Bash patching and compiling procedure at: | |
# http://stevejenkins.com/blog/2014/09/how-to-manually-update-bash-to-patch-shellshock-bug-on-older-fedora-based-systems/ | |
# This script is a "continuation" of Steve Cook's bash-multipath.sh at: https://gist.github.com/stevejenkins/3d64d3543060c1bcac92 | |
# Version 1.0 - October 10, 2014 | |
# Variables | |
dirBashfix="/usr/local/src/bashfix" | |
# Lets make sure we have sudo | |
sudo -v | |
# Auto-detect bash version | |
echo -n "Detecting Bash Version: " | |
fullversion=`bash --version | head -n1 | sed 's/^.* \([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]*\).*$/\1/g'` | |
version=`echo ${fullversion} | awk -F. '{print $1"."$2}' | sed 's/^\([0-9]\{1\}\.[0-9]\{1\}\).*$/\1/g'` | |
curpatch=`echo ${fullversion} | awk -F. '{print $3}'` | |
no_dot_version=`echo ${version} | sed 's/\.//g'` | |
echo ${fullversion} | |
# Auto-detect last patch number | |
echo -n "Grabbing Latest Patch for bash-${version}: " | |
lastpatch=`curl --silent --insecure https://ftp.gnu.org/pub/gnu/bash/bash-${version}-patches/ | grep bash${no_dot_version}-[0-9]*.sig | tail -n1 | sed "s/^.*\"bash${no_dot_version}-\([0-9]*\).sig\".*/\1/g"` | |
echo ${lastpatch} | |
# If the patch versions are the same do not update | |
if [[ `echo ${lastpatch} | sed 's/^[0]*//g'` -eq ${curpatch} ]]; then | |
echo -e "No Bash Update:\n\tCurrent Version: ${fullversion}\n\tLatest Patch: ${lastpatch}" | |
exit 1 | |
fi | |
# Setup: backup bash | |
echo -en "Setup: Backing up bash\r" | |
sudo cp /bin/bash /bin/bash.old | |
# Setup: create directories | |
echo -en "Setup: Creating directories\r" | |
sudo mkdir -p ${dirBashfix} | |
cd ${dirBashfix} | |
# Setup: install required packages | |
echo -en "Setup: YUM Installing packages...\r" | |
sudo yum -q -y install patch byacc textinfo bison autoconf gettext ncurses-devel gcc test make | |
# Setup: download bash version, extract, then hop in | |
echo "Setup: Downloading bash-${version} source and extracting" | |
sudo wget --no-check-certificate https://ftp.gnu.org/pub/gnu/bash/bash-${version}.tar.gz && | |
sudo tar zxvf bash-${version}.tar.gz | |
cd bash-${version} | |
# Now cycle through and build it | |
echo "Processing: Patching patch source" | |
for i in `seq 1 $lastpatch`; do | |
number=$(printf %03d $i) | |
file="https://ftp.gnu.org/pub/gnu/bash/bash-${version}-patches/bash${no_dot_version}-${number}" | |
echo ${file} | |
curl ${file} --insecure | sudo patch -N -p0 | |
done | |
# Lets build it | |
echo "Processing: Building bash from patched source then testing" | |
sudo ./configure && | |
sudo make && | |
sudo make test && | |
# Copy to /bin/bash and display info | |
echo "Copying: Bash to /bin/bash" | |
sudo cp -f bash /bin/bash | |
ls -lh /bin/bash | |
echo "Complete!" | |
exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We can also reduce the size of the bash binary. Did it forking your gist:
https://gist.github.com/kipit/ff76aec790bf3e6b01a2