Skip to content

Instantly share code, notes, and snippets.

@stevejenkins
Last active November 24, 2020 12:29
Show Gist options
  • Save stevejenkins/3ddd3a0ac240b1dd66ea to your computer and use it in GitHub Desktop.
Save stevejenkins/3ddd3a0ac240b1dd66ea to your computer and use it in GitHub Desktop.
A shell script that fully automates the "manual" patching of GNU Bash, using source and all known official patches. Contributed by Mike Marino, based on Steve Jenkins' manual Bash patching procedure at http://stevejenkins.com/blog/2014/09/how-to-manually-update-bash-to-patch-shellshock-bug-on-older-fedora-based-systems/
#/bin/bash
# bash-autopatch.sh
# A shell script that fully automates the "manual" patching of GNU Bash, using source and all known official patches.
# Contributed by Mike Marino, based on Steve Jenkins' manual Bash patching and compiling procedure at:
# http://stevejenkins.com/blog/2014/09/how-to-manually-update-bash-to-patch-shellshock-bug-on-older-fedora-based-systems/
# This script is a "continuation" of Steve Cook's bash-multipath.sh at: https://gist.github.com/stevejenkins/3d64d3543060c1bcac92
# Version 1.0 - October 10, 2014
# Variables
dirBashfix="/usr/local/src/bashfix"
# Lets make sure we have sudo
sudo -v
# Auto-detect bash version
echo -n "Detecting Bash Version: "
fullversion=`bash --version | head -n1 | sed 's/^.* \([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]*\).*$/\1/g'`
version=`echo ${fullversion} | awk -F. '{print $1"."$2}' | sed 's/^\([0-9]\{1\}\.[0-9]\{1\}\).*$/\1/g'`
curpatch=`echo ${fullversion} | awk -F. '{print $3}'`
no_dot_version=`echo ${version} | sed 's/\.//g'`
echo ${fullversion}
# Auto-detect last patch number
echo -n "Grabbing Latest Patch for bash-${version}: "
lastpatch=`curl --silent --insecure https://ftp.gnu.org/pub/gnu/bash/bash-${version}-patches/ | grep bash${no_dot_version}-[0-9]*.sig | tail -n1 | sed "s/^.*\"bash${no_dot_version}-\([0-9]*\).sig\".*/\1/g"`
echo ${lastpatch}
# If the patch versions are the same do not update
if [[ `echo ${lastpatch} | sed 's/^[0]*//g'` -eq ${curpatch} ]]; then
echo -e "No Bash Update:\n\tCurrent Version: ${fullversion}\n\tLatest Patch: ${lastpatch}"
exit 1
fi
# Setup: backup bash
echo -en "Setup: Backing up bash\r"
sudo cp /bin/bash /bin/bash.old
# Setup: create directories
echo -en "Setup: Creating directories\r"
sudo mkdir -p ${dirBashfix}
cd ${dirBashfix}
# Setup: install required packages
echo -en "Setup: YUM Installing packages...\r"
sudo yum -q -y install patch byacc textinfo bison autoconf gettext ncurses-devel gcc test make
# Setup: download bash version, extract, then hop in
echo "Setup: Downloading bash-${version} source and extracting"
sudo wget --no-check-certificate https://ftp.gnu.org/pub/gnu/bash/bash-${version}.tar.gz &&
sudo tar zxvf bash-${version}.tar.gz
cd bash-${version}
# Now cycle through and build it
echo "Processing: Patching patch source"
for i in `seq 1 $lastpatch`; do
number=$(printf %03d $i)
file="https://ftp.gnu.org/pub/gnu/bash/bash-${version}-patches/bash${no_dot_version}-${number}"
echo ${file}
curl ${file} --insecure | sudo patch -N -p0
done
# Lets build it
echo "Processing: Building bash from patched source then testing"
sudo ./configure &&
sudo make &&
sudo make test &&
# Copy to /bin/bash and display info
echo "Copying: Bash to /bin/bash"
sudo cp -f bash /bin/bash
ls -lh /bin/bash
echo "Complete!"
exit 0
@kipit
Copy link

kipit commented Nov 3, 2014

We can also reduce the size of the bash binary. Did it forking your gist:
https://gist.github.com/kipit/ff76aec790bf3e6b01a2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment