What is a recommended way to patch the Shellshock Bash bug on an unsupported Ubuntu server?

12,432

Solution 1

This write-up was helpful and worked for the few instances of Ubuntu 12.10 (Quantal) I still have to support.

Fix Bash Exploit On New and Old Releases of Ubuntu

In summary, the steps are:

  1. Get the codename of your current release (e.g. quantal) and store it in a variable:

    lsb_release -a
    DISTRIB_CODENAME=quantal
    
  2. Change source to trusty in /etc/apt/sources.list. For example,

    sudo sed -i "s/$DISTRIB_CODENAME/trusty/g" /etc/apt/sources.list
    
  3. Update and upgrade bash

    sudo apt-get update
    
    sudo apt-get install --only-upgrade bash
    
  4. Verify latest version fails the following test (i.e. you should not see "busted")

    env X="() { :;} ; echo busted" `which bash` -c "echo completed"
    
  5. Revert /etc/apt/sources.list to use current codename. For example,

    sudo sed -i "s/trusty/$DISTRIB_CODENAME/g" /etc/apt/sources.list
    

Solution 2

https://shellshocker.net/#fix has some good tools for manually updating bash.

curl https://shellshocker.net/fixbash | sh

You can also test if your system is vulnerable:

curl https://shellshocker.net/shellshock_test.sh | bash

Run it at your own risk. Here's the script it runs if the above link expires or you don't want to trust it:

cd ~/
mkdir bash-shellshocker
cd bash-shellshocker
echo "Downloading Bash..."
wget https://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
echo "Downloading Bash patches..."
# Fetch bash43-001, bash43-002, ... until wget fails on the first missing one.
i=0
rtn=0
while [ $rtn -eq 0 ]; do
  i=`expr $i + 1`
  wget https://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$(printf '%03g' $i)
  rtn=$?
done
# The last attempt failed, so the highest existing patch is i-1.
i=`expr $i - 1`
echo "Extracting bash from tar.gz..."
tar zxvf bash-4.3.tar.gz
cd bash-4.3
echo "Applying Patches..."
# The GNU patches are relative to the source root, hence -p0.
for j in $(seq -f "%03g" 1 $i);do patch -p0 < ../bash43-$j; done

echo "Ready to install. Configuring..."
# --prefix=/ installs to /bin/bash, the path the system and #!/bin/bash scripts use.
./configure --prefix=/
echo "Running make"
make
# POSIX [ ] rather than [[ ]] so the script also works when piped into sh (dash).
if [ "$USER" = "root" ]
then
  echo "Running make install"
  make install
  cp /bin/bash /usr/local/bin/bash
else
  echo "Running make install  (You may need to type your sudo password here)"
  sudo make install
  sudo cp /bin/bash /usr/local/bin/bash
fi

https://github.com/wreiske/shellshocker/blob/master/fixbash is where the script can be found

good luck

Solution 3

As you should only install this kind of security update from a recognized provider, the solution of compiling from sources is the only one you have.

Solution 4

The answer from lumpygator helped me, but I think it's too complicated. If you want to install only one package from a newer Ubuntu release there is no need to edit sources.list; you can just directly download the package and install it. So in the case of the bash Shellshock bug, go to http://packages.ubuntu.com/trusty/amd64/bash/download, click on the "* security.ubuntu.com/ubuntu" link, and this will download the file bash_4.3-7ubuntu1.5_amd64.deb. Alternatively you can run the command:

wget http://security.ubuntu.com/ubuntu/pool/main/b/bash/bash_4.3-7ubuntu1.5_amd64.deb

After you have got the new package you can install it directly with:

dpkg -i bash_4.3-7ubuntu1.5_amd64.deb

This worked for me on Saucy (13.10).

(Replace amd64 with i386 if you have a 32bit system.)

Solution 5

Yes, the script provided by shellshocker.net is working.

But for Ubuntu 11.04 (Natty Narwhal), 11.10 (Oneiric Ocelot), 12.04 LTS (Precise Pangolin), 12.10 (Quantal Quetzal), 13.04 (Raring Ringtail), and 13.10 (Saucy Salamander) at least, the version of the Bash package is 4.2, so the script needs a few changes:

cd ~/
mkdir bash
cd bash
wget https://ftp.gnu.org/gnu/bash/bash-4.2.tar.gz
# Patches are numbered from 001; there is no bash42-000.
for i in $(seq -f "%03g" 1 49); do wget https://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-$i; done
tar zxvf bash-4.2.tar.gz
cd bash-4.2
for i in $(seq -f "%03g" 1 49); do patch -p0 < ../bash42-$i; done
# bison must be installed first (see below) or make fails.
./configure && make
sudo make install

And you have to install Bison for the "make" command to work:

sudo apt-get install bison
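Both source-build answers end with `make install`, and the default `./configure` prefix puts the result in /usr/local/bin while the system and every `#!/bin/bash` script keep using /bin/bash. The following added example (not code from either answer or from shellshocker.net) lists every bash binary found, its version, whether it still runs the injected command, and whether it is the same file as /bin/bash, so a missing symlink or copy step shows up immediately. It assumes a POSIX sh whose `test` supports `-ef` (dash and bash both do) and awk on PATH.

```shell
#!/bin/sh
# Added example (not from the answers): audit every bash copy after a build.

# Candidate binaries: the two fixed locations plus every "bash" on PATH,
# de-duplicated while keeping order.
bash_candidates() {
    {
        printf '%s\n' /bin/bash /usr/local/bin/bash
        ( IFS=:; for d in $PATH; do [ -x "$d/bash" ] && printf '%s\n' "$d/bash"; done )
    } | awk '!seen[$0]++'
}

# Version string as reported by the binary itself (empty if it is not bash).
bash_version() {
    "$1" -c 'printf "%s\n" "$BASH_VERSION"' 2>/dev/null
}

# The answers' probe as a function: a patched bash prints only "completed",
# an unpatched one also executes the command after the function body.
bash_status() {
    [ -x "$1" ] || { echo missing; return; }
    out=$(env X='() { :;}; echo busted' "$1" -c 'echo completed' 2>/dev/null)
    case $out in
        *busted*) echo vulnerable ;;
        *)        echo patched ;;
    esac
}

# One line per binary. "same-as-/bin/bash=yes" means the path resolves to the
# file /bin/bash points at, so scripts with #!/bin/bash really get that build.
audit_bash() {
    for b in $(bash_candidates); do
        [ -x "$b" ] || continue
        same=no
        [ "$b" -ef /bin/bash ] && same=yes
        printf '%-24s %-22s %-10s same-as-/bin/bash=%s\n' \
            "$b" "$(bash_version "$b")" "$(bash_status "$b")" "$same"
    done
}

audit_bash
```

Run it once before and once after `make install`: the "after" listing should show the new version on the line for /bin/bash (or `same-as-/bin/bash=yes` on the /usr/local/bin/bash line once it has been symlinked), and every line reporting `patched`.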

Author: smonff

Updated on September 18, 2022

Comments

  • smonff (over 1 year):

    I maintain an out-of-support Ubuntu 12.10 (Quantal Quetzal) server (don't ask me why, please), and we need to patch the Shellshock Bash security bug. As upgrades are not available anymore, what is the recommended way to patch Bash?

    I found this answer (it recommends retrieving packages from Debian and not installing binary packages, but installing packages from source). That seems OK to me, but what is some other advice?

    • Michael Hampton (over 9 years):
      Change to a supported LTS release.
    • Stefan Lasiewski (over 9 years):
      Keep in mind that 12.10 has plenty of other security vulnerabilities besides Shellshock.
    • smonff (over 8 years):
      @MichaelHampton This server has been destroyed, thanx.
  • ceejayoz (over 9 years):
    The idea of fixing a bash vulnerability by using a website URL piped into bash is kinda scary (even if they do appear to be legit).
  • Craig (over 9 years):
    @ceejayoz - I did check the script by downloading it first before running it. Of course that doesn't guarantee you'll get the same script every time you run it, so run this at your own risk. The best way is to download it and check it first and then run it locally.
  • smonff (over 9 years):
    This website doesn't recommend doing so: you should always use your package manager if possible. There are (unfortunately) some cases where it is not possible; I admit it is terrific. They provide a solution for people with a specific problem; I hope most people know that it's not a good practice.
  • gymbrall (over 9 years):
    FYI - the provided GNU patches at the time of this comment do not resolve all of the shellshock exploits. See this article for how to test your bash installation: access.redhat.com/articles/1200223
  • Madura Anushanga (over 9 years):
    The above proposed download and compile method does not install bash to the correct place: it installs it at /usr/local/bin, while the system uses /bin/bash. So make sure to symlink it when you are done installing. I'd not recommend using ./configure --prefix=/; that will cause other dirs like share to be made under the root.
  • smonff (over 9 years):
    I noticed this difference. Why shouldn't we use 4.3 on these Ubuntu versions? Can it break core system elements or other bad stuff?
  • smonff (over 9 years):
    Very nice answer, I was searching for something like this.
  • CMCDragonkai (over 9 years):
    Awesome, this worked for 13.10, read the link!
  • ethree (over 9 years):
    It also installs in the correct place. Want to contribute? Check it out on GitHub and send in a pull request. github.com/wreiske/shellshocker/blob/master/fixbash
  • Ame Nomade (over 9 years):
    In general, if you administer some online servers, then you shouldn't upgrade just because a new version is here. You should ask yourself: 1°) what's inside this new version? 2°) do I need it? Otherwise, just keep stuff as is. This is my advice. And stick to LTS versions.
  • Arunabh Das (over 9 years):
    Excellent answer!!
  • smonff (over 9 years):
    Note for Bash users: you need to use double quotes to interpolate the variables: sed -i "s/trusty/$DISTRIB_CODENAME/g" /etc/apt/sources.list