Compile Bash 3.2 from source for Debian Lenny to patch the shellshock vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, CVE-2014-7187)

build-bash-lenny.sh

# inspired by http://askubuntu.com/a/528171 and the comments below

# build bash 3.2, though this should work for other versions as well
BASH_MAJOR=3
BASH_MINOR=2

# prerequisites
sudo apt-get install build-essential gettext bison

# get bash source
mkdir src && cd src
wget https://ftp.gnu.org/gnu/bash/bash-$BASH_MAJOR.$BASH_MINOR.tar.gz
tar zxvf bash-$BASH_MAJOR.$BASH_MINOR.tar.gz
cd bash-$BASH_MAJOR.$BASH_MINOR

# download, verify, and apply all available patches, which as of 2014-10-02 
# include patches for CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278
# CVE-2014-7186, and CVE-2014-7187.
wget -nv -r 1 -nH -nd -np https://ftp.gnu.org/gnu/bash/bash-$BASH_MAJOR.$BASH_MINOR-patches/
wget -nv https://ftp.gnu.org/gnu/gnu-keyring.gpg
for i in bash$BASH_MAJOR$BASH_MINOR-???; do 
  if gpg --verify --keyring ./gnu-keyring.gpg $i.sig; then
    if ! patch -p0 < $i; then
      echo "patch $i failed"
      exit 1
    fi
  else
    echo "patch $i has a bad signature"
    exit 2
  fi
done

# compile and install to /usr/local/bin/bash
./configure && make
sudo make install

# point /bin/bash to the new binary
if /usr/local/bin/bash -c 'true'; then
  if [ ! -f /bin/bash.old ]; then
    sudo mv /bin/bash /bin/bash.old
    sudo ln -s /usr/local/bin/bash /bin/bash
  fi
else
  echo "bash not installed correctly!"
  exit 3
fi

# test each of the exploits on the old version of bash
echo "OLD BASH:"
env x='() { :;}; echo VULNERABLE to CVE-2014-6271' /bin/bash.old -c echo
env x='() { (a)=>\' /bin/bash.old -c "echo echo TEST" 2>/dev/null; cat echo 2>/dev/null; rm -f ./echo; echo "If you see 'echo TEST' above you are ok, if you just see 'TEST' you are VULNERABLE to CVE-2014-7169"
/bin/bash.old -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "VULNERABLE to CVE-2014-7186"
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | /bin/bash.old || echo "VULNERABLE to CVE-2014-7187"

# test each of the exploits on the new version of bash
echo "NEW BASH:"
env x='() { :;}; echo Vulnerable to CVE-2014-6271' bash -c echo
env x='() { (a)=>\' bash -c "echo echo TEST" 2>/dev/null; cat echo 2>/dev/null; rm -f ./echo; echo "If you see 'echo TEST' above you are ok, if you just see 'TEST' you are VULNERABLE to CVE-2014-7169"
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "VULNERABLE to CVE-2014-7186"
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "VULNERABLE to CVE-2014-7187"

echo "NOTE: CVE-2014-6277 and CVE-2014-6278 should be mitigated by these patches as well, but there is not yet a test for them."

@Archetrix, yes, I wanted to build in /usr/local/bin since this was a locally-compiled version of bash and not the one from the package.

@piccaso, no problem. i like keeping bash.old around in order to compare results of any new exploits found between the original and patched version.

@section1, previously the last two tests failed because bash 3.2 was not yet patched against them. however, a new patch was released on Oct 1, so you'll need to recompile bash. I can verify that the latest patch fixes the last two vulnerabilities.

Another …. tweak:

build bash 3.2, though this should work for other versions as well

BASH_VER=bash --version | grep 'version' | awk '{print $4};'
BASH_MAJOR=$(echo $BASH_VER | cut -d '.' -f1)
BASH_MINOR=$(echo $BASH_VER | cut -d '.' -f2)

Hi

I signed in here to comment THIS IMPORTANT ISSUE in your script (and forks as TonyFlint's).

The problem is the method to replace the vulnerable bash: a symbolic link to the patched bash. In my Debian 5 Lenny nodes, the /usr/local resides on A SEPARATE file system from the ROOT FILE SYSTEM, therefore /bin and /usr/local/bin reside on differente devices.

This causes an unbootable system because, in that case, the /bin/bash is not available to execute the scripts /etc/init.d/rcS, /etc/init.d/rc.

Therefore, instead of create a symbolic link, copy the patched binary bash into /bin.

Best regards