Shellshock Bash vulnerability fix for Ubuntu & Debian Linux (also MACs)

Submitted by ricardo on Fri, 09/26/2014 - 13:44

You can upgrade to the latest .deb on precise until utopic and get it fixed:

env x='() { :;}; echo vulnerable' bash -c 'echo hello' ;
apt-get update;
apt-get -y install bash;
env x='() { :;}; echo vulnerable' bash -c 'echo hello'

Detailed Proof of the Fix:

bash (4.3-9ubuntu2) utopic; urgency=medium
* SECURITY UPDATE: incorrect function parsing
- debian/patches/CVE-2014-6271.diff: fix function parsing in
builtins/common.h, builtins/evalstring.c, subst.c, variables.c.
- CVE-2014-6271

~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.5 LTS
Release: 12.04
Codename: precise

~# env x='() { :;}; echo vulnerable' bash -c 'echo hello'

~# apt-get install bash
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
After this operation, 12.3 kB of additional disk space will be used.
Get:1 precise-updates/main bash i386 4.2-2ubuntu2.3 [616 kB]
Fetched 616 kB in 0s (964 kB/s)
Setting up bash (4.2-2ubuntu2.3) ...

~# env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

Alternatively here is the patch you can run locally:
mkdir src
cd src
#download all patches
for i in $(seq -f "%03g" 0 25); do wget$i; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
#apply all patches
for i in $(seq -f "%03g" 0 25);do patch -p0 < ../bash43-$i; done
#build and install
./configure --prefix=/ && make && make install
cd ..
cd ..
rm -r src

For Mac users try:…

Powered by Drupal