Shellshock Bash vulnerability fix for Ubuntu & Debian Linux (also Macs)

Submitted by ricardo on Fri, 09/26/2014 - 13:44

On Ubuntu from precise (12.04) through utopic (14.10), and on Debian, upgrading to the latest bash package from the archive fixes it. Run the test once before the upgrade (an unpatched bash prints "vulnerable") and once after (a patched bash only prints "hello"):

Run:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'   # before: prints "vulnerable" on an unpatched bash
apt-get update
apt-get -y install bash
env x='() { :;}; echo vulnerable' bash -c 'echo hello'   # after: warns about the function definition and prints only "hello"
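The same probe as a scriptable check, added here as an example and not part of the original post: it wraps the one-liner above in a POSIX sh function that returns an exit status (0 not vulnerable, 1 vulnerable, 2 interpreter missing or unexpected output) so it can be run from cron, a configuration-management check or an ssh loop over many hosts instead of being read by eye. It assumes only `env`, `command -v` and a POSIX `/bin/sh`; the binary names it loops over are examples. Note that it exercises only the original function-import bug the changelog below refers to (CVE-2014-6271), not the follow-up parser bugs that were found after this post was written.

```shell
#!/bin/sh
# Added example (not from the original post): scriptable Shellshock
# (CVE-2014-6271) check. Exit status of check_shellshock:
#   0 = trailing code did not run (patched bash, or a shell that does not
#       import functions from the environment at all, such as dash)
#   1 = trailing code ran: VULNERABLE
#   2 = interpreter not found, or output we do not recognise

check_shellshock() {
    bash_bin="${1:-bash}"

    # A missing interpreter is a different answer than "patched".
    command -v "$bash_bin" >/dev/null 2>&1 || return 2

    # The exported variable x looks like a function definition followed by
    # extra code. Unpatched bash parses the whole value at startup and runs
    # the trailing "echo vulnerable"; patched bash prints a warning on stderr,
    # refuses the definition, and only the intended "hello" is printed.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo hello' 2>&1)

    case "$out" in
        *vulnerable*) return 1 ;;
    esac
    case "$out" in
        *hello*) return 0 ;;
        *) return 2 ;;
    esac
}

# Check every shell a service might reach (CGI handlers, cron, sudo, ssh
# ForceCommand). /bin/sh is dash on Debian and Ubuntu, but can be bash on
# other systems, so it is worth probing too. (Assumed list of binaries.)
for b in bash /bin/bash /bin/sh; do
    rc=0
    check_shellshock "$b" || rc=$?
    case "$rc" in
        0) echo "$b: not vulnerable (function import refused or not attempted)" ;;
        1) echo "$b: VULNERABLE to CVE-2014-6271" ;;
        *) echo "$b: not found or unexpected output" ;;
    esac
done
```

Save it as e.g. shellshock-check.sh and run it before and after the apt-get upgrade; a non-zero exit from `check_shellshock /bin/bash` after the upgrade means the package was not actually replaced.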

Detailed proof of the fix. First the changelog entry of the patched package (shown here for utopic; the precise package installed below is the corresponding update for 12.04), then a before/after session on a 12.04 box:

bash (4.3-9ubuntu2) utopic; urgency=medium
* SECURITY UPDATE: incorrect function parsing
- debian/patches/CVE-2014-6271.diff: fix function parsing in
builtins/common.h, builtins/evalstring.c, subst.c, variables.c.
- CVE-2014-6271

~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.5 LTS
Release: 12.04
Codename: precise

~# env x='() { :;}; echo vulnerable' bash -c 'echo hello'
vulnerable
hello

~# apt-get install bash
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
bash
After this operation, 12.3 kB of additional disk space will be used.
Get:1 http://de.archive.ubuntu.com/ubuntu/ precise-updates/main bash i386 4.2-2ubuntu2.3 [616 kB]
Fetched 616 kB in 0s (964 kB/s)
Setting up bash (4.2-2ubuntu2.3) ...

Fixed (the warning is the patched bash refusing to import the function from the environment; only the intended "hello" runs):
~# env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

Alternatively, build bash 4.3 from source with all upstream patches applied. Note that this installs an unmanaged binary over the distribution's /bin/bash: the next apt upgrade of the bash package will overwrite it again, and dpkg's file checksums for the package will no longer match.
mkdir src
cd src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
# optionally also fetch bash-4.3.tar.gz.sig from the same directory and verify it with gpg before building
# download all patches (upstream numbers them from 001; check the patches directory for any newer than 025)
for i in $(seq -f "%03g" 1 25); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
# apply all patches in order; upstream patches are relative to the bash-4.3 directory, hence -p0
for i in $(seq -f "%03g" 1 25); do patch -p0 < ../bash43-$i; done
# keep a copy of the distribution binary, then build and install over /bin/bash
cp /bin/bash /bin/bash.dist
./configure --prefix=/ && make && make install
cd ../..
rm -r src
# re-run the test: a patched bash warns and prints only "hello"
env x='() { :;}; echo vulnerable' bash -c 'echo hello'

For Mac users try: http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash…
