Shellshock vulnerability fix for legacy systems
For distributions with active support, Shellshock is removed by simply updating the bash package. But if updates are no longer available, solving the problem is more difficult. There are only two workable options: update bash in some other way, or abandon bash in favour of another shell interpreter.
1. Installing the package from the Debian wheezy repository on Debian lenny.
Change /etc/apt/sources.list from
deb http://ftp.debian.org/debian lenny main contrib
deb http://security.debian.org/ lenny/updates main contrib
to
deb http://archive.debian.org/debian lenny main
deb http://archive.debian.org/debian-security lenny/updates main
deb http://archive.debian.org/backports.org lenny-backports main
deb http://ftp.debian.org/debian wheezy main contrib
deb http://security.debian.org/ wheezy/updates main contrib
Make sure that you do not have an /etc/apt/preferences file whose settings might interfere with installing software from the wheezy repositories. Then add the key with which wheezy packages are signed, update the package database and install the bash-static package.
# apt-key adv --recv-keys --keyserver pgp.mit.edu 8B48AD6246925553
# apt-get update && apt-get install -y bash-static
Check the installed bash-static and where /bin/sh points now:
# ls -la /bin/sh /bin/bash*
-rwxr-xr-x 1 root root 700492 Май 12 2008 /bin/bash
-rwxr-xr-x 1 root root 1410128 Апр 10 2010 /bin/bash-static
lrwxrwxrwx 1 root root 4 Окт 1 00:32 /bin/sh -> bash
Next, it is important to perform the following step carefully:
# mv /bin/bash /bin/bash.old && ln -s bash-static /bin/bash
Check the result; it should look like this:
# ls -la /bin/sh /bin/bash*
lrwxrwxrwx 1 root root 11 Окт 1 00:51 /bin/bash -> bash-static
-rwxr-xr-x 1 root root 700492 Май 12 2008 /bin/bash.old
-rwxr-xr-x 1 root root 1410128 Апр 10 2010 /bin/bash-static
lrwxrwxrwx 1 root root 4 Окт 1 00:32 /bin/sh -> bash
Make sure the shell works before logging out of the system, for example by trying to log in from another console. If the shell specified for the user (usually in /etc/passwd) is unavailable, you can lose the ability to access the system again.
After the operation is completed, it is worth commenting out the wheezy lines in /etc/apt/sources.list:
#deb http://ftp.debian.org/debian wheezy main contrib
#deb http://security.debian.org/ wheezy/updates main contrib
2. Other distributions.
For other distributions, you can try the static bash build from Debian wheezy or the build from ftp.ssnab.net/pub/bash (compiled in step 3).
You can download the Debian package here: packages.debian.org/wheezy/bash-static
# wget http://security.debian.org/debian-security/pool/updates/main/b/bash/bash-static_4.2+dfsg-0.1+deb7u3_i386.deb
The file is unpacked either with the dpkg utility (relevant for older versions of Ubuntu) or with the ar archiver. The latter is part of the binutils package.
# mkdir tmp
# dpkg -x bash-static_4.2+dfsg-0.1+deb7u3_i386.deb tmp/
or
# ar x bash-static_4.2+dfsg-0.1+deb7u3_i386.deb
Be sure to save the old version of bash as /bin/bash.old before copying the downloaded binary there.
3. Self-compilation
This may be necessary if you have an old kernel and the bash from wheezy does not run, complaining about a missing system call; if a different operating system is used; or when a build with special options is needed.
Bash has a somewhat tricky way of distributing its source code: there is an archive of a particular version (4.3 in our case) and a separate directory of patches for bugs found between its release and the appearance of the next version. Therefore we download both and apply the patches ourselves. On Debian lenny it looks like this.
First install the packages needed for compilation. To do this, you may need to point the repositories at the archive, as described for lenny in section 1.
# apt-get install libc-dev gcc automake autoconf make patch
For CentOS, the equivalent is:
# yum install glibc-devel glibc-static make automake autoconf patch
# cd /usr/src
# wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
# tar xzf bash-4.3.tar.gz
# cd bash-4.3
# wget -cr --reject 'index.*' --reject '*.sig' -l1 http://ftp.gnu.org/gnu/bash/bash-4.3-patches/
# find ftp.gnu.org/gnu/bash/bash-4.3-patches/ -type f | sort -u | xargs -l1 -I % cat % | patch -p0
To avoid the "multiple definition of `free`" error, use the --without-bash-malloc option:
# ./configure --enable-static-link --without-bash-malloc --enable-job-control --enable-history
# make
# strip bash
Copy the resulting bash to /bin and use it instead of the system bash as described previously:
# cp bash /bin/bash.new && mv /bin/bash /bin/bash.old && ln -s bash.new /bin/bash
Binaries built this way on clean Debian 5 and CentOS 5 can be downloaded here: ftp.ssnab.net/pub/bash
4. If you cannot compile bash yourself or pull it out of another distribution, you can give up bash and use some other shell interpreter, for example /bin/dash. Rename /bin/bash to /bin/bash.vulnerable and create a symbolic link /bin/bash pointing to the alternative interpreter.
There is some risk in this, because scripts containing bashisms (code specific to bash) will stop working. If these turn out to be startup or other important system scripts, this can render the system inoperable. For such scripts, if you are sure they will not be called in a hostile environment, you can explicitly name the original bash in the interpreter line at the beginning of the file: #!/bin/bash.vulnerable
Update: the procedure for obtaining the wheezy signing key has been added.
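The mv/ln replacement used in steps 1 and 3, written as a POSIX sh function that first checks that the candidate binary actually runs and no longer executes text after an exported function definition, and that rolls back if the target does not run afterwards. This is an added example, not from the original post; the function names and the NEW/TARGET parameters are assumptions made here so the sequence can be rehearsed on a scratch directory before being run as root against /bin/bash.

```shell
#!/bin/sh
# Added example: safe version of the "cp ... && mv ... && ln -s ..." step.
# Usage (as root): replace_shell /usr/src/bash-4.3/bash /bin/bash

# Does the candidate shell start and run a trivial command?
shell_runs() {
  [ -x "$1" ] && [ "$("$1" -c 'echo ok' 2>/dev/null)" = "ok" ]
}

# Does the candidate ignore code placed after an exported function body?
# A fixed bash (or dash) prints only "test"; an unfixed bash also runs the
# trailing command. Stderr is dropped because a fixed bash warns about
# the ignored definition.
shell_patched() {
  out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo test' 2>/dev/null)
  [ "$out" = "test" ]
}

# replace_shell NEW TARGET: install NEW as TARGET.new, move TARGET aside
# to TARGET.old and point TARGET at the new binary with a relative
# symlink, exactly the sequence from the post. Refuses to start if NEW
# fails either check, and restores TARGET.old if TARGET stops working.
replace_shell() {
  new="$1"; target="$2"; base=$(basename "$target")
  shell_runs "$new" || { echo "refusing: $new does not run" >&2; return 1; }
  shell_patched "$new" || { echo "refusing: $new is not fixed" >&2; return 1; }
  cp "$new" "$target.new" && mv "$target" "$target.old" || return 1
  ln -s "$base.new" "$target" || { mv "$target.old" "$target"; return 1; }
  if ! shell_runs "$target"; then
    rm -f "$target" && mv "$target.old" "$target"
    echo "rolled back: $target did not run after replacement" >&2
    return 1
  fi
  echo "$target now -> $(readlink "$target")"
}
```

Keep a second console logged in while running this, as the post advises; the rollback covers a binary that does not start, not a shell that misbehaves only for interactive logins.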