
A mechanism for remote code execution through Bash has been widely reported yesterday and today (September 24, 2014). See http://seclists.org/oss-sec/2014/q3/650. Reported as CVE-2014-7169 or CVE-2014-6271.

For reasons too stupid for me to explain in public, I am responsible for a server running RHEL 4 and with no update subscription. I could build a clone to test this, but I hope someone will have a direct answer.

  1. Has /bin/bash from Centos 4 been patched, or will it be?
  2. Can I just plop a (presumably patched) Centos 4 /bin/bash into my RHEL system as a workaround that will buy me several weeks? (I need until December 10)
Michael Hampton
Bob Brown

4 Answers


A patch has been provided by Oracle for el4:

https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.0.1.el4.src.rpm

https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.0.2.el4.src.rpm

https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.0.3.el4.src.rpm

https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.el4.src.rpm

As these are source RPMs, you need to compile them with rpmbuild.

Or use these links to avoid the build:

http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/bash-3.0-27.0.1.el4.i386.rpm

http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/bash-3.0-27.0.3.el4.i386.rpm

I tested it on a 4.9 i386 system; it passed the exploit test I have. (Ted)

Jina Martin
  • The latest version is now **3.0-27.0.2**: https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.0.2.el4.src.rpm (source) & http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/bash-3.0-27.0.2.el4.i386.rpm (i386) - this appears to fix the CVE-2014-7169 issue too (tested with code from https://access.redhat.com/articles/1200223). – Dave James Miller Sep 26 '14 at 14:24
  • Oracle just went up a notch in my book. – Steve Kehlet Sep 26 '14 at 21:43
  • Huh, according to http://www.oracle.com/us/support/library/lifetime-support-hardware-301321.pdf , Linux 4 is only supported until Feb 2013. They must have made an exception. Very cool. – clacke Sep 29 '14 at 20:41
  • These packages also work for Fedora Core 3 and Fedora Core 4. – Gene Sep 30 '14 at 16:48
  • Also, 64bit **3.0-27.0.3** http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/getPackage/bash-3.0-27.0.3.el4.x86_64.rpm – Liam Oct 03 '14 at 09:12

I had to patch an old CentOS 4.9 server, so I pulled the latest source RPM from the Red Hat FTP and added the upstream patch from the GNU FTP. The steps are below:

First, follow the "Setup" procedure from http://bradthemad.org/tech/notes/patching_rpms.php:

echo "%_topdir    /home/$(whoami)/src/rpm" > ~/.rpmmacros
mkdir -p ~/src/rpm/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
mkdir -p ~/src/rpm/RPMS/{i386,i486,i586,i686,noarch,athlon}

Then run the following commands from your %_topdir:

cd ~/src/rpm
wget http://ftp.redhat.com/redhat/linux/updates/enterprise/4ES/en/os/SRPMS/bash-3.0-27.el4.src.rpm
rpm -ivh bash-3.0-27.el4.src.rpm
cd SOURCES
wget http://ftp.gnu.org/gnu/bash/bash-3.0-patches/bash30-017
cd ..

Patch SPECS/bash.spec with this diff:

4c4
< Release: 27%{?dist}
---
> Release: 27.2%{?dist}
28a29
> Patch17: bash30-017
110c111,112
< #%patch16 -p0 -b .016
---
> %patch16 -p0 -b .016
> %patch17 -p0 -b .017
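Review bot: the hunk at 110c111,112 also turns `#%patch16 -p0 -b .016` into `%patch16 -p0 -b .016`, so the rebuilt package applies bash30-016 as well as the new bash30-017; since the vendor spec had that line commented out, the steps should say why it is being enabled (and confirm the Patch16 source is present in SOURCES) rather than only adding the `%patch17` line.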

Then finish with these commands:

rpmbuild -ba SPECS/bash.spec
sudo rpm -Uvh RPMS/i386/bash-3.0-27.2.i386.rpm

Edit: The latest comments in the Red Hat Bugzilla say the patch is incomplete. The new ID is CVE-2014-7169.

Edit: There are two additional patches from gnu.org, so also download those into the same SOURCES directory:

wget http://ftp.gnu.org/gnu/bash/bash-3.0-patches/bash30-018
wget http://ftp.gnu.org/gnu/bash/bash-3.0-patches/bash30-019

Then also edit the SPECS/bash.spec as follows ("Release" numbering optional):

4c4
< Release: 27%{?dist}
---
> Release: 27.2.019%{?dist}
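Review bot: with Release set to 27.2.019 here, the built package is named bash-3.0-27.2.019.i386.rpm, so the `sudo rpm -Uvh RPMS/i386/bash-3.0-27.2.i386.rpm` step from the first set of commands needs the matching file name; repeating the final rpmbuild and rpm commands after this second spec edit would avoid the mismatch.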
28a29,31
> Patch17: bash30-017
> Patch18: bash30-018
> Patch19: bash30-019
110c113,116
< #%patch16 -p0 -b .016
---
> %patch16 -p0 -b .016
> %patch17 -p0 -b .017
> %patch18 -p0 -b .018
> %patch19 -p0 -b .019
tstaylor7
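Added example (not part of tstaylor7's answer): a POSIX sh helper that makes the spec-file edits shown in the diffs above for any list of bash-3.0 patch numbers, so the same step can be repeated if further bash30-0NN patches appear. It assumes the spec already has PatchNN: and %patchNN lines to anchor on; the helper names and the miniature sample spec are constructed for illustration, and uncommenting #%patch16 as the diff does is left to the operator.

```sh
#!/bin/sh
# add_bash_patches SPEC NEW_RELEASE NUM [NUM...]   (constructed helper, not from the thread)
#   e.g. add_bash_patches SPECS/bash.spec 27.2.019 17 18 19
# For each NUM it adds "PatchNUM: bash30-0NUM" after the last PatchNN: line,
# "%patchNUM -p0 -b .0NUM" after the last %patchNN line, and rewrites Release.
# It does not uncomment an existing "#%patchNN" line; do that by hand as the diff shows.
add_bash_patches() {
  spec=$1; rel=$2; shift 2
  [ -f "$spec" ] || return 1
  awk -v rel="$rel" -v nums="$*" '
    BEGIN { n = split(nums, a, " ") }
    NR == FNR {                                  # pass 1: locate the anchor lines
      if ($0 ~ /^Patch[0-9]+:/)   last_decl  = FNR
      if ($0 ~ /^#?%patch[0-9]+/) last_apply = FNR
      next
    }
    FNR == 1 && !(last_decl && last_apply) { exit 2 }  # nothing to anchor on
    /^Release:/ { $0 = "Release: " rel "%{?dist}" }   # pass 2: rewrite and insert
    { print }
    FNR == last_decl  { for (i = 1; i <= n; i++) printf "Patch%d: bash30-%03d\n", a[i], a[i] }
    FNR == last_apply { for (i = 1; i <= n; i++) printf "%%patch%d -p0 -b .%03d\n", a[i], a[i] }
  ' "$spec" "$spec" > "$spec.new" || { rm -f "$spec.new"; return 1; }
  mv "$spec.new" "$spec"
}

# Constructed miniature of the relevant bash.spec lines (not the real file),
# used to demonstrate the edit offline. Prints the temp file path.
make_sample_spec() {
  f=$(mktemp) || return 1
  printf '%s\n' 'Name: bash' 'Version: 3.0' 'Release: 27%{?dist}' \
    'Patch15: bash30-015' 'Patch16: bash30-016' '%prep' \
    '%patch15 -p0 -b .015' '#%patch16 -p0 -b .016' '%build' > "$f"
  echo "$f"
}

# Demo: apply patches 17, 18 and 19 to the sample, as the second diff does.
if [ "${1:-}" = "--demo" ]; then
  s=$(make_sample_spec) && add_bash_patches "$s" 27.2.019 17 18 19 && cat "$s"
  rm -f "$s"
fi
```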

RHEL 4 is in its "extended life" phase, and security updates are only available to paying customers. CentOS 4 has been out of support since March 2012; no further updates have been available since then.

Your only options are to

  • Buy a support contract with Red Hat
  • Try to build your own package for Bash.
  • Or the winning option: Retire this machine and use this security issue as an incentive to do so.
Sven
  • Thank you. Because I used my real name here, I cannot explain in public why I can't retire the machine before December 10. Ditto with why it's three versions back with no contract. I've upvoted your answer, and thanks. I'll accept it if no one comes up with a rescue pretty soon. – Bob Brown Sep 25 '14 at 02:25
  • @BobBrown What? You've actually used the fictional name I use for my administrative accounts. Weird. – HopelessN00b Sep 25 '14 at 18:39
  • I blame my parents. – Bob Brown Sep 25 '14 at 19:08

A kind soul named Lewis Rosenthal has placed updated Bash RPMs for CentOS 4 on his FTP server. The bash-3.0-27.3 RPM is believed to address CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187. He has a README with more information, and there was some discussion on the CentOS forums. Don't forget this helpful all-in-one check script; note that the CVE-2014-7186 check will fail with a segmentation fault, but it's still believed to be okay, because some other tests for that vulnerability turn up okay.

I would say, either follow @tstaylor7's instructions to build your own patched RPM from source or install the above. When I tried, they both had the same results in that check script.

Steve Kehlet
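Added check script, not from any answer in this thread, covering the "exploit test" mentioned in the Oracle answer and the check script mentioned in this one: it runs the two benign checks from Red Hat's Shellshock article (linked in the comments on the first answer) against a given bash binary, so a freshly built RPM's bash can be verified before it replaces /bin/bash. Function names are my own; it assumes mktemp and env are available.

```sh
#!/bin/sh
# Constructed verification helper: each check returns 0 = fixed, 1 = vulnerable,
# 2 = binary not runnable. Nothing here modifies the system.

# CVE-2014-6271: the command following the function body in an exported
# variable must NOT run when bash starts; a fixed bash prints only "test"
# on stdout (and a warning on stderr, which is discarded here).
check_6271() {
  bin=$1
  [ -x "$bin" ] || return 2
  out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo test' 2>/dev/null)
  case $out in
    *vulnerable*) return 1 ;;
    *)            return 0 ;;
  esac
}

# CVE-2014-7169: the first fix left a parser bug that turns the stray
# redirection in the variable into a file named "echo" in the current
# directory. Run in a scratch directory so a vulnerable bash leaves nothing behind.
check_7169() {
  bin=$1
  [ -x "$bin" ] || return 2
  dir=$(mktemp -d) || return 2
  ( cd "$dir" && env 'x=() { (a)=>\' "$bin" -c 'echo date' >/dev/null 2>&1 )
  if [ -e "$dir/echo" ]; then rc=1; else rc=0; fi
  rm -rf "$dir"
  return $rc
}

# Report both checks for one binary; returns 0 only if both come back fixed.
verify_bash() {
  bin=${1:-/bin/bash}
  status=0
  for cve in 6271 7169; do
    if "check_$cve" "$bin"; then rc=0; else rc=$?; fi
    case $rc in
      0) echo "CVE-2014-$cve: $bin is fixed" ;;
      1) echo "CVE-2014-$cve: $bin is VULNERABLE"; status=1 ;;
      *) echo "CVE-2014-$cve: cannot run $bin";   status=1 ;;
    esac
  done
  return $status
}

# Usage: sh verify_bash.sh /path/to/bash   (e.g. the binary from the rebuilt RPM)
if [ -n "${1:-}" ]; then verify_bash "$1"; fi
```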