The test command
x='() { :;}; echo vulnerable' bash
shows that my Debian 8 (Jessie) installation is vulnerable, even with the latest updates. Research shows that there's a patch for stable and unstable, but that testing is unpatched.
I figure that the patch will make it to testing in a couple of days, but this actually looks nasty enough to be paranoid about. Is there any way to get the package from unstable and install it without breaking my system? Upgrading to unstable looks like it will cause more problems than it solves.
According to Bob, there is a second Shellshock vulnerability, which is fixed in a second patch. The test for it is supposed to be:
env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("
But I'm not skilled enough in Bash to work out what this means or why it's a problem. At any rate, it does something weird, which is prevented by bash_4.3-9.2_amd64.deb on 64-bit systems, which at time of editing is in stable and unstable but not in Jessie/testing.
To fix this for Jessie, get the latest Bash from unstable and install it with dpkg -i.
Jemenake offers
wget http://ftp.debian.org/debian/pool/main/b/bash/bash_4.3-9.2_$(dpkg --print-architecture).deb
as a command which will get the 4.3-9.2 version for your machine.
And you can follow that with:
sudo dpkg -i bash_4.3-9.2_$(dpkg --print-architecture).deb
to install it.
Should you need further patches from unstable for your Jessie system, this is clearly the way to go (mutatis mutandis).
Thanks, I did that and it fixed the problem without noticeably destroying anything. Presumably it will eventually get overwritten in the normal course of updates? – John Lawrence Aspden – 2014-09-25T15:16:33.217
The above link is fine if you're running a browser in a GUI. Less so if you're running lynx in a shell session. If you want something you can paste right into your command-line to grab it, try:
wget http://ftp.debian.org/debian/pool/main/b/bash/bash_4.3-9.1_$(dpkg --print-architecture).deb
It will get the right architecture for your box. – Jemenake – 2014-09-25T17:33:00.907
@Jemenake You should post that as a separate answer. – Excellll – 2014-09-25T17:37:32.800
This was definitely the answer I wanted, but now that the update's made it to Jessie, I think it's better if the accepted answer is the one people looking now need, so I'm moving the tick. Thanks though! – John Lawrence Aspden – 2014-09-26T18:54:16.940
Actually, there are two shellshock bugs, and the fix for the second one is now in sid but not jessie, so this is in fact still the right answer (make sure you get 4.3-9.2!), although doubtless the situation will resolve soon. – John Lawrence Aspden – 2014-09-26T20:02:22.523
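
To confirm the fix after installing the package, the two checks quoted in the question can be wrapped so they run against a chosen bash binary and leave no stray `echo` file behind. This is an added example, not code from the original posts; the function names are hypothetical, and the version comparison assumes a Debian system with `dpkg` on the 4.3 package line.

```bash
#!/usr/bin/env bash
# Added example, not from the original posts. Runs the page's two checks
# against a chosen bash binary without leaving files behind.

# First check: returns 0 if the binary runs the code that trails the function
# definition in the variable. "-c :" avoids starting an interactive shell.
shellshock_first() {
    local bash_bin="${1:-bash}" out
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c ':' 2>/dev/null)
    [ "$out" = "vulnerable" ]
}

# Second check: a vulnerable bash writes a file named "echo" into the current
# directory, so it runs in a scratch directory. 0 = vulnerable, 1 = not, 2 = error.
shellshock_second() {
    local bash_bin dir rc=1
    bash_bin=$(command -v "${1:-bash}") || return 2   # resolve before cd
    dir=$(mktemp -d) || return 2
    ( cd "$dir" || exit 1
      env X='() { (a)=>\' "$bash_bin" -c "echo echo vuln" >/dev/null 2>&1
      [ "$(cat echo 2>/dev/null)" = "vuln" ] ) && rc=0
    rm -rf "$dir"
    return "$rc"
}

shellshock_report() {
    local bash_bin="${1:-bash}" rc=0 v
    if shellshock_first "$bash_bin"; then echo "first check: vulnerable"
    else echo "first check: not vulnerable"; fi
    shellshock_second "$bash_bin" || rc=$?
    case "$rc" in
        0) echo "second check: still vulnerable" ;;
        1) echo "second check: not vulnerable" ;;
        *) echo "second check: could not run" ;;
    esac
    # Debian only: compare the installed package with the version the answer
    # names. Assumes the 4.3 package line (Jessie/sid).
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}' bash 2>/dev/null) || v=""
        if [ -n "$v" ] && dpkg --compare-versions "$v" ge 4.3-9.2; then
            echo "bash package $v: at or above 4.3-9.2"
        else
            echo "bash package ${v:-unknown}: below 4.3-9.2 or not installed"
        fi
    fi
    return 0
}

shellshock_report "${1:-bash}"
```

Pass a path as the first argument to test a binary other than the one found on PATH.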