How do I fix the Shellshock security vulnerability in debian testing/jessie?

24

6

The test command

x='() { :;}; echo vulnerable' bash

shows that my Debian 8 (Jessie) installation is vulnerable, even with the latest updates. Research shows that there's a patch for stable and unstable, but that testing is unpatched.

I figure that the patch will make it to testing in a couple of days, but this actually looks nasty enough to be paranoid about. Is there any way to get the package from unstable and install it without breaking my system? Upgrading to unstable looks like it will cause more problems than it solves.


According to Bob, there is a second Shellshock vulnerability, which is fixed in a second patch. The test for it is supposed to be:

env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("

But I'm not skilled enough in Bash to work out what this means or why it's a problem. At any rate, it does something weird, which is prevented by bash_4.3-9.2_amd64.deb on 64-bit systems, which at time of editing is in stable and unstable but not in Jessie/testing.

To fix this for Jessie, get the latest Bash from unstable and install it with dpkg -i.

Jemenake offers

wget http://ftp.debian.org/debian/pool/main/b/bash/bash_4.3-9.2_$(dpkg --print-architecture).deb

as a command which will get the 4.3-9.2 version for your machine.

And you can follow that with:

sudo dpkg -i bash_4.3-9.2_$(dpkg --print-architecture).deb

to install it.

Should you need further patches from unstable for your Jessie system, this is clearly the way to go (mutatis mutandis).

John Lawrence Aspden

Posted 2014-09-25T13:41:39.807

Reputation: 713

Answers

5

Download the package from unstable via this link. You can check the dependencies there as well, although it looks like the unstable bash has the same dependencies as the bash from testing. Install the downloaded deb with the following.

dpkg -i

wurtel

Posted 2014-09-25T13:41:39.807

Reputation: 1 359

Thanks, I did that and it fixed the problem without noticeably destroying anything. Presumably it will eventually get overwritten in the normal course of updates? – John Lawrence Aspden – 2014-09-25T15:16:33.217

The above link is fine if you're running a browser in a GUI. Less so if you're running lynx in a shell session. If you want something you can paste right into your command-line to grab it, try:

wget http://ftp.debian.org/debian/pool/main/b/bash/bash_4.3-9.1_$(dpkg --print-architecture).deb

It will get the right architecture for your box. – Jemenake – 2014-09-25T17:33:00.907

@Jemenake You should post that as a separate answer. – Excellll – 2014-09-25T17:37:32.800

This was definitely the answer I wanted, but now that the update's made it to Jessie, I think it's better if the accepted answer is the one people looking now need, so I'm moving the tick. Thanks though! – John Lawrence Aspden – 2014-09-26T18:54:16.940

Actually, there are two shellshock bugs, and the fix for the second one is now in sid but not jessie, so this is in fact still the right answer, (make sure you get 4.3-9.2!), although doubtless the situation will resolve soon. – John Lawrence Aspden – 2014-09-26T20:02:22.523

25

I've edited this answer for the additional bash fixes that were released on Monday.

For Ubuntu 12.04, I ran an update, but also had to run the install for bash to get rid of the vulnerability.

root@host:/home/ubuntu# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

That command shows the system is vulnerable, so run the update.

apt-get update && apt-get -y upgrade

Test again.

root@host:/home/ubuntu# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

Still vulnerable.

apt-get install -y bash

Test again.

root@host:/home/ubuntu# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Edit: After the additional patches were released, the output has changed.

root@host:/home/ubuntu# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

Yay! Fixed. This should work for other versions, but I haven't tested it beyond 12.04.

Also, runamok's reply below works well, so give him an upvote!

Tom Damon

Posted 2014-09-25T13:41:39.807

Reputation: 456

Just apt-get update && apt-get install -y bash seems to work. – runamok – 2014-09-25T20:22:57.657

Based on the answer by @JabawokJayUK I'm still failing the first test after the bash update in Ubuntu 12.04. – Birla – 2014-09-26T02:26:21.497

I am only getting this is a test but not the error and warning. On my local machine I do get the error, but on my server I don't. What does that mean? Is my server patched? Thank you. – ElBaulP – 2014-09-26T08:44:35.053

It seems the repositories are up to date now, because I did not have to perform the apt-get install -y step; the problem was already solved after the upgrade. – user316566 – 2014-09-26T10:08:33.300

This really doesn't answer the question about Debian testing/jessie. Ubuntu is a different distribution with independent package repositories and patching schedules. – Bob – 2014-09-26T10:59:18.560

The patch is not complete, try this: env -i X='() { (a)=>\' bash -c 'echo date'; cat echo (https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c23) – Fabien Sa – 2014-09-28T12:36:59.673

Works on debian unstable too – GuySoft – 2014-09-28T13:51:42.167

16

An alternative for Debian 6.0 (Squeeze) without fetching packages from Debian 7 (Wheezy):

Use the LTS security repository that has the patch backported.

Add this to /etc/apt/sources.list:

#LTS security
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

Then run apt-get update && apt-get install bash.

Via: linuxquestions

poncha

Posted 2014-09-25T13:41:39.807

Reputation: 261

Works for debian 6. We'd always keep LTS security in the list! – stanleyxu2005 – 2014-09-28T03:12:36.860

4

apt-get update before apt-get dist-upgrade and you will get the patch. Just did it myself and there was a bash upgrade pushed which fixes the problem.

MGD_Toronto

Posted 2014-09-25T13:41:39.807

Reputation: 41

The problem was that Debian testing did not yet have the updated package, so downloading it manually from unstable and installing that was the most simple fix at that time; the solution given in this answer would not have worked. (Maybe by now it will, because the package may have migrated to testing.) – wurtel – 2014-09-26T07:00:37.360

This doesn't answer the original question, but it's what people need to do now, so I'm accepting it so that it's the first thing people will see. The 'real' answer to my difficulty (it's in unstable and in stable but not in testing) is wurtel's answer using manual download of the new bash-????.deb and dpkg -i. – John Lawrence Aspden – 2014-09-26T18:57:43.780

I also think this is the answer for Ubuntu, now that they've pushed their fix properly, and probably for any other debian based distribution which is still maintained to the point where people have pushed fixes. – John Lawrence Aspden – 2014-09-26T19:06:35.930

Actually there are two shellshock bugs and the fix for the second one hasn't made it to jessie yet. – John Lawrence Aspden – 2014-09-26T20:00:31.690

This is still a valid solution and will remain so as long as the Debian testing security team is pushing updates; they may not have had it in testing at the time of the OP's question. One other option is setting all users to use Dash. This is mainly a server issue and not – MGD_Toronto – 2014-09-28T11:13:57.597

something that common desktop users need to panic about. If a package gets tainted upstream it could be an issue, but aside from that I fail to see why anyone would leave themselves open to this attack as a desktop user. The blackhats have to gain access to the shell and be using bash to execute an attack. – MGD_Toronto – 2014-09-28T11:21:47.277

3

I fixed it on my Hackintosh by:

$ brew install bash

$ x='() { :;}; echo vulnerable' bash
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash-4.3$ 

Marcos Maciel

Posted 2014-09-25T13:41:39.807

Reputation: 31

Do not forget to install brew first... – Marcos Maciel – 2014-09-26T14:14:42.667

1

I've written an article on how to do this with apt-get on old Ubuntu versions. You basically update your sources.list to the newest release and then run apt-get update and upgrade bash. You can read it step by step or copy-paste it from here.

Summary:

sudo sed -i 's/YOUR_OS_CODENAME/trusty/g' /etc/apt/sources.list
sudo apt-get update
sudo apt-get install --only-upgrade bash

Read the article if you use old-releases.ubuntu.com and don't forget that you might want to change it back:

sudo sed -i 's/trusty/YOUR_OS_CODENAME/g' /etc/apt/sources.list

Erik Duindam

Posted 2014-09-25T13:41:39.807

Reputation: 31

uh… this will leave your system with Trusty in sources.list. Next time you update, the system will upgrade to Trusty. This will SEVERELY break your system. – strugee – 2014-09-27T02:43:20.510

1

The fixed version (see changelog) for the Bash package is in Debian 8 (Jessie) now (see package info), as of 2014-09-26 14:18 UTC.

The second fix, mentioned in the comments below, is also in the Jessie repository now. There is no need to install from unstable. See the package information link above.

There is no need to install from unstable any more.

Just run:

# aptitude update

followed by:

# aptitude upgrade

Then verify that the vulnerability is gone (in a newly opened shell):

$ x='() { :;}; echo vulnerable' bash
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

dubadu

Posted 2014-09-25T13:41:39.807

Reputation: 131

Doesn't fix the followup CVE-2014-7169 yet. – Bob – 2014-09-26T14:46:32.573

@Bob, I think that's only relevant to Ubuntu? And presumably Ubuntu have already fixed it. – John Lawrence Aspden – 2014-09-26T18:55:38.630

@JohnLawrenceAspden Nope. Try running env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :(" - if it prints still vulnerable, then the latter vuln isn't patched yet. AFAIK, jessie is still vulnerable. Note that that command will create a file named echo in the current directory if successful, and you'll need to delete it before re-running the test. – Bob – 2014-09-26T19:22:05.830

@Bob, I can't make head or tail of this, what is the bit up to the semicolon doing? – John Lawrence Aspden – 2014-09-26T19:51:09.947

@Bob, but whatever it does, you're right that upgrading to the 4.3-9.2 version in unstable stops it! – John Lawrence Aspden – 2014-09-26T19:59:51.693
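As an added example (not part of the original thread or any of its answers), here is a small POSIX sh checker that runs both probes quoted on this page, the question's CVE-2014-6271 test and Bob's CVE-2014-7169 test from the comments above, and reports one verdict. It runs the second probe in a scratch directory so the stray file named echo that Bob warns about never lands in your working tree; it assumes the bash under test is on PATH as bash, and BASH_BIN is an added override, not a real bash option.

```shell
#!/bin/sh
# Added example, not from the thread: runs the two Shellshock probes quoted on
# this page against one bash binary and reports a single status.
# Assumption: the bash under test is "bash" on PATH; BASH_BIN overrides that.
BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271 probe (the question's test): a function definition exported in
# an environment variable carries a trailing command that a vulnerable bash runs
# on import. Prints "vulnerable" or "patched".
check_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'true' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169 probe (Bob's test in the comments): a parser bug lets the
# payload's trailing ">\" turn "echo echo vuln" into a redirection that writes
# "vuln" into a file called "echo". Run in a scratch directory and remove it
# afterwards, so the stray file never lands in the caller's directory.
check_7169() {
    tmp=$(mktemp -d) || return 1
    (
        cd "$tmp" || exit 1
        env X='() { (a)=>\' "$BASH_BIN" -c "echo echo vuln" >/dev/null 2>&1 || true
        if [ -f echo ] && [ "$(cat echo)" = vuln ]; then
            echo vulnerable
        else
            echo patched
        fi
    )
    rm -rf "$tmp"
}

# Overall verdict: "vulnerable" if either probe fires, "patched" if neither
# does, "no-bash" if the binary under test cannot be found.
shellshock_status() {
    if ! command -v "$BASH_BIN" >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    a=$(check_6271); b=$(check_7169)
    if [ "$a" = vulnerable ] || [ "$b" = vulnerable ]; then
        echo vulnerable
    else
        echo patched
    fi
}
```

Run it as `BASH_BIN=/bin/bash sh shellshock-check.sh` after the dpkg -i or apt-get step above; a fully fixed bash (4.3-9.2 on Jessie at the time of the thread) yields "patched" for both probes.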