Discussion:
[Ltib] patch for Bash bug
Todd Sampson
2014-09-30 20:06:31 UTC
Is there a patch available for Bash? I notice most of the tools in my /bin
are linked to Busybox except for Bash.
Peter Barada
2014-09-30 21:18:08 UTC
Post by Todd Sampson
Is there a patch available for Bash? I notice most of the tools in my
/bin are linked to Busybox except for Bash.
_______________________________________________
LTIB home page: http://ltib.org
Ltib mailing list
https://lists.nongnu.org/mailman/listinfo/ltib
I've got one I'll send out tomorrow as a tarball (since it kicks bash up
to the latest version with patches 001-025).
--
Peter Barada
***@logicpd.com
Peter Barada
2014-10-01 14:02:12 UTC
Post by Peter Barada
Post by Todd Sampson
Is there a patch available for Bash? I notice most of the tools in my
/bin are linked to Busybox except for Bash.
I've got one I'll send out tomorrow as a tarball (since it kicks bash
up to the latest version with patches 001-025).
Since I can't send the bash tarball through email due to size, grab the
bash-4.3 tarball from http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz and
place it (and the attached patch and md5 files) in your LPP (local
package pool in /opt/ltib/pkgs), and also replace
dist/lfs-5.1/bash/bash.spec with the attached bash.spec.

Execute "./ltib -p bash" and you'll end up with bash updated to version
4.3.25(1) which passes the Shellshock bug test:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

See http://www.kb.cert.org/vuls/id/252743 for information on the
Shellshock bug.
--
Peter Barada
***@logicpd.com
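
Interpreting the test quoted in the message above, as an added example that is not part of the original thread: a patched bash prints only `this is a test` on standard output, while an unpatched one also prints `vulnerable`. The function name `shellshock_check` and its result strings are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a shell with the env-function probe quoted in the thread.
# Usage: sh check.sh /bin/bash /path/to/rootfs/bin/bash ...

shellshock_check() {
    shell_bin=$1

    # Accept a path or a command name; refuse anything that cannot be run.
    if ! command -v "$shell_bin" >/dev/null 2>&1; then
        echo "error: cannot run $shell_bin"
        return 2
    fi

    # Same probe as `env x='() { :;}; echo vulnerable' bash -c "echo this is a test"`:
    # the prefix assignment exports x to the child only. An unpatched bash treats
    # the value as a function definition and runs the trailing command while
    # importing its environment. Patched builds may warn on stderr, so only
    # stdout is inspected.
    out=$(x='() { :;}; echo vulnerable' "$shell_bin" -c 'echo this is a test' 2>/dev/null) || :

    case $out in
        *vulnerable*)
            echo "VULNERABLE"
            return 1
            ;;
        *"this is a test"*)
            echo "OK"
            return 0
            ;;
        *)
            # The probe never ran to completion, so no verdict is possible.
            echo "error: unexpected output"
            return 2
            ;;
    esac
}

# Check every shell named on the command line (no arguments: do nothing).
for candidate in "$@"; do
    printf '%s: ' "$candidate"
    shellshock_check "$candidate" || :
done
```
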
Mike Goins
2014-10-03 09:50:57 UTC
FYI, something converted the line endings to dos format. md5sum
failed and strange errors on the spec file processing. All OK after
running dos2unix.
Post by Todd Sampson
Is there a patch available for Bash? I notice most of the tools in my /bin
are linked to Busybox except for Bash.
I've got one I'll send out tomorrow as a tarball (since it kicks bash up to
the latest version with patches 001-025).
Since I can't send the bash tarball through email due to size, grab the
bash-4.3 tarball from http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz and place
it (and the attached patch and md5 files) in your LPP (local package pool in
/opt/ltib/pkgs), and also replace dist/lfs-5.1/bash/bash.spec with the
attached bash.spec.
Execute "./ltib -p bash" and you'll end up with bash updated to version
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
See http://www.kb.cert.org/vuls/id/252743 for information on the Shellshock
bug.
--
Peter Barada