bash env bug on legacy centos 4.8 system

A 5 star hangout for overworked and underpaid system admins.
_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

bash env bug on legacy centos 4.8 system

Post by _ck_ » 2014/09/25 01:47:47

So let's say you were stuck with an ancient centos 4.8 server that simply has no upgrade path until one day the hardware dies.

It survived heartbleed because ironically the libraries were too old to have the feature in the first place.

But it won't survive the bash environment bug.

Options?
Any chance I can force the CentOS 5 bash rpm to install without breaking it?
Or do I have to try compiling bash from scratch? Machine is very underpowered.

Since the centos4 forums are (rightly) closed, I figured I'd post here in case someone is feeling generous.

Looks like Redhat is offering a patch for their ELS

Red Hat Enterprise Linux 4 Extended Lifecycle Support - bash-3.0-27.el4.2

could I build it from the srpm?

panayotb
Posts: 2
Joined: 2014/09/25 05:24:10

Re: bash env bug on legacy centos 4.8 system

Post by panayotb » 2014/09/25 05:33:17

Hello,

I could not find the source rpm for Red Hat Enterprise Linux 4 Extended Lifecycle Support - bash-3.0-27.el4.2

So just downloaded http://vault.centos.org/4.9/apt/i386/SR ... l4.src.rpm

and this patch: http://ftp.gnu.org/pub/gnu/bash/bash-3. ... bash30-017

All went well and server no more shows 'vulnerable' with this check:

Code: Select all

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

Re: bash env bug on legacy centos 4.8 system

Post by _ck_ » 2014/09/25 10:22:35

panayotb wrote:All went well and server no more shows 'vulnerable' with this check
Many thanks for the idea.

Have never patched an srpm before so I guess I am going to be learning something today.

_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

Re: bash env bug on legacy centos 4.8 system

Post by _ck_ » 2014/09/25 11:25:32

Okay this is what I came up with.
Corrections and suggestions welcome:

(I know it is strongly cautioned not to work with rpmbuild as root but I could not figure out how to make it work otherwise)

Code: Select all

mkdir -p /root/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}  
echo "%_topdir /root/rpmbuild/" > /root/.rpmmacros
rpm -Uvh http://vault.centos.org/4.9/apt/i386/SRPMS.updates/bash-3.0-27.el4.src.rpm
cd /root/rpmbuild/SOURCES/
wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017
# edit bash30-017 and change any reference to 3.0.16 to just 3.0
cd /root/rpmbuild/SPECS/
#  edit  /root/rpmbuild/SPECS/bash.spec
#  and add where appropriate
# %patch17 -p0 -b .017
# Patch17: bash30-017
rpmbuild -ba bash.spec
# wait to see if it completes cleanly, may take several minutes
# yum install /root/rpmbuild/RPMS/i386/bash-3.0-27.i386.rpm  # will not work, yum thinks it is the same
rpm -Fvh /root/rpmbuild/RPMS/i386/bash-3.0-27.i386.rpm
I was never able to get the package to install correctly but I disabled the temporary file delete at the end of the bash.spec file and then examined the bash binary and it was ineed 3.0.17 after the patches. So I manually copied it to /bin/bash and now the env bug test properly fails.

panayotb
Posts: 2
Joined: 2014/09/25 05:24:10

Re: bash env bug on legacy centos 4.8 system

Post by panayotb » 2014/09/25 23:21:41

I did almost the same things.

- Skipped first 2 lines about changing the topdir, so everything was built in the default /usr/src/redhat (also built it as root)
- Did not edit bash30-017
- In spec file also had to uncomment this line

Code: Select all

%patch16 -p0 -b .016
to be able to update the package with rpm -Uvh, also edit this line is spec file (it is line 4):

Code: Select all

Release: 27%{?dist}.1
Now we wait for the new patch to come out and repeat the procedure ;) as it turns out vulnerability was not quite fixed with the first one (CVE-2014-7169) ..

_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

Re: bash env bug on legacy centos 4.8 system

Post by _ck_ » 2014/09/26 03:44:52

panayotb wrote:Now we wait for the new patch to come out and repeat the procedure ;) as it turns out vulnerability was not quite fixed with the first one (CVE-2014-7169) ..
Looks like they just announced/shipped the second one

http://lists.centos.org/pipermail/cento ... 20593.html

But we'll have to diff what they did since I do not see a second patch on gnu/bash yet?

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: bash env bug on legacy centos 4.8 system

Post by gerald_clark » 2014/09/26 03:57:09

So, you are running an obsolete and unsupported system with years of exploits and you are worried about bash?

LewisR
Posts: 16
Joined: 2014/09/26 04:40:20
Location: New York, USA
Contact:

Re: bash env bug on legacy centos 4.8 system

Post by LewisR » 2014/09/26 05:03:20

Just a quick thanks for the tips. I've managed to patch a lone 4.8 box which runs a non-upgradeable app and which was indeed vulnerable.

I'll run the second round of this, once I get to see what the new patch looks like. Meanwhile, if anyone is interested in just grabbing binaries, I have them available on my ftp server .

Cheers
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------

_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

Re: bash env bug on legacy centos 4.8 system

Post by _ck_ » 2014/09/26 10:33:54

LewisR wrote:I'll run the second round of this, once I get to see what the new patch looks like.
I just realized that 4.9 is technically the last of 4.x but most people think 4.8

Anyway, it looks like they shipped a second patch for bash 3.0 last night but it hasn't made it to gnu.org/bash yet

it will be bash30-018

eventually will be here http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/
as http://ftp.gnu.org/pub/gnu/bash/bash-3. ... bash30-018

If you don't want to wait and trust it from the email list, then it is here http://seclists.org/oss-sec/2014/q3/734

notes to self to append the changes from 017

Code: Select all

1. put  bash30-018 into SOURCES
2. edit bash30-018 to remove reference to 3.0.17 to just  3.0
3. go into SPECS
4. edit bash.spec
5. change third line to:   Release: 27%{?dist}.2
6. add  Patch18: bash30-018
7. add  %patch18 -p0 -b .018
8. rpmbuild -ba bash.spec
9. go into RPMS/i386
10. install bash-3.0-27.2.i386.rpm either via rpm -F or edit yum conf to temp disable gpg check
If you see today's date instead of the word "date" or a file named "echo" is made when running this after second patch
then it is NOT working

Code: Select all

env X='() { (a)=>\' sh -c "echo date"; cat echo

LewisR
Posts: 16
Joined: 2014/09/26 04:40:20
Location: New York, USA
Contact:

Re: bash env bug on legacy centos 4.8 system

Post by LewisR » 2014/09/26 20:55:08

_ck_ wrote: I just realized that 4.9 is technically the last of 4.x but most people think 4.8

Anyway, it looks like they shipped a second patch for bash 3.0 last night but it hasn't made it to gnu.org/bash yet

it will be bash30-018

eventually will be here http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/
as http://ftp.gnu.org/pub/gnu/bash/bash-3. ... bash30-018

If you don't want to wait and trust it from the email list, then it is here http://seclists.org/oss-sec/2014/q3/734
Thanks for this. The patch still has not made it to the official sources, but I'll check into it and will likely download from the list and build. I'll follow-up with a post here.

I'll probably do a build for x64, as well.

Cheers
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------

Post Reply