bash env bug on legacy centos 4.8 system
So let's say you were stuck with an ancient centos 4.8 server that simply has no upgrade path until one day the hardware dies.
It survived heartbleed because ironically the libraries were too old to have the feature in the first place.
But it won't survive the bash environment bug.
Options?
Any chance I can force the CentOS 5 bash rpm to install without breaking it?
Or do I have to try compiling bash from scratch? Machine is very underpowered.
Since the centos4 forums are (rightly) closed, I figured I'd post here in case someone is feeling generous.
Looks like Redhat is offering a patch for their ELS
Red Hat Enterprise Linux 4 Extended Lifecycle Support - bash-3.0-27.el4.2
could I build it from the srpm?
Re: bash env bug on legacy centos 4.8 system
Hello,
I could not find the source rpm for Red Hat Enterprise Linux 4 Extended Lifecycle Support - bash-3.0-27.el4.2
So just downloaded http://vault.centos.org/4.9/apt/i386/SR ... l4.src.rpm
and this patch: http://ftp.gnu.org/pub/gnu/bash/bash-3. ... bash30-017
All went well and the server no longer shows 'vulnerable' with this check:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Re: bash env bug on legacy centos 4.8 system
panayotb wrote: All went well and the server no longer shows 'vulnerable' with this check
Many thanks for the idea.
Have never patched an srpm before so I guess I am going to be learning something today.
Re: bash env bug on legacy centos 4.8 system
Okay this is what I came up with.
Corrections and suggestions welcome:
(I know it is strongly cautioned not to work with rpmbuild as root but I could not figure out how to make it work otherwise)
I was never able to get the package to install correctly but I disabled the temporary file delete at the end of the bash.spec file and then examined the bash binary and it was indeed 3.0.17 after the patches. So I manually copied it to /bin/bash and now the env bug test properly fails.
mkdir -p /root/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
echo "%_topdir /root/rpmbuild/" > /root/.rpmmacros
rpm -Uvh http://vault.centos.org/4.9/apt/i386/SRPMS.updates/bash-3.0-27.el4.src.rpm
cd /root/rpmbuild/SOURCES/
wget http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017
# edit bash30-017 and change any reference to 3.0.16 to just 3.0
cd /root/rpmbuild/SPECS/
# edit /root/rpmbuild/SPECS/bash.spec
# and add where appropriate
# %patch17 -p0 -b .017
# Patch17: bash30-017
rpmbuild -ba bash.spec
# wait to see if it completes cleanly, may take several minutes
# yum install /root/rpmbuild/RPMS/i386/bash-3.0-27.i386.rpm # will not work, yum thinks it is the same
rpm -Fvh /root/rpmbuild/RPMS/i386/bash-3.0-27.i386.rpm
Re: bash env bug on legacy centos 4.8 system
I did almost the same things.
- Skipped first 2 lines about changing the topdir, so everything was built in the default /usr/src/redhat (also built it as root)
- Did not edit bash30-017
- In spec file also had to uncomment this line
%patch16 -p0 -b .016
To be able to update the package with rpm -Uvh, also edit this line in the spec file (it is line 4):
Release: 27%{?dist}.1
Now we wait for the new patch to come out and repeat the procedure, as it turns out the vulnerability was not quite fixed with the first one (CVE-2014-7169) ..
Re: bash env bug on legacy centos 4.8 system
panayotb wrote: Now we wait for the new patch to come out and repeat the procedure as it turns out vulnerability was not quite fixed with the first one (CVE-2014-7169) ..
Looks like they just announced/shipped the second one
http://lists.centos.org/pipermail/cento ... 20593.html
But we'll have to diff what they did since I do not see a second patch on gnu/bash yet?
Re: bash env bug on legacy centos 4.8 system
So, you are running an obsolete and unsupported system with years of exploits and you are worried about bash?
Re: bash env bug on legacy centos 4.8 system
Just a quick thanks for the tips. I've managed to patch a lone 4.8 box which runs a non-upgradeable app and which was indeed vulnerable.
I'll run the second round of this, once I get to see what the new patch looks like. Meanwhile, if anyone is interested in just grabbing binaries, I have them available on my ftp server.
Cheers
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------
Re: bash env bug on legacy centos 4.8 system
LewisR wrote: I'll run the second round of this, once I get to see what the new patch looks like.
I just realized that 4.9 is technically the last of 4.x but most people think 4.8
Anyway, it looks like they shipped a second patch for bash 3.0 last night but it hasn't made it to gnu.org/bash yet
it will be bash30-018
eventually will be here http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/
as http://ftp.gnu.org/pub/gnu/bash/bash-3. ... bash30-018
If you don't want to wait and trust it from the email list, then it is here http://seclists.org/oss-sec/2014/q3/734
notes to self to append the changes from 017
1. put bash30-018 into SOURCES
2. edit bash30-018 to remove reference to 3.0.17 to just 3.0
3. go into SPECS
4. edit bash.spec
5. change third line to: Release: 27%{?dist}.2
6. add Patch18: bash30-018
7. add %patch18 -p0 -b .018
8. rpmbuild -ba bash.spec
9. go into RPMS/i386
10. install bash-3.0-27.2.i386.rpm either via rpm -F or edit yum conf to temp disable gpg check
then it is NOT working
env X='() { (a)=>\' sh -c "echo date"; cat echo
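As an added example (not from any poster in this thread), here is a small POSIX sh script that wraps the two one-line checks quoted in the thread and reports each CVE separately, so the result of a rebuild is unambiguous. It assumes the bash to test is on PATH or is passed as its first argument; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: runs the two checks posted above and
# reports CVE-2014-6271 and CVE-2014-7169 separately for the bash under test.
# Pass the bash binary to test as $1 (default: the bash found on PATH).
BASH_BIN="${1:-bash}"
# Make a relative path absolute so check_7169 can cd into a scratch directory.
case "$BASH_BIN" in
    */*) BASH_BIN="$(cd "$(dirname "$BASH_BIN")" && pwd)/$(basename "$BASH_BIN")" ;;
esac

# CVE-2014-6271: a patched bash must not run the command that follows the
# function body in the environment variable (first check in the thread).
check_6271() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo unknown; return 2; }
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo VULNERABLE ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the first patch left a parser bug; a still-vulnerable bash
# creates a file named 'echo' in the working directory (second check in the
# thread). Run it in a scratch directory so no real file is clobbered.
check_7169() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo unknown; return 2; }
    tmp=$(mktemp -d) || { echo unknown; return 2; }
    ( cd "$tmp" && env X='() { (a)=>\' "$BASH_BIN" -c "echo date" >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then r=VULNERABLE; else r=patched; fi
    rm -rf "$tmp"
    echo "$r"
}

# Print one line per CVE; "unknown" means the binary could not be exercised.
report() {
    printf 'bash binary: %s\n' "$BASH_BIN"
    printf 'CVE-2014-6271: %s\n' "$(check_6271)"
    printf 'CVE-2014-7169: %s\n' "$(check_7169)"
}

report
```

Run it as `sh check-shellshock.sh /bin/bash` after installing the rebuilt rpm; both lines must read "patched" before the box is considered fixed.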
Re: bash env bug on legacy centos 4.8 system
_ck_ wrote: I just realized that 4.9 is technically the last of 4.x but most people think 4.8
Anyway, it looks like they shipped a second patch for bash 3.0 last night but it hasn't made it to gnu.org/bash yet
it will be bash30-018
eventually will be here http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/
as http://ftp.gnu.org/pub/gnu/bash/bash-3. ... bash30-018
If you don't want to wait and trust it from the email list, then it is here http://seclists.org/oss-sec/2014/q3/734
Thanks for this. The patch still has not made it to the official sources, but I'll check into it and will likely download from the list and build. I'll follow up with a post here.
I'll probably do a build for x64, as well.
Cheers
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC
-------------------------------------------------------------