Fix Endian Shellshock Community Edition

http://www.efwsupport.com/index.php/topic,4164.30.html

What are we running?
—————————–
# bash --version
GNU bash, version 3.00.14(1)-release (i686-redhat-linux-gnu)

Funky install
—————-
# smart install http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/bash-3.0-27.0.2.el4.i386.rpm
# rpm -Uhv bash-3.0-27.0.2.el4.i386.rpm

Did we upgrade it? (Yes)
——————————-
# bash --version
GNU bash, version 3.00.15(1)-release (i686-redhat-linux-gnu)

Does it pass the test? (Yes. It's fixed)
————————————————
# env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
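
The two checks above (the version string and the function-import test) as a small script that can be run before and after the RPM upgrade. This is an added example, not part of the original post; the function names are mine, and 3.00.15 is used as the minimum version only because that is what the fixed package reports above (the import test is the authoritative check).

```shell
#!/bin/sh
# Added example, not from the original post: the post's two manual checks
# (bash --version and the env import test) as functions; names are my own.

# Pull the version triple (e.g. 3.00.15) out of `bash --version` output.
bash_version_of() {
    printf '%s\n' "$1" | sed -n 's/^GNU bash, version \([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p'
}

# Return 0 when version $1 (a.b.c) is at least version $2 (a.b.c), else 1.
# Numeric comparison, so 3.00.15 >= 3.00.14 and 4.1.2 >= 3.00.15 as expected.
version_at_least() {
    oldifs=$IFS; IFS='. '
    set -- $1 $2; IFS=$oldifs
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# Classify the captured output of the env test: prints "vulnerable" and
# returns 1 if the injected command ran (a line reading exactly "vulnerable");
# a patched bash only prints the "ignoring function definition" warning and "hello".
classify_shellshock_output() {
    if printf '%s\n' "$1" | grep -qx vulnerable; then
        echo vulnerable; return 1
    fi
    echo patched
}

# Run the post's exact test against the bash binary in $1 (default: bash in PATH).
shellshock_check() {
    b=${1:-bash}
    command -v "$b" >/dev/null 2>&1 || { echo "missing: $b"; return 2; }
    classify_shellshock_output "$(env x='() { :;}; echo vulnerable' "$b" -c 'echo hello' 2>&1)"
}

# Combined audit: version at least $2 (default 3.00.15, what the fixed RPM
# reports) as a sanity check, then the import test, which is the real proof.
bash_audit() {
    b=${1:-bash}; min=${2:-3.00.15}
    command -v "$b" >/dev/null 2>&1 || { echo "missing: $b"; return 2; }
    v=$(bash_version_of "$("$b" --version 2>&1)")
    echo "version: ${v:-unknown} (minimum $min)"
    version_at_least "${v:-0.0.0}" "$min" || { echo "version too old"; return 1; }
    shellshock_check "$b"
}
bash_audit "$@"
```

Run it as `sh bash_audit.sh /bin/bash` (or with an explicit minimum as the second argument); a non-zero exit means the box still needs attention.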

Notes:
——–
1. The "smart install" fails because there is no DSA key stored in EFW for the Oracle repository, but it still fetched the RPM.

2. "rpm -U" cannot fetch the file from Oracle directly (you get an "import read failed(-1)." error).

3. "rpm -U" will, however, install from the local copy retrieved by the "smart install".

4. bash 3.0 aligns with Red Hat Enterprise Linux 4 (3.2 is RHEL 5, 4.1 is RHEL 6, 4.2 is RHEL 7):
   https://access.redhat.com/articles/1200223
   RHEL 4 is no longer supported by Red Hat, which is why we have to get the package from Oracle.

5. The downloaded bash is built for "Red Hat Enterprise Linux 4" (EL4), but it should be the same for all RHEL 4 derivatives (unverified).

6. Review the source at https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.0.2.el4.src.rpm

7. This was tested on 2.2.rc3 and 3.0.0-devel; your experience may vary.
