The test command

x='() { :;}; echo vulnerable' bash

shows that my Debian 8 (Jessie) installation is vulnerable, even with the latest updates. Research shows that there's a patch for stable and unstable, but that testing is unpatched.

I figure that the patch will make it to testing in a couple of days, but this actually looks nasty enough to be paranoid about. Is there any way to get the package from unstable and install it without breaking my system? Upgrading to unstable looks like it will cause more problems than it solves.


According to Bob, there is a second Shellshock vulnerability, which is fixed in a second patch. The test for it is supposed to be:

env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("

But I'm not skilled enough in Bash to work out what this means or why it's a problem. At any rate, it does something weird, which is prevented by bash_4.3-9.2_amd64.deb on 64-bit systems, which at time of editing is in stable and unstable but not in Jessie/testing.

To fix this for Jessie, get the latest Bash from unstable and install it with dpkg -i.

Jemenake offers

wget http://ftp.debian.org/debian/pool/main/b/bash/bash_4.3-9.2_$(dpkg --print-architecture).deb

as a command which will get the 4.3-9.2 version for your machine.

And you can follow that with:

sudo dpkg -i bash_4.3-9.2_$(dpkg --print-architecture).deb

to install it.

Should you need further patches from unstable for your Jessie system, this is clearly the way to go (mutatis mutandis).
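As an added example (not part of the question or any answer), the following POSIX sh script wraps the two test commands quoted above into functions with a clear exit status, so the check can be scripted across a fleet; the second test is run in a scratch directory because on a vulnerable bash it leaves a stray file named "echo" behind. The function names are my own.

```shell
#!/bin/sh
# Added example: run both Shellshock checks from the question against the bash
# on PATH. CVE-2014-6271 is the "echo vulnerable" test, CVE-2014-7169 is the
# "(a)=>\" parser test. Exit codes: 0 = patched, 1 = vulnerable, 2 = no bash.

check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || return 2
    # A vulnerable bash runs the command that trails the function body while
    # importing x; a patched one only warns on stderr (discarded here).
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || return 2
    # The bug turns the leftover "\" plus newline into a redirection, so a
    # vulnerable bash writes "vuln" into a file called "echo" in the cwd.
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' bash -c 'echo echo vuln' >/dev/null 2>&1 ) || true
    if [ -f "$tmp/echo" ] && [ "$(cat "$tmp/echo")" = "vuln" ]; then
        rc=1
    else
        rc=0
    fi
    rm -rf "$tmp"
    return $rc
}

# Human-readable summary: one line per check.
report() {
    for c in check_cve_2014_6271 check_cve_2014_7169; do
        if "$c"; then rc=0; else rc=$?; fi
        case $rc in
            0) echo "$c: patched" ;;
            1) echo "$c: VULNERABLE" ;;
            *) echo "$c: bash not found" ;;
        esac
    done
}

report
```

Run it after every bash upgrade; both lines should read "patched" before the system is considered fixed.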

I've edited this answer for the additional bash fixes that were released on Monday.

For Ubuntu 12.04, I ran an update, but also had to run the install for bash to get rid of the vulnerability.

root@host:/home/ubuntu# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

That command shows the system is vulnerable, so run the update.

apt-get update && apt-get -y upgrade

Test again.

root@host:/home/ubuntu# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

Still vulnerable.

apt-get install -y bash

Test again.

root@host:/home/ubuntu# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Edit: After the additional patches were released, the output has changed.

root@host:/home/ubuntu# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

Yay! Fixed. This should work for other versions, but I haven't tested it beyond 12.04.

Also, runamok's reply below works well, so give him an upvote!

Tom Damon

An alternative for Debian 6.0 (Squeeze) without fetching packages from Debian 7 (Wheezy):

Use the LTS security repository that has the patch backported.

Add this to /etc/apt/sources.list:

#LTS security
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

Then run apt-get update && apt-get install bash.

Via: linuxquestions

poncha

Download the package from unstable via this link. You can check the dependencies there as well, although it looks like the unstable bash has the same dependencies as the bash from testing. Install the downloaded deb with the following.

dpkg -i
Excellll, wurtel

apt-get update before apt-get dist-upgrade and you will get the patch. Just did it myself and there was a bash upgrade pushed which fixes the problem.

BenjiWiebe

I fixed it on my Hackintosh by:

$ brew install bash

$ x='() { :;}; echo vulnerable' bash
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash-4.3$ 
I've written an article on how to do this with apt-get on old Ubuntu versions. You basically update your sources.list to the newest release and then run apt-get update and upgrade bash. You can read it step by step or copy-paste it from here.

Summary:

sudo sed -i 's/YOUR_OS_CODENAME/trusty/g' /etc/apt/sources.list
sudo apt-get update
sudo apt-get install --only-upgrade bash

Read the article if you use old-releases.ubuntu.com and don't forget that you might want to change it back:

sudo sed -i 's/trusty/YOUR_OS_CODENAME/g' /etc/apt/sources.list
The fixed version (see changelog) for the Bash package is in Debian 8 (Jessie) now (see package info), as of 2014-09-26 14:18 UTC.

The second fix, mentioned in the comments below, is also in the Jessie repository now. There is no need to install from unstable. See the package information link above.

There is no need to install from unstable any more.

Just run:

# aptitude update

followed by:

# aptitude upgrade

Then verify that the vulnerability is gone (in a newly opened shell):

$ x='() { :;}; echo vulnerable' bash
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
dubadu