1

The bash shell in my production box is vulnerable to 'bashbug' vulnerability. https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

The version installed is 

`$ bash --version
 GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)`

I am not able to use YUM to install the latest package because our server is not connected to Internet , SO I am trying to install bash using source code. I downloaded bash 4.3 and installed it from source code.Since this version is still vulnerable to bash bug , I need to apply the latest patch for this version.

For this I downloaded the latest patch for bash from the following site.

http://ftp.gnu.org/gnu/bash/bash-4.3-patches/

I am applying bash43-030 patch from the above link.

http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-030

Issue I am facing is that apply of patch is failing with the following error

[bash-4.3]$ patch -p0 < bash-patch patching file builtins/evalstring.c Hunk #1 FAILED at 309. Hunk #2 FAILED at 379. 2 out of 2 hunks FAILED -- saving rejects to file builtins/evalstring.c.rej patching file parse.y Hunk #1 succeeded at 2574 (offset 35 lines). Hunk #2 FAILED at 4038. 1 out of 2 hunks FAILED -- saving rejects to file parse.y.rej patching file shell.h Hunk #1 succeeded at 181 with fuzz 2. patching file y.tab.c Hunk #1 FAILED at 169. Hunk #2 FAILED at 498. Hunk #3 FAILED at 2099. Hunk #4 FAILED at 2113. ... ... Hunk #98 FAILED at 6350. 97 out of 98 hunks FAILED -- saving rejects to file y.tab.c.rej patching file patchlevel.h Hunk #1 FAILED at 26. 1 out of 1 hunk FAILED -- saving rejects to file patchlevel.h.rej

Please suggest how to resolve the issue . May be approach of applying the patch is wrong .

Improve this question
5
  • What is your OS? Red Hat? Centos? Fedora? Did you try downloading a patch RPM and installing it? It is straight-forward and should be simple process. Could you paste the output of rpm -qa | grep bash ? Commented Oct 13, 2014 at 7:06
  • Centos 5.5 . Could not locate a patch RPM , that's why trying to apply patch from source Commented Oct 13, 2014 at 7:34
  • Since you are able to download things, why not simply download the latest RPM for bash and install that? Commented Oct 13, 2014 at 7:44
  • Sorry for any confusion . Download is from a desktop machine running windows . The production server is not connected to Internet Commented Oct 13, 2014 at 7:46
  • In case you have a Red Hat account, you can download the patched RPM for RHEL 5 and should be fine. In case you don't, you may find some help here centos.org/forums/viewforum.php?f=4 Commented Oct 13, 2014 at 7:49

1 Answer 1

Reset to default
2

Bash patches are cumulative, the source for 4.3 is effectively 4.3.0, the patches are separate, and all of them should be applied in order, each one will bump you up a patch level. Rarely, a complete source release is made available from the official site, the last one was 3.2.48.

What you are observing is that the required patch (the "-030" suffix indicates a .30 patchlevel) is expecting the earlier patches. (This will always be detected with bash patches, since each one patches patchlevel.h any omission will result in a patch error). You can find my instructions for building from source here: https://unix.stackexchange.com/a/157714/31352

Building from source is straightforward, but not to be undertaken lightly. Once you patch your bash you're on your own with regards to vendor support, and may complicate further administrative tasks (such as patches and upgrades).

You are probably better off downloading the Red Hat RPM, transferring that to the server (or if you really want to build it from source, the SRPM instead). bash has minimal dependencies (notably termcap), you should just need a single package assuming none of them been modified.

In any case, you probably should stick with bash-4.1, there are a number of changes which may impact scripts, see the COMPAT file in the source distribution for details. All released versions from 2.05b to 4.3 have patches for "shellshock" (CVE-2014-6271) and related issues.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.