patched-bash-4.3 for CVE-2014-6271
This is just bash 4.3, pulled from the GNU website, and patched with the patches available on 9/26/2014, including the pkgsrc functionality changes that just disable the silly "execute functions in env variables" altogether.
The patches are also included here, but I've already applied them to the source code (for those unfamiliar with the patch command).
Don't use this if you don't know and trust me. Build it yourself.
I'm putting this on GitHub so I can point friends and co-workers here.
- clone this repo
    git clone https://github.com/ryancnelson/patched-bash-4.3
    cd bash-4.3
    make clean ; ./configure ; make ; make install
- look at
    /usr/local/bin/bash --version
    GNU bash, version 4.3.25(1)-release (i386-pc-solaris2.11)
    Copyright (C) 2013 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software; you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
- mount this file, using the lofs mount trick, ON TOP of /usr/bin/bash:
  - you may need to reboot to kill off any currently running bash shells
  - after reboot, log back in, and run
        exec /bin/sh
    to confirm you're not using bash at the moment.
        ps -ef | grep bash
    should return nothing.
  - then, mount /usr/local/bin/bash over /usr/bin/bash with:
        mount -O -F lofs /usr/local/bin/bash /usr/bin/bash
  - this lofs mount is not permanent. Re-do it after reboots, or wait for a patched platform image.
- confirm that
    /usr/bin/bash --version
  returns the new 4.3 version you expect after the lofs mount command
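A version string alone does not show that the function-import behaviour is gone, so the following added example (not part of the original repo) probes the binary for the CVE-2014-6271 behaviour and checks that the lofs overlay is in place. The function names and the marker string are constructed for this example.

```shell
#!/bin/sh
# Added example: behavioural check for the CVE-2014-6271 function-import bug.
MARKER=FUNCIMPORT_RAN   # constructed marker string; any unique token works

# probe_bash BIN -> prints "missing", "vulnerable", "patched" or "error"
probe_bash() {
    bin=$1
    [ -x "$bin" ] || { echo missing; return 0; }
    # Hand the shell an environment variable shaped like an exported function
    # with a trailing command. A fixed bash must not run the trailing echo.
    out=$(env "probe=() { :; }; echo $MARKER" "$bin" -c 'echo started' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) echo vulnerable ;;   # trailing command was executed
        *started*)   echo patched ;;      # only the requested command ran
        *)           echo error ;;        # binary did not run as expected
    esac
}

# verify_overlay BUILT TARGET -> returns 0 only if TARGET passes the probe
# and is byte-identical to BUILT (i.e. the lofs mount is in effect).
verify_overlay() {
    built=$1
    target=$2
    state=$(probe_bash "$target")
    if [ "$state" != patched ]; then
        echo "FAIL: $target is $state"
        return 1
    fi
    if ! cmp -s "$built" "$target"; then
        echo "FAIL: $target differs from $built (lofs mount not active?)"
        return 1
    fi
    echo "OK: $target is the patched build"
}

# Usage on the system described above:
#   verify_overlay /usr/local/bin/bash /usr/bin/bash
```

Because the lofs mount does not survive a reboot, this check is worth re-running after every boot.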
If you're on SmartOS and want to watch your system to see when bash is executed, you can, using DTrace.
Run this at your command line:
dtrace -n 'proc:::exec-success /basename(execname)=="bash"/ {printf("%d executed %s\n", ppid, execname);}'
... then, log in again, or spawn some bash shells. You should see lines like:
CPU ID FUNCTION:NAME
1 11422 exec_common:exec-success 91178 executed bash
... this'll let you know whether your application(s) are forking bash under the covers, unbeknownst to you, as part of their normal operations, and whether you're exposed to external intruders being able to spawn bash and exploit it remotely.