Bash Bug

Hello Everyone,

I was struggling to find a way to update that bug in our servers, so after reading a lot of topics and mainly following the instructions from https://shellshocker.net/ I made a script to automate this task:

Make a script file with:

```bash
#!/bin/bash
# Script By Yuri Paulo CWB-Brasil

# Refresh repositories and install make, GCC and patch
zypper ref
zypper -n in make
zypper -n in gcc-c++
zypper -n in patch

# Download Bash 4.3 and its patches
cd ~/
mkdir -p /util/bash
cd /util/bash

# --no-check-certificate turns off TLS certificate verification for these downloads
wget https://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz --no-check-certificate

# download all patches
for i in $(seq -f "%03g" 1 27); do wget https://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i --no-check-certificate; done
tar zxvf bash-4.3.tar.gz

cd bash-4.3/

# apply the patches in order, then build and install
for i in $(seq -f "%03g" 1 27); do patch -p0 < ../bash43-$i; done
./configure && make && make install

exit
# End of Script
```

I ran tests on openSUSE 11.4, 11.3, 11.2, 11.0 and 12.1 without problems.

I hope this helps someone with the same problems. :wink:
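
Added example, not part of the original post: the script runs `./configure` without `--prefix`, so `make install` puts the new binary under `/usr/local` by default and the distribution's `/bin/bash` stays in place, which makes it worth listing every bash on the machine with its patch level. The candidate paths, function names and status labels are assumptions, and the comparison is only against patch 27, the last one the script applies.

```sh
#!/bin/sh
# Added example (not from the original post): list each bash binary and
# compare its patch level with the one the script above builds.
# Assumed names: REQUIRED_PATCH, parse_version, classify, audit_bash.

REQUIRED_PATCH=${REQUIRED_PATCH:-27}   # script applies bash43-001..027

# Pull "major.minor.patch" out of the first line of `bash --version`,
# e.g. "GNU bash, version 4.3.27(1)-release (x86_64-unknown-linux-gnu)".
# Prints nothing when the line is not a bash version banner.
parse_version() {
    printf '%s\n' "$1" |
        sed -n 's/^GNU bash, version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Classify a version. Only an upstream 4.3 build can be judged by its
# number; distribution packages may carry backported fixes it does not show.
classify() {
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" = 4 ] && [ "$minor" = 3 ]; then
        if [ "$patch" -ge "$REQUIRED_PATCH" ]; then
            echo patchlevel-ok
        else
            echo patchlevel-low
        fi
    else
        echo not-4.3
    fi
}

# Print "path version status" for every candidate that is really bash.
audit_bash() {
    for b in "$@"; do
        [ -x "$b" ] || continue
        ver=$(parse_version "$("$b" --version 2>/dev/null </dev/null | head -n 1)")
        [ -n "$ver" ] || continue
        printf '%s %s %s\n' "$b" "$ver" "$(classify "$ver")"
    done
}

# Assumed candidate paths; adjust to the machine being checked.
audit_bash /bin/bash /usr/bin/bash /usr/local/bin/bash
```

A `not-4.3` result for `/bin/bash` means the distribution package is still the one in use at that path, and its status depends on the distribution's own update.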

https://forums.opensuse.org/showthread.php/501161-Vulnerability-in-bash

Also, why do you install via zypper one at a time? zypper accepts more than one package (separated by white space)

zypper in foo bar baz more

That said you need the devel_basis pattern for compiling things as a minimum requirement.

zypper in -t pattern devel_basis

Last but not least, the packages are updated on the repos with the patch being applied ;).
Also bash 4.3 is not even the default version in “13.2 beta” so I wonder which server you are talking about. :wink:

Note that in your script you use -n, which is not a valid option to zypper.

On Wed 01 Oct 2014 11:56:01 PM CDT, jetchisel wrote:

> Note that in your script you use -n, which is not a valid option to
> zypper.

Hi
Ummm yes it is, -n is non-interactive coupled with in(stall), use it all
the time here…


Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
openSUSE 13.1 (Bottle) (x86_64) GNOME 3.10.1 Kernel 3.11.10-21-desktop

Right, my bad, sorry for the noise :expressionless: but if you do

zypper -n foo bar baz more

will fail because as you said “coupled with install works.”

zypper in -n foo bar baz more

I must admit I have never used the -n before, maybe because I want to see which is which that is going to get pulled by the install.

zypper -n in foo baz bar more

is the correct syntax though.

**jetchisel,** is there something that doesn't work in my script? I tested it on all of my servers and it works. I don't need to install the devel_basis pattern on any server.

If you have an easier way, tell us.

Sorry for my English.

If it works for you then nothing is wrong, I suppose. Enjoy your compiled 4.3 without the suse patches/configuration :wink: