
The title says it all.

I am still vulnerable (CVE-2014-6271 and possibly CVE-2014-7169) with Ubuntu 14.04.1 and Bash 4.3-7ubuntu1.4

  • apt-get update = nothing
  • apt-get upgrade = nothing
  • apt-get install bind = nothing

Checked this: https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.4 (there are no newer versions)

Ran test:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

Get:

vulnerable
hello

Been at this for a week now!

[Update]

I originally installed bash_4.3.orig.tar.gz from https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.4 which may have been a mistake.

I did this before doing sudo apt-get update && sudo apt-get install bash would work (I think).

On this page, there are other files, bash_4.3-7ubuntu1.4.debian.tar.gz and bash_4.3-7ubuntu1.4.dsc. I do not know what to do with these. I downloaded bash_4.3-7ubuntu1.4.debian.tar.gz and looked at it, but did not know what to do with it.

I was still vulnerable according to this test: env x='() { :;}; echo vulnerable' bash -c 'echo hello'

I tried as many gyrations of apt-get, dpkg, and installing from bash_4.3.orig.tar.gz as you can imagine. Still fails the test.

I found:

  • /usr/local/bin/bash - GNU bash, version 4.3.0(1)-release (i686-pc-linux-gnu)
  • /bin/bash - GNU bash, version 4.3.11(1)-release (i686-pc-linux-gnu)

This morning, after going around for days, I finally got desperate and threw a Hail Mary and tried the script from: How do I patch the shellshock vulnerability on an obsolete Ubuntu system that I can't upgrade?

Now I have:

  • /bin/bash - GNU bash, version 4.3.27(1)-release (i686-pc-linux-gnu)

Still fails test: env x='() { :;}; echo vulnerable' bash -c 'echo hello' when I log on. So I sudo /bin/bash and tried again. Still fails.

So I tried:

sudo apt-get install --only-upgrade bash

and get...

Reading package lists... Done
Building dependency tree
Reading state information... Done
bash is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
Need to get 0 B/549 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
dpkg: error processing package bash (--configure):
 package is in a very bad inconsistent state; you should
 reinstall it before attempting configuration
Errors were encountered while processing:
 bash
E: Sub-process /usr/bin/dpkg returned an error code (1)

So I tried:

sudo apt-get install bash

and get...

Reading package lists... Done
Building dependency tree
Reading state information... Done
bash is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
Need to get 0 B/549 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
dpkg: error processing package bash (--configure):
 package is in a very bad inconsistent state; you should
 reinstall it before attempting configuration
Errors were encountered while processing:
 bash
E: Sub-process /usr/bin/dpkg returned an error code (1)

This does not surprise me of course.

Please help.

Can anyone help me force an update of both /bin/bash and /usr/local/bin/bash with a version that works? Can I use the files found on this page https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.4 or can I clean up the GNU install?? As well, can bash be copied from /bin to /usr/local/bin/ (or the other way around) if I can get just one fixed?

I need strong Linux answers and not just the apt-get parrots seen everywhere please. I have read everything or dang-near everything that I can find. If you have a resource, please let me know. You may have had success, but I have had nothing but trouble.

Going into chat is fine.
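An added example, not part of the original question: it runs the same check quoted above against every copy of bash on PATH, in PATH order, instead of whichever one happens to resolve first. The thread's eventual diagnosis was two bash binaries with /usr/local/bin ahead of /bin in $PATH, which is exactly what this audit surfaces. It assumes only POSIX sh; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original question: audit every "bash"
# found on PATH. Shows which copy actually runs first, what each one reports
# as its version, and whether the CVE-2014-6271 check quoted in the question
# ("env x='() { :;}; echo vulnerable' bash -c 'echo hello'") trips on it.

# Print each executable named "bash" in PATH order. Takes an optional
# PATH-like string as $1 so it can be exercised against a constructed path;
# defaults to the real PATH. The first line printed is what "bash" resolves to.
bash_candidates() {
    _path=${1:-$PATH}
    _oldifs=$IFS
    IFS=:
    for _dir in $_path; do
        if [ -n "$_dir" ] && [ -x "$_dir/bash" ]; then
            printf '%s\n' "$_dir/bash"
        fi
    done
    IFS=$_oldifs
}

# Classify the output of the test command: a fixed bash prints only "hello";
# an unpatched one also prints "vulnerable", because the function body in the
# environment variable was executed while the environment was imported.
classify_output() {
    case "$1" in
        *vulnerable*) printf 'VULNERABLE\n' ;;
        *hello*)      printf 'patched\n' ;;
        *)            printf 'no-output (not bash or failed to run)\n' ;;
    esac
}

# Run the check from the question against one specific binary ($1) rather
# than whatever "bash" resolves to, so every copy on the box is covered.
check_binary() {
    _out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo hello' 2>/dev/null)
    classify_output "$_out"
}

# Report: path, version as the binary itself reports it, and the check result.
# On Ubuntu the dpkg-managed copy is /bin/bash; anything earlier on PATH
# (e.g. /usr/local/bin/bash from a "make install") is what the user really
# gets, which is the trap this thread describes.
audit_bash() {
    _first=1
    for _b in $(bash_candidates "$1"); do
        _ver=$("$_b" -c 'echo "$BASH_VERSION"' 2>/dev/null)
        _note=''
        if [ "$_first" = 1 ]; then
            _note=' (first on PATH: this is what "bash" runs)'
            _first=0
        fi
        printf '%s  version=%s  %s%s\n' "$_b" "${_ver:-?}" "$(check_binary "$_b")" "$_note"
    done
}

audit_bash
```

Run it once as the normal user and once under sudo: the two runs can differ because sudo resets PATH, which is why the question's "sudo /bin/bash" test and the login-shell test disagreed.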

  • Stop using cgi-bin, use SELinux, use a firewall, use a distribution with professional support.
    – Cyrus
    Commented Sep 28, 2014 at 9:31
  • @Cyrus Very helpful. I do use a firewall. I do not use CGI-BIN, but I do require CGI for other reasons. Scripts are not required to be vulnerable. In fact, SSH and other services are vulnerable. And no. I will not re-install a whole new OS on a public facing web server just because you feel SELinux is better. I am a professional. I need a reasoned and thought-out answer.
    – closetnoc
    Commented Sep 28, 2014 at 9:39
  • Take a look at: en.wikipedia.org/w/index.php?title=SELinux
    – Cyrus
    Commented Sep 28, 2014 at 10:33
  • There are more new bash bugs for you to fix the next days: CVE-2014-7186, CVE-2014-7187 and CVE-2014-6277.
    – Cyrus
    Commented Sep 28, 2014 at 10:48
  • SELinux is no Linux distribution; it is a Linux kernel security module that provides the mechanism for supporting access control security policies, including United States Department of Defense–style mandatory access controls (MAC).
    – Cyrus
    Commented Sep 28, 2014 at 11:05

4 Answers


Debian provides the original upstream source, then the control files and local modifications. The .orig in the filename is saying it's unmodified. The .dsc is just metadata. Inside the .debian.tar.gz file you'll find all of the patches, including the security fixes. The build process takes the original upstream, applies the patches and builds the packages from that. Debian (and Ubuntu) bias strongly against pulling in new versions from upstream, because new versions add new bugs and regressions, not just fixing known issues.

Running sudo apt-get install --reinstall bash should fix the issue -- the output from apt-get is telling you it didn't do an install, and proceeded to try to update configs.

If, and only if, that apt-get fails, then you want to:

  1. Ensure that you have another shell installed, so that a glitch while removing bash does not lock you out of the system; install ksh or zsh and consider temporarily setting a login-shell to one of those, so that you have a way in.
  2. sudo dpkg --remove --force-remove-reinstreq bash
  3. sudo apt-get install bash

Then, you want to start becoming more familiar with the manual-pages system used by Unix; the man command is your friend here. man apt-get and man dpkg would give you a lot of what you need here.

  • Please forgive me. I have been semi-retired from IT for over a decade (I live in the country now [no IT work]) and spent way more time on windows than I wanted when I was working in IT... (not my idea). I am used to bash. Is ksh or zsh similar enough that I should get by okay? Is it identical or nearly so? I am not a strong Linux user, but generally good enough.
    – closetnoc
    Commented Oct 1, 2014 at 1:28
  • Tried to install KSH and ZSH - both failed to install because of inconsistencies in bash install. But I created another user with /usr/local/bin/bash instead of /bin/bash. I used $BASH_VERSION to determine the version but it reported 4.3.27(1)-release. I assume that $BASH_VERSION picks up the /bin/bash version. If I sudo /usr/local/bin/bash --version I get 4.3.0(5)-release. I suspect that my so-called backup log-in user account is safe.
    – closetnoc
    Commented Oct 1, 2014 at 2:02
  • I also tried installing the launchpad bash-4.3 and it appears to install to - /usr/bin/install -c -m 0755 bash /usr/local/bin/bash. That is a clue! How do I change the install location? I would like to install over the GNU copy in /bin. Then I imagine applying the .debian.tar.gz? But I do not know how. BTW- I am just east on the turnpike.
    – closetnoc
    Commented Oct 1, 2014 at 2:16
  • use install(1) at a command prompt to install /usr/local/bin/bash to /bin/bash using a command-line much like the one you quote
    – Phil P
    Commented Oct 1, 2014 at 2:27
  • I am not sure I understand what you are saying. /usr/local/bin/bash is the okay but old version of bash while /bin/bash is the broken one. The install from above is from the make install output. Are you telling me that there is a way to in effect move/copy/install the usr/local/bin/bash over /bin/bash? Confused.
    – closetnoc
    Commented Oct 1, 2014 at 2:34
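The recovery sequence from this answer, as an added example script (not Phil P's own code), with the checks a careful admin would run first: confirm that a fallback shell is on PATH, read the dpkg flag behind the "very bad inconsistent state" message, and print the commands by default (DRY_RUN=1) instead of running them. The function names and the DRY_RUN variable are this example's own assumptions; the apt-get and dpkg commands are the ones the answer gives.

```shell
#!/bin/sh
# Added example, not Phil P's own script: the recovery sequence from the
# answer above, wrapped in the checks a careful admin would run first.
# Prints the commands by default (DRY_RUN=1); set DRY_RUN=0 to run them as root.

DRY_RUN=${DRY_RUN:-1}

# dpkg records a package as "want flag status", e.g. "install ok installed".
# The "package is in a very bad inconsistent state" error in the question is
# dpkg reporting the flag "reinstreq", which is exactly what
# --force-remove-reinstreq overrides. Returns 0 when a reinstall is required.
needs_reinstall() {
    set -- $1              # split the status line into its three words
    [ "$2" = "reinstreq" ]
}

# Current dpkg status line of a package; empty if dpkg does not know it.
pkg_status() {
    dpkg-query -W -f='${Status}' "$1" 2>/dev/null
}

# First shell from the candidate list that exists on PATH; empty if none.
# This is step 1 of the answer: a way back in if removing bash goes wrong.
# /bin/sh (dash on Ubuntu) is always present and is enough for a login.
fallback_shell() {
    for _s in $1; do
        _p=$(command -v "$_s" 2>/dev/null) && { printf '%s\n' "$_p"; return 0; }
    done
    return 1
}

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf 'would run: %s\n' "$*"; else "$@"; fi
}

recover_bash() {
    _fb=$(fallback_shell "zsh ksh dash sh") || {
        echo "no fallback shell found on PATH; install zsh or ksh before touching bash" >&2
        return 1
    }
    echo "fallback shell available: $_fb (give at least one login that shell first)"
    # The reinstall the answer recommends. In dry-run mode we cannot know
    # whether it would succeed, so the forced path below is shown as well.
    if run apt-get install --reinstall bash && [ "$DRY_RUN" != 1 ]; then
        return 0
    fi
    # Steps 2 and 3 of the answer, only when dpkg itself reports the
    # reinstreq flag; otherwise a forced remove is not warranted.
    if needs_reinstall "$(pkg_status bash)"; then
        run dpkg --remove --force-remove-reinstreq bash
        run apt-get install bash
    else
        echo "dpkg does not flag bash as reinstreq; skipping the forced remove" >&2
    fi
}

recover_bash
```

Run it as root with DRY_RUN=0 only after the dry-run output shows the expected commands; the --force-remove-reinstreq step is the one that bypasses dpkg's own consistency check, which is why the script refuses it unless dpkg-query actually reports the reinstreq flag.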

Seems to me that the problem is you accidentally installed a bad version of bash in /usr/local and you already have a better version in /bin. So I can't see why the answer isn't just rm /usr/local/bin/bash

OK, that won't get rid of all the support files that came with it, but it'll make sure that the bad version can't run.

If you still have the directory where you did the make install of the bad version, you can go there and do a make uninstall to clean it all up. If you don't still have it... you can probably untar and build it again (making sure to match the ./configure arguments you used the first time) and run the make uninstall.

make uninstall should work with any GNU program that you still have the original build directory of. It's in the coding standards that all GNU source packages have to follow.


I found that Apt-get install bash worked to get rid of the bug

  • Here is what is going on that prevents apt-get from working. The copy of /bin/bash was updated, but not with the patches. The copy of /usr/local/bin/bash has not been updated at all. Apt-get looks at /bin/bash and says it is up to date and will not install no matter what I do. This is because I used the Launchpad package to install 4.3 from source before the repository was updated. I have tried many things including installing using dpkg and the source again. I am stuck and there is no real help out there for my situation. It can be solved of course, I am just not that linux strong.
    – closetnoc
    Commented Sep 30, 2014 at 15:40

Please do not up-vote this answer until the bounty has been paid- if you do.

I want to first give Thanks(!) to those who have helped me and then explain what happened and what not to do and what fixed this issue. So please bear with me. I am doing this for future users.

Give Thanks: I want to humbly Thank(!) Paul P (here) and Manfred Hampl (m-hampl) from answers.launchpad.net and apologize for being somewhat obtuse. Both helped me to solve this problem. I needed a hero and both stood up to be my hero. I Thank You both with all I have.

In fact, I Thank(!) everyone who chimed in. There was wisdom in all of it. Especially, unkilbeeg, who gave a clue that was invaluable. Of course I cannot forget Cyrus who jumped in right away and was also invaluable.

What Happened: In the fog of things, and with my significant ignorance in all things install/update and so on, I followed pages, opinions, and links and thought I was doing the right thing. In the beginning and at the time, apt-get did not have a package available and so I hovered over launchpad.net because that is where Ubuntu pointed me to.

What I did not realize was what to do with the launchpad.net resource. I installed the base install .gz file expecting an update somewhere. To make a long story short, what I did not realize is that there are .deb files on another page that should have been my focus. If you are trying to update something in Ubuntu using launchpad.net, look for an appropriate .deb file.

Between apt-get and launchpad.net, I ended up with two versions of bash that seriously confused the issue.

Worse yet, there was a proposed GNU fix, that may have been good for some, but broke bash in /bin. Thank God(!) there were two versions. Paul P helped me to fix this with issuing an install command to overwrite the GNU install.

In the end: Both Paul P and Manfred Hampl were on the same track as I bounced between two sites. Unfortunately, I was too obtuse for Paul P and I apologize for that.

What needed to be known was, $PATH was important as unkilbeeg pointed out. The only version of bash that should exist (from my understanding and remember I am obtuse), is the one in /bin and the only install that should be had are the ones you get through apt-get and optionally any deb file from launchpad.net. Both Paul P and Manfred Hampl were pointing out that the /usr/local/bin version of bash should be deleted. So that is what I did. As it turned out, while I thought I was using /usr/bin, because that is what was assigned to my user, I was actually using /local/usr/bin because it was first in my path. Good catch!

Remember this is Ubuntu advice. It may not apply to everyone.

ALWAYS(!) use apt-get first if you can. Secondly, use launchpad.net and look for the right .deb file. Do not do anything else. While GNU resources are valuable, it is best to let Ubuntu create a package for you and simply wait for it. Do not update Ubuntu from other resources unless you really know what you are doing.

Bounty: I wish I could give everyone a part of the bounty or at least divide it between Paul P and Manfred Hampl but that is impossible. I am marking Paul P as the accepted answer and ask him to update his answer for future readers. If he needs information from me, I will gladly give it.

Thanks Again: Again, I Thank(!) everyone who chimed in. Simply chiming in can be far more important than you can ever know. A simple clue can really help someone who is in trouble. The support of a community that cares is immense. Thanks Again
