CVE-2014-6271 “Shell Shock”: Compiling Bash for older Linux systems (Debian 4, Debian 6, RHEL 4 etc)

Hello,

Since this “new” (22-year-old) bug was found in Bash our company has worked hard since yesterday afternoon until now.
We have some very old systems running on RedHat Enterprise Linux 4 (RHEL 4) and some older Debian machines running for example Debian 4 etch and so on.

Here is some quick notes to help you out.

RHEL 4/CentOS 4
Firstly, you need Yum to install GCC (if you don’t have it already). We have found that this one usually works fine (after fixing some dependency packages).
http://pkgs.repoforge.org/yum/yum-2.4.2-0.4.el4.rf.noarch.rpm

The dependencies that was used to fix this issue is.
python-urlgrabber-2.9.7-1.2.el4.rf.noarch.rpm
python-sqlite-1.1.7-0.1.2.2.el4.i386.rpm
python-elementtree-1.2.6-7.el4.rf.i386.rpm

Note that this is for i386!
I will include a list below of all the mirrors where I found these, so that you can grab for other architectures.
yum mirror
python-sqlite mirror
python-urlgrabber mirror
python-elementtree mirror

I have made a mirror of all above RPM’s.
Here: yum.tar.gz

/etc/yum.conf for RHEL 4/CentOS 4.

[base]
name=CentOS-$releasever - Base
baseurl=http://vault.centos.org/4.0/os/$basearch/
gpgcheck=1
gpgkey=http://vault.centos.org/RPM-GPG-KEY-centos4
protect=1
priority=1

#released updates
[update]
name=CentOS-$releasever - Updates
baseurl=http://vault.centos.org/4.0/updates/$basearch/
gpgcheck=1
gpgkey=http://vault.centos.org/RPM-GPG-KEY-centos4
protect=1
priority=1

#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
baseurl=http://vault.centos.org/4.0/addons/$basearch/
gpgcheck=1
gpgkey=http://vault.centos.org/RPM-GPG-KEY-centos4
protect=1
priority=1

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
baseurl=http://vault.centos.org/4.0/extras/$basearch/
gpgcheck=1
gpgkey=http://vault.centos.org/RPM-GPG-KEY-centos4
protect=1
priority=1

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
baseurl=http://vault.centos.org/4.0/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=http://vault.centos.org/RPM-GPG-KEY-centos4
protect=1
priority=2

#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
baseurl=http://vault.centos.org/4.0/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=http://vault.centos.org/RPM-GPG-KEY-centos4
protect=1
priority=2

Then you can download and compile Bash, as below.

mkdir -p /usr/src/bash
cd /usr/src/bash
wget ftp://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
gunzip bash-4.3.tar.gz
tar xvf bash-4.3.tar
cd bash-4.3
wget ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025
patch -p0 -i bash43-025
sed -i "s/\#define PATCHLEVEL 0/\#define PATCHLEVEL 25/g" patchlevel.h
./configure --prefix=/usr --bindir=/bin --docdir=/usr/share/doc/bash-4.3 --without-bash-malloc --with-installed-readline
make
make install

You can then verify it by running the new Bash binary and confirming that it’s fixed.

bash
bash --version
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

The last row will say “vulnerable” if you are vulnerable, else it will tell you some warnings.

Debian 4 and older/newer
See the compilation like above.

Debian 6 Squeeze
Easiest way is to add the LTS repository that is still maintained.
I.e changing in your /etc/apt/sources.list from

deb http://ftp.sunet.se/pub/Linux/distributions/debian/ squeeze main contrib non-free

to

deb http://ftp.sunet.se/pub/Linux/distributions/debian/ squeeze-lts main contrib non-free

and then updating by using apt.
(apt-get update; apt-get upgrade)

I will keep this post updated as I go along.
/Trigger

Keywords: CVE-2014-6271, Shell Shock, #bashbug, bash exploit, debian 4 etch, debian 6 squeeze, rhel 4, centos 4

0 Comments

Leave a Reply

Your email address will not be published.