Fedora 17 Shellshock fix (until official F17 bugfix RPM is released)

Updated Sep 29 to include most recent patches.

Why can't I just release my own (fixed) ready-to-use rpm package? Because how would you know I am not taking advantage of the panic and posting a compromised one? Use only official resources!

I assume you have the newest available bash-4.2.39-3.fc17.i386 installed and that the fix for Fedora 17 has still not been released by the Fedora team. Run

rpm -q bash

to check.

0. Check if you are vulnerable

foo='() { echo not patched; }' bash -c foo

(you are: the output is)

not patched

1. Download bash source rpm and install it
(you will need to use admin/root account from now on)

yumdownloader --source bash
rpm -i bash-4.2.39-3.fc17.src.rpm

2. Go to the sources and download the Shellshock patches

cd /root/rpmbuild/SOURCES/
wget http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-048
wget http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-049
wget http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-050

3. Hand-edit the patches

vim bash42-048

(yes, use your favorite editor :)

and change the line (at the bottom of the file) saying

#define PATCHLEVEL 47

to

#define PATCHLEVEL 39

This is because you are patching version 39, not 47; we ignore patches 40..47 for the time being.

4. Install required third-party packages
On my machine these were: texinfo bison ncurses-devel autoconf

yum install texinfo bison ncurses-devel autoconf

Your mileage may vary (I had most of the development environment in place already, so you may need more, like gcc).

5. Edit the spec file that describes the build process
We need to let it know it needs to pick up the new patches

cd /root/rpmbuild/SPECS
vim bash.spec

below the line

Patch039: ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-039

add

Patch048: ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-048
Patch049: ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-049
Patch050: ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-050

and below the line

%patch039 -p0 -b .039

add

%patch048 -p0 -b .048
%patch049 -p0 -b .049
%patch050 -p0 -b .050

6. Rebuild the bash package

rpmbuild -bb bash.spec

Resolve any missing dependencies (go back to #5 if needed).
When done, wait until rpmbuild says

Wrote: /root/rpmbuild/RPMS/i386/bash-4.2.39-3.fc17.i386.rpm

This is what you need!

7. Install new package

rpm -Uhv /root/rpmbuild/RPMS/i386/bash-4.2.39-3.fc17.i386.rpm --force

You will need --force since you are updating bash-4.2.39-3 with (your own) bash-4.2.39-3

8. Now check if you are still vulnerable

foo='() { echo not patched; }' bash -c foo

If it says:


bash: foo: command not found

You are done!

PS. This should work for Fedora 18 as well; you will just use bash-4.2.45-1.fc18 instead, and insert PATCHLEVEL 45 instead of 39 in #3 of the instructions. Using the same scheme I have also patched ancient Fedora 11.
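
Steps 3 and 5 above are hand edits. As an added example (not part of the original post), here are the same two edits scripted so they can be repeated identically on several machines and refuse to run when the expected line is missing. The function names are hypothetical, and the demo at the end works on small constructed stand-ins for bash42-048 and bash.spec, not the real files.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample files are constructed.

# Step 3: change the "old" PATCHLEVEL a patch expects, e.g. 47 -> 39.
retarget_patchlevel() {   # usage: retarget_patchlevel FILE OLD NEW
    grep -q "#define PATCHLEVEL $2\$" "$1" || return 1   # expected line missing
    sed "s/\(#define PATCHLEVEL \)$2\$/\1$3/" "$1" > "$1.new" && mv "$1.new" "$1"
}

# Step 5: after the PatchBASE / %patchBASE lines, add one line per new patch.
add_spec_patches() {      # usage: add_spec_patches SPEC BASE NUM...
    spec=$1; base=$2; shift 2
    grep -q "^Patch$1:" "$spec" && return 0              # already added: no-op
    awk -v base="$base" -v nums="$*" '
        BEGIN { n = split(nums, p, " ") }
        { print }
        $1 == ("Patch" base ":") {        # reuse the URL prefix of the spec line
            url = $2; sub(/[0-9]+$/, "", url)
            for (i = 1; i <= n; i++) print "Patch" p[i] ": " url p[i]
        }
        $1 == ("%patch" base) {
            for (i = 1; i <= n; i++) print "%patch" p[i] " -p0 -b ." p[i]
        }' "$spec" > "$spec.new" && mv "$spec.new" "$spec"
}

# Constructed stand-ins for the tail of bash42-048 and a fragment of bash.spec.
make_sample() {           # usage: make_sample DIR
    cat > "$1/bash42-048" <<'EOF'
! #define PATCHLEVEL 47
--- 26,30 ----
! #define PATCHLEVEL 48
EOF
    cat > "$1/bash.spec" <<'EOF'
Patch039: ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-039
%patch039 -p0 -b .039
EOF
}

# Demo on the constructed files; on a real system pass the files under
# /root/rpmbuild/SOURCES and /root/rpmbuild/SPECS instead.
demo_dir=$(mktemp -d) && make_sample "$demo_dir"
retarget_patchlevel "$demo_dir/bash42-048" 47 39
add_spec_patches "$demo_dir/bash.spec" 039 048 049 050
cat "$demo_dir/bash42-048" "$demo_dir/bash.spec"
```

Only the line ending in 47 is rewritten; the PATCHLEVEL 48 line the patch installs is left alone, and running add_spec_patches a second time does not duplicate the spec entries.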


2 Responses to Fedora 17 Shellshock fix (until official F17 bugfix RPM is released)

  1. Richard Salt says:

    Many thanks for the excellent walk-through Jan. Very clear & concise. I manage quite a large number of Fedora 17 VMs so this has saved my life!

    My only difference is that I use 64 bit Fedora, so I ended up with an rpm here:
    /root/rpmbuild/RPMS/x86_64/bash-4.2.39-3.fc17.x86_64.rpm

    If it helps anyone else, I set up a dev machine to create the rpm like this:
    yum groupinstall "Development Tools" "Development Libraries"
    yum install yum-utils

  2. Vincent Tam says:

    Thanks for your post! I’ve fixed it.
