-1

What seems to be wrong with my code below? I'm downloading and patching up to patch 18, which I understand is the patch for the Shellshock vulnerability. But I still get the vulnerability when running Bash.

Download source and patches

wget http://ftp.gnu.org/gnu/bash/bash-3.1.tar.gz
wget http://ftp.gnu.org/gnu/bash/bash-3.1-patches/bash31-00{1..9} http://ftp.gnu.org/gnu/bash/bash-3.1-patches/bash31-0{10..18}

Unpack and apply patches

tar -xvf bash-3.1.tar.gz
cd bash-3.1
find ../bash31-??? -exec /bin/sh -c 'patch -p0 <{}' \;

(Aside: the find command above just happens to return a sorted list because of shell globbing, but I know this is not always true for the find command.)

Config, Make, Make Install

./configure --prefix /tmp/bash_patched && make && make install

Run bash

/tmp/bash_patched/bin/bash

The following should return /tmp/bash_patched/bin/bash 3.1.18(1)-release

echo $BASH $BASH_VERSION

Do the shellshock test

env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"

For me this returns

busted
stuff
bwDraco
Adam Terrey

3 Answers

1

The issue is in the test: /bin/sh remains vulnerable on the system until installing at the root. A better test would be

env X="() { :;} ; echo busted" /tmp/bash_patched/bin/bash -c "echo stuff"

Adam Terrey
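The point of the answer above, as an added example that is not part of the original posts: the probe only says something about the shell it actually starts, so the shell is passed in explicitly. The names shellshock_probe and make_stub_shells are hypothetical, and the two stub "shells" are constructed stand-ins so both outcomes can be seen without an unpatched bash.

```shell
#!/bin/sh
# Added example: run the question's Shellshock probe against an explicitly
# named shell instead of whatever /bin/sh happens to be.

# shellshock_probe SHELL [ARGS...]
# Prints "vulnerable" or "not vulnerable" for that exact shell command.
# Returns 2 if the shell cannot be found or executed.
shellshock_probe() {
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "cannot run: $1" >&2
        return 2
    fi
    # Same environment string and command as the test in the question;
    # only the shell being started differs. A non-zero exit from the
    # probed shell is not an error here, hence "|| true".
    out=$(env X='() { :;} ; echo busted' "$@" -c 'echo stuff' 2>/dev/null) || true
    case "$out" in
        *busted*) echo "vulnerable" ;;
        *)        echo "not vulnerable" ;;
    esac
}

# Constructed stand-ins (not real shells): "unpatched" imitates a shell that
# runs the text trailing a function definition found in X; "patched" ignores X.
# They are started as: sh FILE -c CMD, so inside them $2 is the command.
make_stub_shells() {
    printf '%s\n' 'case "$X" in "() {"*) echo busted ;; esac' 'eval "$2"' > "$1/unpatched"
    printf '%s\n' 'eval "$2"' > "$1/patched"
}

demo_dir=$(mktemp -d)
make_stub_shells "$demo_dir"
echo "stub unpatched: $(shellshock_probe sh "$demo_dir/unpatched")"
echo "stub patched:   $(shellshock_probe sh "$demo_dir/patched")"
# The question's mistake: this result describes the system shell only and
# says nothing about a bash installed under another prefix.
echo "/bin/sh:        $(shellshock_probe /bin/sh)"
rm -rf "$demo_dir"
```

To check the build from the question, call shellshock_probe /tmp/bash_patched/bin/bash.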
0

The Shellshock patches are actually 19 and 20. The wget is not downloading those. Haven't tested it yet, but changing the second command to

wget http://ftp.gnu.org/gnu/bash/bash-3.1-patches/bash31-00{1..9} http://ftp.gnu.org/gnu/bash/bash-3.1-patches/bash31-0{10..19} http://ftp.gnu.org/gnu/bash/bash-3.1-patches/bash31-020

should make it work

  • The version I'm seeing is 3-1.20(1). OK, my fault: the patches start from 18. These are actually the later updates patching the other related issues. – Dobromir Velev Sep 28 '14 at 13:43
0

Did you try looking at the script described in Super User question 816787? It worked like a champ for my Ubuntu machines, about 15 min per server including VMware snapshots, with no reboot required.

JanFrazini