The title says it all.

I am still vulnerable (CVE-2014-6271 and possibly CVE-2014-7169) with Ubuntu 14.04.1 and Bash 4.3-7ubuntu1.4

  • apt-get update = nothing
  • apt-get upgrade = nothing
  • apt-get install bind = nothing

Checked this: https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.4 (there are no newer versions)

Ran test:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

Get:

vulnerable
hello

Been at this for a week now!

[Update]

I originally installed bash_4.3.orig.tar.gz from https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.4 which may have been a mistake.

I did this before doing sudo apt-get update && sudo apt-get install bash would work (I think).

On this page, there are other files, bash_4.3-7ubuntu1.4.debian.tar.gz and bash_4.3-7ubuntu1.4.dsc. I do not know what to do with these. I downloaded bash_4.3-7ubuntu1.4.debian.tar.gz and looked at it, but did not know what to do with it.

I was still vulnerable according to this test: env x='() { :;}; echo vulnerable' bash -c 'echo hello'

I tried as many gyrations of apt-get, dpkg, and installing from bash_4.3.orig.tar.gz as you can imagine. Still fails the test.

I found:

  • /usr/local/bin/bash - GNU bash, version 4.3.0(1)-release (i686-pc-linux-gnu)
  • /bin/bash - GNU bash, version 4.3.11(1)-release (i686-pc-linux-gnu)

This morning, after going around for days, I finally got desperate and threw a Hail Mary and tried the script from: How do I patch the shellshock vulnerability on an obsolete Ubuntu system that I can't upgrade?

Now I have:

  • /bin/bash - GNU bash, version 4.3.27(1)-release (i686-pc-linux-gnu)

Still fails test: env x='() { :;}; echo vulnerable' bash -c 'echo hello' when I log on. So I sudo /bin/bash and tried again. Still fails.

So I tried:

sudo apt-get install --only-upgrade bash

and get...

Reading package lists... Done
Building dependency tree
Reading state information... Done
bash is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
Need to get 0 B/549 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
dpkg: error processing package bash (--configure):
 package is in a very bad inconsistent state; you should
 reinstall it before attempting configuration
Errors were encountered while processing:
 bash
E: Sub-process /usr/bin/dpkg returned an error code (1)

So I tried:

sudo apt-get install bash

and get...

Reading package lists... Done
Building dependency tree
Reading state information... Done
bash is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
Need to get 0 B/549 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
dpkg: error processing package bash (--configure):
 package is in a very bad inconsistent state; you should
 reinstall it before attempting configuration
Errors were encountered while processing:
 bash
E: Sub-process /usr/bin/dpkg returned an error code (1)

This does not surprise me of course.

Please help.

Can anyone help me force an update of both /bin/bash and /usr/local/bin/bash with a version that works? Can I use the files found on this page https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.4 or can I clean up the GNU install? As well, can bash be copied from /bin to /usr/local/bin/ (or the other way around) if I can get just one fixed?

I need strong Linux answers and not just the apt-get parrots seen everywhere please. I have read everything or dang-near everything that I can find. If you have a resource, please let me know. You may have had success, but I have had nothing but trouble.

Going into chat is fine.

closetnoc
  • Stop using cgi-bin, use SELinux, use a firewall, use a distribution with professional support. – Cyrus Sep 28 '14 at 09:31
  • @Cyrus Very helpful. I do use a firewall. I do not use CGI-BIN, but I do require CGI for other reasons. Scripts are not required to be vulnerable. In fact, SSH and other services are vulnerable. And no. I will not re-install a whole new OS on a public facing web server just because you feel SELinux is better. I am a professional. I need a reasoned and thought-out answer. – closetnoc Sep 28 '14 at 09:39
  • Take a look at: https://en.wikipedia.org/w/index.php?title=SELinux – Cyrus Sep 28 '14 at 10:33
  • There are more new bash bugs for you to fix the next days: CVE-2014-7186, CVE-2014-7187 and CVE-2014-6277. – Cyrus Sep 28 '14 at 10:48
  • @Cyrus Think of the practicality of what you are recommending. Wiping a working public facing web server with over 1 million web pages on just one site. Not a reasonable recommendation. I do not care if anyone thinks SELinux is better than Ubuntu. It may be. I will not argue that point. I have to get this working. I cannot do that amount of work only to maybe fix a problem that should be fixed already. – closetnoc Sep 28 '14 at 10:51
  • @Cyrus Oh Great!! Just what I needed. Thanks for the update! I will be checking these out. Got to go to bed soon. I have pulled a few all-nighters trying to get this (~&^?&$%#!ing thing) to this point and nothing. Very frustrating, especially when it seemed like everything that could go wrong did plus a few extras. Ubuntu issues were smooth as glass, but some of the other issues- oy vey! Too bad I don't drink. I may have to start!! You know, it would have been *MUCH(!)* easier if it were a desktop instead of a server. Had issues with the CD, and USB. Thank God for FTP and bash. – closetnoc Sep 28 '14 at 11:00
  • SELinux is not a Linux distribution; it `is a Linux kernel security module that provides the mechanism for supporting access control security policies, including United States Department of Defense–style mandatory access controls (MAC).` – Cyrus Sep 28 '14 at 11:05
  • @Cyrus I will check that out. Thank you. I know that I have HTTP filters in my firewall but for the life of me, I could not find them. In the fog, I focused on making sure that everything was up to date. I want to use the HTTP filters of course. This would solve the problem for now. I will check out your recommendation and I Thank You for it. – closetnoc Sep 28 '14 at 17:15
  • That's pretty odd, I have bash version `4.3-7ubuntu1.4` too and the command above only gives `hello`, unlike the output you described. Do you have another version of `bash` installed somewhere in your `$PATH`? (I should also add, Ubuntu includes a mandatory access control system known as AppArmor. It's not like they didn't have any.) – Yong Jie Wong Sep 28 '14 at 23:07
  • @yjwong Good suggestion about $PATH! I will check out AppArmor. When this server was first built, many of these options did not exist. I study and help design advanced AI background processes for security and oddly, I want people to attack the server, that is, to a point. I put a lot of things in the way so that I can use the data I get to study patterns. I wanted to build a new server with some of the new security that will allow me to do more and be safer. But this bash thing is a wee bit too much. I did at least run Apache under a no-privs account. Thanks for the suggestions! – closetnoc Sep 29 '14 at 00:46
  • Did you try manually doing the update described in Super User question 816787? It worked like a champ for my Ubuntu machines, about 15 min per server including VMware snapshots, with no reboot required. Hang in there! – JanFrazini Sep 28 '14 at 15:09
  • @dan I know you on Pro Webmasters of course. Do you know of anyone who can help on this? It has gotten serious. I have spent many all-nighters and I am tired. Would like to turn it back on again. If you know someone, please let me know and possibly turn them on to this question. Thanks in Advance! – closetnoc Sep 30 '14 at 23:19
  • Have you tried `apt-get purge bash` and `apt-get install bash`? –  Oct 01 '14 at 00:44
  • @JeffreyLin No. Is this safe? This is a server and I have no GUI except for Virtualmin which is sorta limited. – closetnoc Oct 01 '14 at 00:52
  • If you have a 'good' `/bin/bash` and a 'bad' `/usr/local/bin/bash`, but your PATH for that user has `/usr/local/bin/` earlier than `/bin/`, your test will continue to show the vulnerability, even if the main bash file is fixed. – unkilbeeg Oct 01 '14 at 15:45
  • @unkilbeeg Fantastic! Thank you. Good info. After a scare, I got both versions the same but not updated. Apt-get does not work because it sees bash as being up to date. Using a --reinstall does not install bash with the patches. I know how to make both versions of bash match. But I do not know what to do with bash_4.3-7ubuntu1.4.debian.tar.gz which appears to be what I need next. There is no configure script and no README with something I can grab a hold of. That is all I need now: to know how to install the contents of the gz. Then I am done! – closetnoc Oct 01 '14 at 15:55
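The PATH-shadowing problem raised in the comments above (two copies of bash, and the wrong one found first), as an added audit script that is not code from any poster in this thread. It uses only the CVE-2014-6271 test already quoted in the question and asks each binary for its own version; the function names are mine.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster): audit every bash
# binary on PATH with the CVE-2014-6271 test quoted in the question, report the
# version each binary itself claims, and mark which copy a bare "bash" resolves
# to. This is the /usr/local/bin/bash vs /bin/bash situation from the comments.

# Print every executable named "bash" on PATH, in lookup order, one per line.
list_bash_on_path() {
    # Subshell: the IFS change and disabled globbing must not leak out.
    ( set -f; IFS=:
      for dir in $PATH; do
          if [ -f "$dir/bash" ] && [ -x "$dir/bash" ]; then
              printf '%s\n' "$dir/bash"
          fi
      done )
}

# Version string that this particular binary reports, not the calling shell's.
# $BASH_VERSION typed at an interactive prompt describes the shell you are in,
# which is why checking it said 4.3.27 while the question was about another copy.
bash_version_of() {
    "$1" -c 'printf "%s\n" "$BASH_VERSION"' 2>/dev/null
}

# The CVE-2014-6271 test from the question. A patched bash refuses to run the
# command appended to the exported function definition and prints only "hello".
# Returns 0 when patched, 1 when the injected "echo vulnerable" ran.
is_patched_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo hello' 2>/dev/null || true)
    case $out in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# One tab-separated line per binary: path, version, verdict, and whether it is
# the copy PATH resolves first (a patched /bin/bash is no help if an old
# /usr/local/bin/bash comes earlier in PATH).
audit_bash_on_path() {
    list_bash_on_path | {
        rank=0
        while IFS= read -r bin; do
            rank=$((rank + 1))
            if is_patched_6271 "$bin"; then verdict=patched; else verdict=VULNERABLE; fi
            if [ "$rank" -eq 1 ]; then role=first-on-PATH; else role=shadowed; fi
            printf '%s\t%s\t%s\t%s\n' "$bin" "$(bash_version_of "$bin")" "$verdict" "$role"
        done
    }
}

# Exit status for scripts or cron: 0 only when no bash on PATH fails the test.
all_bash_on_path_patched() {
    ! audit_bash_on_path | grep -q VULNERABLE
}

audit_bash_on_path
if all_bash_on_path_patched; then
    echo "every bash on PATH passes the CVE-2014-6271 test"
else
    echo "at least one bash on PATH is still vulnerable; fix the first-on-PATH copy first"
fi
```

Run it as the same user whose login shell is in question, since the report depends on that user's PATH.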

4 Answers

Debian provides the original upstream source, then the control files and local modifications. The .orig in the filename is saying it's unmodified. The .dsc is just metadata. Inside the .debian.tar.gz file you'll find all of the patches, including the security fixes. The build process takes the original upstream, applies the patches and builds the packages from that. Debian (and Ubuntu) are strongly biased against pulling in new versions from upstream, because new versions add new bugs and regressions, not just fixes for known issues.

Running sudo apt-get install --reinstall bash should fix the issue -- the output from apt-get is telling you it didn't do an install, and proceeded to try to update configs.

If, and only if, that apt-get fails, then you want to:

  1. Ensure that you have another shell installed, so that a glitch while removing bash does not lock you out of the system; install ksh or zsh and consider temporarily setting a login-shell to one of those, so that you have a way in.
  2. sudo dpkg --remove --force-remove-reinstreq bash
  3. sudo apt-get install bash

Then, you want to start becoming more familiar with the manual-pages system used by Unix; the man command is your friend here. man apt-get and man dpkg would give you a lot of what you need here.

Phil P
  • Please forgive me. I have been semi-retired from IT for over a decade (I live in the country now [no IT work]) and spent way more time on Windows than I wanted when I was working in IT... (not my idea). I am used to bash. Is ksh or zsh similar enough that I should get by okay? Is it identical or nearly so? I am not a strong Linux user, but generally good enough. – closetnoc Oct 01 '14 at 01:28
  • Tried to install KSH and ZSH - both failed to install because of inconsistencies in bash install. But I created another user with /usr/local/bin/bash instead of /bin/bash. I used $BASH_VERSION to determine the version but it reported 4.3.27(1)-release. I assume that $BASH_VERSION picks up the /bin/bash version. If I sudo /usr/local/bin/bash --version I get 4.3.0(5)-release. I suspect that my so-called backup log-in user account is safe. – closetnoc Oct 01 '14 at 02:02
  • I also tried installing the launchpad bash-4.3 and it appears to install to - */usr/bin/install -c -m 0755 bash /usr/local/bin/bash*. That is a clue! How do I change the install location? I would like to install over the GNU copy in /bin. Then I imagine applying the .debian.tar.gz? But I do not know how. BTW- I am just east on the turnpike. – closetnoc Oct 01 '14 at 02:16
  • Use install(1) at a command prompt to install /usr/local/bin/bash to /bin/bash using a command line much like the one you quote. – Phil P Oct 01 '14 at 02:27
  • I am not sure I understand what you are saying. /usr/local/bin/bash is the okay but old version of bash while /bin/bash is the broken one. The *install* from above is from the **make install** output. Are you telling me that there is a way to in effect move/copy/install the usr/local/bin/bash over /bin/bash? Confused. – closetnoc Oct 01 '14 at 02:34
  • yes; run `man install` for instructions (sorry, on phone at big company event, please excuse brevity) – Phil P Oct 01 '14 at 03:08
  • I know it is getting late. I am usually up quite late. If you have time after the company event- please let me know. Sorry for being a pain. – closetnoc Oct 01 '14 at 03:44
  • Okay! Half way there! I did the install thing to copy the bash into /bin and then did the --reinstall thing and so far not bad. I have version GNU bash, version 4.3.11(1)-release again in /bin. Whew! Now for part 2. The .debian.tar.gz file when extracted does not have a configure file and I poked around forever trying to figure out what to do. But I have no idea. What do I run/do to install the rest?? – closetnoc Oct 01 '14 at 05:14
  • If you try again to install from source (e.g. from https://superuser.com/questions/816787/how-do-i-patch-the-shellshock-vulnerability-on-an-obsolete-ubuntu-system-that-i/816807#816807), the location is controlled from the `--prefix=` term in the `./configure` step. If you do *not* include that term it will install to `/usr/local/bin/`. The `--prefix=/` in the link will install it to `/usr/bin/`. That's still sidestepping the broken apt issue, but it will get you a current bash in both places. – unkilbeeg Oct 01 '14 at 15:32
  • When I said setting the prefix to `/` would put it in `/usr/bin/` I *meant* in `/bin/`. – unkilbeeg Oct 01 '14 at 15:42
  • @unkilbeeg I did not see these comments. They did not show up in the little red comment count/list even after a refresh. This advice in this link is what broke my bash install. If it were not for the older Ubuntu bash in /usr/local/ I would have been toast. https://superuser.com/questions/816787/how-do-i-patch-the-shellshock-vulnerability-on-an-obsolete-ubuntu-system-that-i/816807#816807 It appears that all I need now is to know how to install the contents of bash_4.3-7ubuntu1.4.debian.tar.gz from launchpad and I am done! Apt-get is not updating to the patched version no matter what I do. – closetnoc Oct 01 '14 at 16:02
  • The debian.tar.gz is a bundle of stuff used by the Debian build system, `debuild` and friends, and you really don't want to go there at this stage. Just get your system to where it's clean enough for apt-get to work and return to the safety of working with pre-built packages. The Debian packagers do good work in a timely manner. – Phil P Oct 01 '14 at 17:51
  • I am confused then. Apt-get only gets GNU bash, version 4.3.11(1)-release and updates /bin/bash while bash_4.3.orig.tar.gz installs version GNU bash, version 4.3.0(1)-release in /usr/local/bin/bash. Using launchpad, how do I update the 4.3.0(1)-release which appears that all of the bash files are installed (/usr/local)? – closetnoc Oct 01 '14 at 18:52
  • When you used the `.orig.tar.gz` you installed files into the filesystem outside of package management. As a result, nothing is keeping track of those, not launchpad, not apt, nothing; you have to clean that mess up manually. You just use `rm -v` to delete them. You need `cd /usr/local && rm -v bin/bash bin/bashbug bin/rbash info/bash.info man/man1/bash*` and there will be other doc files around too, but it's less important to remove them. – Phil P Oct 01 '14 at 19:06
  • Let's forget apt-get for now and focus on launchpad. How do I update /usr/local/bin/bash beyond version 4.3.0(1)-release using launchpad (this is where launchpad is installing to)? I have given up on apt-get having gone 'round and 'round and seeing that there are two versions installed in two locations. I want to update the one bash copy where all the bash files are- the launchpad version in /usr/local/bin/bash with version GNU bash, version 4.3.0(1)-release. I see this as my way out. From there I can simply blast the other (/bin/bash) like I did last night. – closetnoc Oct 01 '14 at 19:08
  • I am unable to explain things sufficiently clearly to help you, I'm sorry. I'm out. – Phil P Oct 01 '14 at 19:09
  • I am sorry. I hope that I did not drive you away. If you know how to get apt-get right again, I am up for that. I did not see your comment "When you used the .orig.tar.gz..." This thing is not updating the red counter at the top and unless I refresh often, I will miss something which I did. My apologies. – closetnoc Oct 01 '14 at 19:16
  • Sorry for being obtuse. Thanks again for your help. Your answer and assistance I felt was instrumental. I spent as much as 3.5 hours in chat helping someone who really did not understand a problem and it turned out to be one of the most rewarding sessions. They were clearly extremely gifted, but did not understand the technology well enough yet. They were as appreciative as I feel today. I cannot express it enough. Please, if you can, update your answer for future readers. I wrote an answer that explains things. I will gladly provide details for your answer if you need it. Again Thanks! – closetnoc Oct 01 '14 at 21:18
Seems to me that the problem is you accidentally installed a bad version of bash in /usr/local and you already have a better version in /bin. So I can't see why the answer isn't just rm /usr/local/bin/bash.

OK, that won't get rid of all the support files that came with it, but it'll make sure that the bad version can't run.

If you still have the directory where you did the make install of the bad version, you can go there and do a make uninstall to clean it all up. If you don't still have it... you can probably untar and build it again (making sure to match the ./configure arguments you used the first time) and run the make uninstall.

make uninstall should work with any GNU program that you still have the original build directory of. It's in the coding standards that all GNU source packages have to follow.

I found that apt-get install bash worked to get rid of the bug.

user373746
  • Here is what is going on that prevents apt-get from working. The copy of /bin/bash was updated, but not with the patches. The copy of /usr/local/bin/bash has not been updated at all. Apt-get looks at /bin/bash and says it is up to date and will not install no matter what I do. This is because I used the Launchpad package to install 4.3 from source before the repository was updated. I have tried many things including installing using dpkg and the source again. I am stuck and there is no real help out there for my situation. It can be solved of course, I am just not that linux strong. – closetnoc Sep 30 '14 at 15:40
Please do not up-vote this answer until the bounty has been paid, if you do.

I want to first give Thanks(!) to those who have helped me and then explain what happened and what not to do and what fixed this issue. So please bear with me. I am doing this for future users.

Give Thanks: I want to humbly Thank(!) Paul P (here) and Manfred Hampl (m-hampl) from answers.launchpad.net and apologize for being somewhat obtuse. Both helped me to solve this problem. I needed a hero and both stood up to be my hero. I Thank You both with all I have.

In fact, I Thank(!) everyone who chimed in. There was wisdom in all of it. Especially, unkilbeeg, who gave a clue that was invaluable. Of course I cannot forget Cyrus who jumped in right away and was also invaluable.

What Happened: In the fog of things, and with my significant ignorance in all things install/update and so on, I followed pages, opinions, and links and thought I was doing the right thing. In the beginning and at the time, apt-get did not have a package available and so I hovered over launchpad.net because that is where Ubuntu pointed me to.

What I did not realize was what to do with the launchpad.net resource. I installed the base install .gz file expecting an update somewhere. To make a long story short, what I did not realize is that there are .deb files on another page that should have been my focus. If you are trying to update something in Ubuntu using launchpad.net, look for an appropriate .deb file.

Between apt-get and launchpad.net, I ended up with two versions of bash that seriously confused the issue.

Worse yet, there was a proposed GNU fix, that may have been good for some, but broke bash in /bin. Thank God(!) there were two versions. Paul P helped me to fix this by issuing an install command to overwrite the GNU install.

In the end: Both Paul P and Manfred Hampl were on the same track as I bounced between two sites. Unfortunately, I was too obtuse for Paul P and I apologize for that.

What needed to be known was, $PATH was important as unkilbeeg pointed out. The only version of bash that should exist (from my understanding and remember I am obtuse), is the one in /bin and the only install that should be had are the ones you get through apt-get and optionally any deb file from launchpad.net. Both Paul P and Manfred Hampl were pointing out that the /usr/local/bin version of bash should be deleted. So that is what I did. As it turned out, while I thought I was using /usr/bin, because that is what was assigned to my user, I was actually using /local/usr/bin because it was first in my path. Good catch!

Remember this is Ubuntu advice. It may not apply to everyone.

ALWAYS(!) use apt-get first if you can. Secondly, use launchpad.net and look for the right .deb file. Do not do anything else. While GNU resources are valuable, it is best to let Ubuntu create a package for you and simply wait for it. Do not update Ubuntu from other resources unless you really know what you are doing.

Bounty: I wish I could give everyone a part of the bounty or at least divide it between Paul P and Manfred Hampl but that is impossible. I am marking Paul P as the accepted answer and ask him to update his answer for future readers. If he needs information from me, I will gladly give it.

Thanks Again: Again, I Thank(!) everyone who chimed in. Simply chiming in can be far more important than you can ever know. A simple clue can really help someone who is in trouble. The support of a community that cares is immense. Thanks again.

closetnoc