LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 09-26-2014, 12:36 PM   #1
Diggy
Member
 
Registered: Jan 2009
Posts: 47

Rep: Reputation: 17
Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - legacy system patch help


All,

I have a legacy system running conary that I can't easily replace. Now that rPath is gone, the repositories are stale. I've tested the installed version of bash, and it's vulnerable. There is a patch available for the version that's running. My questions:

1) Can I patch an installed version, or must I patch the source, then install from source (hope it's the former!)?;

2) What is the specific command to apply the patch? I assume I have to aim the patch at something.

Any help would be greatly appreciated.

Thanks.

Diggy
 
Old 09-26-2014, 12:51 PM   #2
coralfang
Member
 
Registered: Nov 2010
Location: Bristol, UK
Distribution: Slackware, FreeBSD
Posts: 770
Blog Entries: 3

Rep: Reputation: 255Reputation: 255Reputation: 255
You have to apply the patch to source code.

For patching, you can usually just apply it like this:
Code:
# patch -Np1 < this-file-is-a-patch.patch
The steps typically follow this in most cases;
Code:
# tar -xvf bash-4.3.tar.gz
# mv this-file-is-a-patch.patch bash-4.3/ && cd bash-4.3/
# patch -Np1 < this-file-is-a-patch.patch
# make && make install

Last edited by coralfang; 09-26-2014 at 12:53 PM.
 
Old 09-26-2014, 01:02 PM   #3
Diggy
Member
 
Registered: Jan 2009
Posts: 47

Original Poster
Rep: Reputation: 17
Thank you, coralfang.
 
Old 09-26-2014, 01:06 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592
Quote:
Originally Posted by Diggy View Post
I have a legacy system running conary that I can't easily replace. Now that rPath is gone, the repositories are stale.
I'm sorry to inform you that SAS took over rPath two years ago. If the fact this system wasn't migrated also implies it has been vulnerable for everything that occurred the past two years then you've got bigger problems on your hands than just patching. Just saying.


Quote:
Originally Posted by Diggy View Post
Can I patch an installed version, or must I patch the source, then install from source (hope it's the former!)?;
If you can't create conary packages yourself then indeed it's the latter.


//Ah, I see this was answered already, bit late, but I'll keep it in.
Quote:
Originally Posted by Diggy View Post
What is the specific command to apply the patch?
- Enter an unprivileged user account,
- Download the source of your Bash version, unpack it and cd into the directory,
- Download the most recent patch for your Bash version from https://ftp.gnu.org/pub/gnu/bash/bash-*-patches/,
- Verify its signature,
- Then run 'cat bash43-001 | patch -p0', followed by the usual './configure; make install',
- Test.

Last edited by unSpawn; 09-26-2014 at 01:07 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Shellshock update: bash packages that resolve CVE-2014-6271 and CVE-2014-7169 available LXer Syndicated Linux News 1 09-26-2014 01:43 PM
LXer: Flaw CVE-2014-6271 discovered in the Bash shell — update your Fedora systems LXer Syndicated Linux News 0 09-25-2014 04:41 AM
[SOLVED] CVE-2014-0224 vulnerability joraymasalvan Linux - Newbie 3 06-18-2014 08:26 PM
CVE-2014-0160: Heartbleed Bug: OpenSSL Vulnerability tronayne Linux - Security 66 04-21-2014 03:13 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:06 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration