Patch old Fedora 8 server for Shellshock Bash bug

by Thomas Beutel

I had an old Fedora 8 server running legacy code that I needed to patch for the Shellshock Bash bug. I proved that bash was vulnerable by running this command:

env X="() { :; } ; echo busted" /bin/bash -c "echo stuff"

I saw the word “busted” in the output, meaning I needed to upgrade bash.

While newer systems have a patch available, I was not able to find one for Fedora 8, so I patched it manually by building a patched version of bash 4.2. Here is what I did:

yum install bison # in case yacc is not installed

cd /usr/src

curl -O http://ftp.gnu.org/gnu/bash/bash-4.2.tar.gz
tar xvfz bash-4.2.tar.gz
cd bash-4.2

# apply the official patches in order; numbering starts at bash42-001 (there is no bash42-000)
for i in $(seq -f "%03g" 1 48); do curl https://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-$i | patch -p0; done

./configure --prefix=/usr \
--bindir=/bin \
--htmldir=/usr/share/doc/bash-4.2 \
--without-bash-malloc \
--with-installed-readline

make && make install

Once this was done, I ran the following command again:

env X="() { :; } ; echo busted" /bin/bash -c "echo stuff"

The output now reports an error, showing that bash is patched.

/bin/bash: warning: X: ignoring function definition attempt
/bin/bash: error importing function definition for `X'

Your mileage may vary. As with all updates of this sort, be sure you have a backup plan in case something goes awry.
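
An added example, not part of the original post: a POSIX sh script that repeats the test command above against each bash binary it finds, since the build above only replaces the copy at /bin/bash. The list of candidate paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example: re-run the post's Shellshock test against every bash binary.
# The candidate paths in check_all are assumptions; adjust them for the host.

# classify_probe OUTPUT -> prints "vulnerable" or "patched".
# The shell is vulnerable only if the command trailing the function body ran,
# i.e. the output contains a line that is exactly "busted".
classify_probe() {
    if printf '%s\n' "$1" | grep -qx 'busted'; then
        echo vulnerable
    else
        echo patched
    fi
}

# probe_shell PATH -> runs the post's test command with PATH as the shell.
probe_shell() {
    out=$(env X='() { :; } ; echo busted' "$1" -c 'echo stuff' 2>&1) || true
    case "$out" in
        *stuff*) classify_probe "$out" ;;
        *) echo error ;;   # the shell never ran the -c command
    esac
}

# check_all: probe each bash binary found; returns 1 if any is not patched.
check_all() {
    rc=0
    for sh in /bin/bash /usr/bin/bash /usr/local/bin/bash /bin/sh; do
        [ -x "$sh" ] || continue
        # only bash imports functions from the environment; skip other shells
        "$sh" --version 2>/dev/null | grep -q 'GNU bash' || continue
        result=$(probe_shell "$sh")
        echo "$sh: $result"
        [ "$result" = patched ] || rc=1
    done
    return $rc
}

check_all || echo "at least one bash binary still needs patching"
```

A patched build that prints the "ignoring function definition attempt" warning is still reported as patched, because only an exact "busted" line counts as a hit.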