Okay this sort of works:
=================
What are we running?:
-----------------------------
# bash --version
GNU bash, version 3.00.14(1)-release (i686-redhat-linux-gnu)
Funky install
----------------
# smart install
http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/bash-3.0-27.0.2.el4.i386.rpm
# rpm -Uhv bash-3.0-27.0.2.el4.i386.rpm
Did we upgrade it? (Yes)
-------------------------------
# bash --version
GNU bash, version 3.00.15(1)-release (i686-redhat-linux-gnu)
Does it pass the test? (Yes. It's fixed)
------------------------------------------------
# env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
Notes:
--------
1. The "smart install" fails because there is no DSA key stored in EFW for the Oracle repository ...but it fetched the RPM
2. The "rpm -U" cannot fetch the file from Oracle (you get an "import read failed(-1).")
3. "rpm -U" will however install from the local copy retrieved from the "smart install"
4. bash 3.0 aligns with RedHat Version 4. (3.2 is RH5, 4.1 is RH6, 4.2 is RH7)
https://access.redhat.com/articles/1200223 ...but RH4 is no longer supported by RH, so that's why we have to get it from Oracle.
5. The downloaded bash is for "Red Hat Enterprise Linux 4" (EL4) but it should be the same for all RH4 variants (??).
6. Review the source at
https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.0.2.el4.src.rpm
7. This was tested on 2.2.rc3 only - your experience may vary.
...so I volunteered...now you can bitch at me...someone please check my work before it corrupts all of your EFWen.
I saw that Oracle patch, but I don't like to add rpm's from vanilla redhat. To fetch things you can also use
curl -O <URL>
The thing is, sometimes Endian uses strange paths for many files; they tweaked many rpm sources to point to different paths.
But if you don't see anything wrong it's ok. Good work finding it, now we have the bash-3.0-deanstyles version.
Just an added thing. The Shellshock bug is more than this line; there are at least 4 tests you must pass (see
http://en.wikipedia.org/wiki/Shellshock_(software_bug) ):
CVE-2014-6271 Test 1:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Expected result: Do not see vulnerable on screen.
CVE-2014-7169 Test 2:
env X='() { (a)=>\' sh -c "echo date"; cat echo
Expected result: Do not see the current date on screen. No such file or directory.
CVE-2014-7186 Test 3:
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' ||echo "CVE-2014-7186 vulnerable, redir_stack"
Expected result: empty output.
CVE-2014-7187 Test 4:
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"
Expected result:
If bash fails on one of them, you are still vulnerable to Shellshock.
There is also a script around to check this, bashcheck:
https://github.com/hannob/bashcheck/blob/master/bashcheck
I'm rebuilding the RPMs for bash, using the original Endian bash package, just adding the patches.
I'm on Endian 2.4.0, and it successfully passed the 4 tests. Once I've finished packaging and reviewing, I'll rebuild it on 2.5.2 and 3.0.0; it is probably the very same package on all 3.
I attached a screen of the actual result on my compiled bash:
http://imgur.com/S9xp2OH
Now that I saw your Oracle SRC package, I'll try to add other patches that I saw in your package but didn't see in Endian's bash. Maybe they are other patches not related to Shellshock but still useful.
Regards.
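The four checks quoted earlier in the thread (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187), combined into one script so a rebuilt bash RPM can be verified in one go. This is an added example, not code from the thread, from Endian or from the bashcheck project; it assumes the bash under test is on PATH (or is passed as the first argument), that `env` and `mktemp` exist, and that the script is run with a POSIX sh. It prints one line per CVE and returns the number of checks that failed, so 0 means all four passed.

```shell
#!/bin/sh
# Added example (not from the thread): run the four Shellshock checks against
# one bash binary and report per CVE. Assumptions: the binary under test is on
# PATH or given as $1 (default "bash"); env and mktemp are available.
# Return value of shellshock_check = number of checks that failed (0 = clean).

shellshock_check() {
    bin="${1:-bash}"
    vuln=0
    command -v "$bin" >/dev/null 2>&1 || { echo "$bin: not found" >&2; return 255; }

    # CVE-2014-6271: a command appended to an imported function definition
    # must not run. A patched bash warns and ignores the definition.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo hello' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "CVE-2014-6271: VULNERABLE"; vuln=$((vuln + 1)) ;;
        *)            echo "CVE-2014-6271: ok" ;;
    esac

    # CVE-2014-7169: the parser bug turns the stray '>\' into a redirection,
    # so a file literally named "echo" appears in the working directory.
    # Run in a scratch directory so nothing is left behind either way.
    tmp=$(mktemp -d)
    ( cd "$tmp" && env X='() { (a)=>\' "$bin" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        echo "CVE-2014-7169: VULNERABLE"; vuln=$((vuln + 1))
    else
        echo "CVE-2014-7169: ok"
    fi
    rm -rf "$tmp"

    # CVE-2014-7186: 14 unterminated here-documents overflow redir_stack in an
    # unpatched bash (crash, non-zero exit); a patched one only warns on
    # stderr and `true` exits 0.
    hd=''; i=0
    while [ "$i" -lt 14 ]; do hd="$hd <<EOF"; i=$((i + 1)); done
    if "$bin" -c "true$hd" >/dev/null 2>&1; then
        echo "CVE-2014-7186: ok"
    else
        echo "CVE-2014-7186: VULNERABLE"; vuln=$((vuln + 1))
    fi

    # CVE-2014-7187: 200 nested 'for' loops overflow word_lineno in an
    # unpatched bash; a patched one parses them (empty word lists) and exits 0.
    if {
        i=1; while [ "$i" -le 200 ]; do printf 'for x%s in ; do :\n' "$i"; i=$((i + 1)); done
        i=1; while [ "$i" -le 200 ]; do printf 'done\n'; i=$((i + 1)); done
    } | "$bin" >/dev/null 2>&1; then
        echo "CVE-2014-7187: ok"
    else
        echo "CVE-2014-7187: VULNERABLE"; vuln=$((vuln + 1))
    fi

    return "$vuln"
}

# Usage (file name is hypothetical): sh shellshock_check.sh [/path/to/bash]
shellshock_check "$@"
```

Point it at the freshly installed binary (for example `/bin/bash`) after the `rpm -Uhv` step; a non-zero return means at least one of the four checks still fails on that build.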