[blfs-support] Important: Fix for shellshock bash bug

Jamenson Ferreira Espindula de Almeida Melo jafesp at gmail.com
Fri Sep 26 14:40:05 PDT 2014

Jaboatão dos Guararapes, PE, September 26, 2014.

Subject: Fix for shellshock bash bug

Below is the output of the command [( time make | tee
bash-4.3-make-log.txt && exit $PIPESTATUS )]:

making lib/tilde/libtilde.a in ./lib/tilde
make[1]: Entering directory '/home/jamenson/bash-4.3/lib/tilde'
gcc -c  -DHAVE_CONFIG_H -DSHELL  -I. -I../.. -I../.. -I../../include
-I../../lib  -g -O2 tilde.c
rm -f libtilde.a
ar cr libtilde.a tilde.o
test -n "ranlib" && ranlib libtilde.a
make[1]: Leaving directory '/home/jamenson/bash-4.3/lib/tilde'
rm -f bash
gcc -L./builtins -L/usr/lib -L/usr/lib -L./lib/glob -L./lib/tilde
-L./lib/sh  -rdynamic  -g -O2 -o bash shell.o eval.o y.tab.o general.o
make_cmd.o print_cmd.o  dispose_cmd.o execute_cmd.o variables.o
copy_cmd.o error.o expr.o flags.o jobs.o subst.o hashcmd.o hashlib.o
mailcheck.o trap.o input.o unwind_prot.o pathexp.o sig.o test.o
version.o alias.o array.o arrayfunc.o assoc.o braces.o bracecomp.o
bashhist.o bashline.o  list.o stringlib.o locale.o findcmd.o redir.o
pcomplete.o pcomplib.o syntax.o xmalloc.o  -lbuiltins -lglob -lsh
-lreadline -lhistory -lcurses -ltilde     -ldl
Makefile:553: recipe for target 'bash' failed

I ran the command from inside the actually _running_ BLFS system.

Do you have any ideas?

Thank you!

Jamenson Ferreira Espindula de Almeida Melo
Linux User # 166197
https://linuxcounter.net/cert/166197.png

Key fingerprint:
234D 1914 4224 7C53 BD13  6855 2AE0 25C0 08A8 6180


2014-09-26 14:45 GMT-03:00 Bruce Dubbs <bruce.dubbs at gmail.com>:

> It is critical that all LFS users update their current version of bash to
> fix the shellshock bug.  [1][2]
> All users should update their current version of bash according to the
> instructions at:
> http://www.linuxfromscratch.org/lfs/view/development/chapter06/bash.html
> Note 1: The suffix in bash-4.3-upstream_fixes-4.patch has changed.
> Note 2: Older installations of bash versions before 4.3 may also need to
> install readline-6.3.
> -----
> To see if your current system is vulnerable to CVE-2014-6271, run:
> $ env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'
> A vulnerable system will display the word 'vulnerable'.
> To see if your current system is subject to CVE-2014-7169, run:
> $ X='() { (a)=>\' bash -c "echo date"
> A vulnerable system with only the fix for CVE-2014-6271 will display lines
> similar to:
> bash: X: line 1: syntax error near unexpected token `='
> bash: X: line 1: `'
> bash: error importing function definition for `X'
> [root@ ec2-user]# cat echo
> Fri Sep 26 01:37:16 UTC 2014
> A fixed system will only display the word 'date'.
> The patch bash-4.3-upstream_fixes-4.patch fixes both CVE-2014-6271 and
> CVE-2014-7169.
>   -- Bruce Dubbs
>      linuxfromscratch.org
> [1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
> [2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
> --
> http://lists.linuxfromscratch.org/listinfo/blfs-support
> FAQ: http://www.linuxfromscratch.org/blfs/faq.html
> Unsubscribe: See the above information page
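
The two checks quoted above, wrapped as one script (an added example, not part of the original thread; the function name `shellshock_check` and its output strings are assumptions). It runs both probes in a scratch directory because, as the quoted `cat echo` output shows, the CVE-2014-7169 probe leaves a file named `echo` behind on an affected shell.

```shell
#!/bin/sh
# Added example: runs the two probes from the announcement against a given
# bash binary. shellshock_check and its messages are hypothetical names.

# Usage: shellshock_check [path-to-bash]
# Prints one line per CVE; returns 0 if both probes pass, 1 if either fails.
shellshock_check() {
    sh_bin=${1:-bash}
    rc=0
    # Work in a scratch directory so a stray "echo" file never lands in
    # the caller's working directory.
    scratch=$(mktemp -d) || return 2

    # CVE-2014-6271: the command after the function body must not execute.
    out=$(cd "$scratch" && env x='() { :;}; echo vulnerable' \
          "$sh_bin" -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        *vulnerable*) echo "CVE-2014-6271: vulnerable"; rc=1 ;;
        *)            echo "CVE-2014-6271: not vulnerable" ;;
    esac

    # CVE-2014-7169: a fixed shell prints "date" and creates no file;
    # an affected one writes the date into a file called "echo".
    (cd "$scratch" && env X='() { (a)=>\' \
        "$sh_bin" -c "echo date" >/dev/null 2>&1) || true
    if [ -e "$scratch/echo" ]; then
        echo "CVE-2014-7169: vulnerable"; rc=1
    else
        echo "CVE-2014-7169: not vulnerable"
    fi

    rm -rf "$scratch"
    return $rc
}
```

Call it as `shellshock_check /bin/bash` after installing the patched build, and again with the path of any other bash binary left on the system.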