Building bash from source

Building bash from source (patching the Shellshock vulnerability)

Introduction

Normally a user only needs to update bash to fix the Shellshock vulnerability, but the Debian build on my ARM Cubieboard development board never received an update, so I had to patch it by hand.

Checking for the vulnerability

First check your bash version

root@cb1:~# bash --version
GNU bash, version 4.2.37(1)-release (arm-unknown-linux-gnueabihf)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

This is version 4.2.37.

Confirm whether the Shellshock vulnerability is present

root@cb1# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

If "vulnerable" is printed, the vulnerability is present.

Compiling Bash

Install the required packages

apt-get install gcc make autoconf byacc

Download the bash 4.2 source code

cd ~
mkdir bash
cd bash
wget http://ftp.gnu.org/gnu/bash/bash-4.2.tar.gz
tar -xvzf bash-4.2.tar.gz
cd bash-4.2

Check that this version has not been patched yet

cat patchlevel.h

You will see #define PATCHLEVEL 0 in the file, which means no patches have been applied.

Next, fetch the patch files for all the patch levels

cd ..
wget -r -l 1 http://ftp.gnu.org/gnu/bash/bash-4.2-patches/

Remove the unnecessary files from the patch directory

rm ftp.gnu.org/gnu/bash/bash-4.2-patches/*.sig
rm ftp.gnu.org/gnu/bash/bash-4.2-patches/index*

Patch the Bash source code

cd bash-4.2
for i in ~/bash/ftp.gnu.org/gnu/bash/bash-4.2-patches/*; do patch -p0 < $i; done

Check patchlevel.h again to confirm the patches have been applied

cat patchlevel.h

Start compiling the source code

./configure
make

Installing Bash

First back up the old version

cp /bin/bash /bin/bash.old

Install bash

make install

Alternatively, you can copy the bash binary from the build directory over the old bash binary

cp bash /bin/bash

Log out and log back in, then check whether the bash version has been updated.

root@cb1:~# bash --version
GNU bash, version 4.2.53(1)-release (armv7l-unknown-linux-gnueabi)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
root@cb1camera:~#

OK, the version has been updated to 4.2.53.

Check again whether the Shellshock vulnerability is still present

root@cb1:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

Yes! "vulnerable" no longer appears, so the vulnerability has been patched.
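The three verification steps used above (reading PATCHLEVEL, applying the patches, and re-running the env-function test), as an added POSIX sh example that is not part of the original post. It assumes the GNU layout used on this page: patchlevel.h holds a "#define PATCHLEVEL N" line, the patch files are named bash42-001, bash42-002, ... and apply with -p0 from inside the source directory; the paths to the source tree, patch directory and bash binary are arguments you supply. apply_patches_in_order goes one step beyond the post's for-loop: it stops at the first patch that fails to apply and then checks that PATCHLEVEL matches the number of patches applied.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the GNU bash
# layout used above: patchlevel.h holds "#define PATCHLEVEL N" and the
# bash42-NNN patches apply with -p0 from inside the source directory.

# Print the PATCHLEVEL number recorded in a patchlevel.h file.
patchlevel_of() {
    sed -n 's/^#define[[:space:]]*PATCHLEVEL[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1"
}

# Run the post's test against a given shell binary (default: bash).
# Returns 0 if only "this is a test" is printed (fixed), 1 if the
# injected "echo vulnerable" also ran (vulnerable), 2 if the binary is missing.
shellshock_check() {
    bin="${1:-bash}"
    command -v "$bin" >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Apply the bashNN-NNN patches in numeric order and stop at the first
# failure (the post's for-loop ignores failures, so a rejected patch
# could go unnoticed). Then confirm PATCHLEVEL equals the number applied
# and print that number.
apply_patches_in_order() {
    srcdir="$1"; patchdir="$2"; n=0
    for p in "$patchdir"/bash*-[0-9][0-9][0-9]; do
        [ -f "$p" ] || continue
        # redirect outside the subshell so a relative patch path still works
        if ! (cd "$srcdir" && patch -p0) < "$p" >/dev/null; then
            echo "patch failed: $p" >&2
            return 1
        fi
        n=$((n + 1))
    done
    level=$(patchlevel_of "$srcdir/patchlevel.h")
    if [ "$level" != "$n" ]; then
        echo "PATCHLEVEL is $level but $n patches were applied" >&2
        return 1
    fi
    echo "$n"
}
```

Source the file and call, for example, shellshock_check /bin/bash after the install step; a non-zero return means the binary at that path is still the old one or is still vulnerable.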

