ShellShock - Fix Bash on Debian Lenny


I guess you are here because of the ShellShock wave and you want to fix your Debian Lenny system. No worries, read on.
If you have Debian Squeeze, follow this link: http://tar.gz.ro/debian-squeeze-bash-shellshock.html

[UPDATE]: if this tutorial does not work for you, go directly to point 5 at the end; there is another way. Point 5 also covers the older versions: woody (3.0), sarge (3.1) and etch (4.0).

How to upgrade Bash on Debian Lenny:
1. Replace lenny with wheezy in /etc/apt/sources.list, or save a copy of the current file and overwrite it with the following:

############################################################
################### OFFICIAL DEBIAN REPOS ###################
#############################################################

###### Debian Main Repos
deb http://ftp.debian.org/debian/ wheezy main contrib non-free
deb-src http://ftp.debian.org/debian/ wheezy main contrib non-free

###### Debian Update Repos
deb http://security.debian.org/ wheezy/updates main contrib non-free
deb http://ftp.debian.org/debian/ wheezy-proposed-updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://ftp.debian.org/debian/ wheezy-proposed-updates main contrib non-free

2. Run aptitude update

3. If you try to upgrade only Bash (as on squeeze) with apt-get install --only-upgrade bash, you will get an error:

egg:~# apt-get install --only-upgrade bash
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libc6-dev : Breaks: gcc-4.4 (< 4.4.6-4) but 4.4.5-8 is to be installed
E: Broken packages

Instead, you also have to upgrade libc6-dev (which pulls in libc6), as follows:

egg:~# apt-get install --only-upgrade bash libc6-dev
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  cpp-4.4 g++-4.4 gcc-4.4 gcc-4.4-base gcc-4.7-base libc-bin libc-dev-bin libc6 libc6-i686 libgcc1 libgmp10 libgomp1 libmpfr4 libstdc++6 libstdc++6-4.4-dev libtinfo5 locales make multiarch-support pkg-config
Suggested packages:
  bash-doc gcc-4.4-locales g++-4.4-multilib gcc-4.4-doc libstdc++6-4.4-dbg gcc-4.4-multilib libmudflap0-4.4-dev libgcc1-dbg libgomp1-dbg libmudflap0-dbg libcloog-ppl0 libppl-c2 libppl7 glibc-doc libstdc++6-4.4-doc
  make-doc
The following packages will be REMOVED:
  gcc-4.3
The following NEW packages will be installed:
  gcc-4.7-base libgmp10 libtinfo5 multiarch-support
The following packages will be upgraded:
  bash cpp-4.4 g++-4.4 gcc-4.4 gcc-4.4-base libc-bin libc-dev-bin libc6 libc6-dev libc6-i686 libgcc1 libgomp1 libmpfr4 libstdc++6 libstdc++6-4.4-dev locales make pkg-config
18 upgraded, 4 newly installed, 1 to remove and 349 not upgraded.
Need to get 33.9 MB of archives.
After this operation, 2,166 kB disk space will be freed.
Do you want to continue [Y/n]? y
[...]

4. Check Bash and confirm it is no longer vulnerable:

egg:~# env x='() { :;}; echo Bash is vulnerable!' bash -c "echo PS: this is just a test..."
PS: this is just a test...

4. Put lenny back in /etc/apt/sources.list (or restore the previously saved file) and run aptitude update again

5. If this tutorial doesn't work for you, there are packages created for woody (3.0), sarge (3.1), etch (4.0) and lenny (5.0): http://ftp.linux.it/pub/People/md/bash/

venus:~# wget http://ftp.linux.it/pub/People/md/bash/bash_3.2-4.2_amd64.deb
--2014-10-01 23:46:08--  http://ftp.linux.it/pub/People/md/bash/bash_3.2-4.2_amd64.deb
Resolving ftp.linux.it... 213.92.8.5
Connecting to ftp.linux.it|213.92.8.5|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 643816 (629K) [application/x-debian-package]
Saving to: `bash_3.2-4.2_amd64.deb'

100%[===============================================================>] 643,816      932K/s   in 0.7s    

2014-10-01 23:46:09 (932 KB/s) - `bash_3.2-4.2_amd64.deb' saved [643816/643816]

venus:~# dpkg -i bash_3.2-4.2_amd64.deb 
(Reading database ... 57038 files and directories currently installed.)
Preparing to replace bash 3.2-4 (using bash_3.2-4.2_amd64.deb) ...
Unpacking replacement bash ...
Setting up bash (3.2-4.2) ...
Processing triggers for man-db ...
venus:~# env x='() { :;}; echo Bash is vulnerable!' bash -c "echo PS: this is just a test..."
PS: this is just a test...
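
The repository swap from points 1 and 4 and the vulnerability probe, wrapped as reusable shell functions. This is an added example, not part of the original tutorial; the function names and the .pre-shellshock backup suffix are assumptions made for the sketch.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# ".pre-shellshock" backup suffix are assumptions.

# check_bash BINARY -> prints "vulnerable", "patched" or "unknown".
# Same probe as the tutorial: a vulnerable Bash runs the command that trails
# the function definition in $x while it imports the environment.
# It only exercises the probe shown on this page.
check_bash() {
    out=$(env x='() { :;}; echo Bash is vulnerable!' \
          "$1" -c 'echo probe' 2>/dev/null) || :
    case "$out" in
        *"Bash is vulnerable!"*) echo vulnerable ;;
        *probe*)                 echo patched ;;
        *)                       echo unknown ;;   # binary missing or not a shell
    esac
}

# swap_release FILE FROM TO
# Keeps a backup next to FILE, then rewrites the suite name on deb/deb-src
# lines only, so comments and mirror URLs are left untouched.
swap_release() {
    cp -p "$1" "$1.pre-shellshock" || return 1
    sed "/^[[:space:]]*deb/ s/\([[:space:]]\)$2\([^[:alnum:]]\)/\1$3\2/" \
        "$1.pre-shellshock" > "$1"
}

# restore_release FILE: put the saved sources.list back.
restore_release() {
    mv "$1.pre-shellshock" "$1"
}

# Intended order on a lenny host (run as root):
#   swap_release /etc/apt/sources.list lenny wheezy && aptitude update
#   apt-get install --only-upgrade bash libc6-dev
#   check_bash /bin/bash        # expect: patched
#   restore_release /etc/apt/sources.list && aptitude update
```

Run check_bash against every Bash binary on the host, not only /bin/bash, since locally built copies are not touched by the package upgrade.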
