UPDATE: the packages mentioned in this post contained an incomplete fix. See this newer post for more details and how to get the updated packages that contain the fix
The Red Hat security blog just posted a detailed article on the recently discovered flaw CVE-2014-6271 in bash that is being referred to as “Shellshock”. Be sure to check out the article if you want to learn a little bit more about the issue. Otherwise, be sure to update your Fedora system to get the most recent version of Bash that fixes this issue. The updates are still working their way through the Fedora updates system, so you might not be able to update yet, but they should be coming through ASAP.
Shell based off “Shell” – CC-BY 3.0 by Guillaume Kurkdjian — http://thenounproject.com/term/shell/40512/ — this remix is also CC-BY 3.0
You can check to see if your bash shell is vulnerable by running the command:
env x='() { :;}; echo OOPS' bash -c /bin/true
And if that command returns OOPS, then your bash shell is vulnerable. If you are running a patched bash, output should look something like:
bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x'
Alternatively, you can run the following command on your system to check which version of bash installed :
rpm -q bash
and make sure it is not older than:
Fedora 19: bash-4.2.47-2.fc19
Fedora 20: bash-4.2.47-4.fc20
Fedora 21: bash-4.3.22-3.fc21
Perhaps you don’t want to wait for the updates to make their way through the signing and mirroring systems. If not, you can download them right away from the official Fedora package build system and install them, using the following commands:
Fedora 21 Alpha
Run these commands:
su -c "yum -y install koji" # provide root password... koji download-build --arch=$(uname -m) bash-4.3.22-3.fc21 su -c "yum localinstall bash-4.3.22-3.fc21.$(uname -m).rpm" # provide root password again...
Fedora 20
Run these commands:
su -c "yum -y install koji" # provide root password... koji download-build --arch=$(uname -m) bash-4.2.47-4.fc20 su -c "yum localinstall bash-4.2.47-4.fc20.$(uname -m).rpm" # provide root password again...
Fedora 19
Run these commands:
su -c "yum -y install koji" # provide root password... koji download-build --arch=$(uname -m) bash-4.2.47-2.fc19 su -c "yum localinstall bash-4.2.47-2.fc19.$(uname -m).rpm" # provide root password again...
Tushar Kumar
As soon as this post update arrived in my inbox I checked my system if it was vulnerable. I was busy doing programming and didn’t realized that my bash was acting weird. Every time I execute any command, its displaying 7 lines of extra text. Such as:
Vte prompt command
Vte osc7
Vte urlencode $pwd
This is just rough text to give you an idea.
What do I do now? Long lasting trust was a bit harmed today. Do I reinstall fedora?
Matthew Miller
Tushar, without further information, it does seem like that might be a symptom of someone trying to exploit the flaw, possibly successfully. It might help if you could give the exact text. I do recommend reinstalling. Are you running a web server with CGI enabled (or PHP) on your system, exposed to the world? And is it running as your user? That’s a likely vector of a real attack.
As for trust — you can’t trust the Internet. There are always attackers out there. We try to get you security updates as fast as you can (while still testing to make sure we don’t accidentally make the problem worse). All other distros are in the same situation (as are all other operating system vendors, for that matter.
s.wilson
Saw the same thing. No servers running. Noticed it after the update.
reports Bash version 4.2.48.
reports bash-4.2.48-2.fc20.i686.
This happened randomly. I was exiting a terminal with the exit command and saw those seven lines. Later, I was doing a simple
and saw the seven lines. They eventually stop. But I am curious.
Any ideas? Posting to ask.fedoraproject.og.
DevilishDB
I’ve just installed the Fedora 21 version of this package on my Debian 8 (testing) laptop, it’s fixed the problem fine.
jp
I guess I’m reaping some benefits in using zsh as my default shell
PHMNLPU0582% bash –version
GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
PHMNLPU0582% env x='() { :;}; echo OOPS’ bash -c /bin/true
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
PHMNLPU0582% echo $SHELL
/bin/zsh
PHMNLPU0582% zsh –version
zsh 5.0.2 (x86_64-pc-linux-gnu)
PHMNLPU0582% uname -a
Linux PHMNLPU0582 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
Matthew Miller
Unfortunately, this doesn’t really help, as long as network system processes (dhclient is a big one for clients) are using bash.
scavenger
thanks… and what about fedora 16 ?
scavenger
Anyway, the bug is not affecting everyone on the web, but only those having specific websites using (insecure) cgi-bin.
Why are people so crazy about it… For myself, I won’t update bash. I don’t see the necessity.