Flaw CVE-2014-6271 discovered in the Bash shell — update your Fedora systems

UPDATE: the packages mentioned in this post contained an incomplete fix. See this newer post for more details and for how to get the updated packages that contain the complete fix.

The Red Hat security blog just posted a detailed article on the recently discovered flaw CVE-2014-6271 in bash that is being referred to as “Shellshock”. Be sure to check out the article if you want to learn a little bit more about the issue. Otherwise, be sure to update your Fedora system to get the most recent version of Bash that fixes this issue. The updates are still working their way through the Fedora updates system, so you might not be able to update yet, but they should be coming through ASAP.

Shell based off “Shell” – CC-BY 3.0 by Guillaume Kurkdjian — http://thenounproject.com/term/shell/40512/ — this remix is also CC-BY 3.0

You can check to see if your bash shell is vulnerable by running the command:

env x='() { :;}; echo OOPS' bash -c /bin/true

If that command prints OOPS, then your bash shell is vulnerable. If you are running a patched bash, the output should look something like:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

Alternatively, you can run the following command on your system to check which version of bash is installed:

rpm -q bash

and make sure it is not older than:

Fedora 19: bash-4.2.47-2.fc19
Fedora 20: bash-4.2.47-4.fc20
Fedora 21: bash-4.3.22-3.fc21
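The two checks above, wrapped into script-friendly functions, as an added example that is not part of the original post: it runs the env probe and compares an `rpm -q bash` result against the fixed versions listed for each release. The version comparison is this example's own simple numeric field compare (an assumption), not rpm's algorithm.

```shell
#!/bin/sh
# Added example: scripted form of the two Shellshock checks from the post.

# Fixed package versions quoted in the post, keyed by Fedora release.
fixed_nvr_for_release() {
    case "$1" in
        19) echo "bash-4.2.47-2.fc19" ;;
        20) echo "bash-4.2.47-4.fc20" ;;
        21) echo "bash-4.3.22-3.fc21" ;;
        *)  return 1 ;;   # release not covered by the post
    esac
}

# Runs the post's probe against a bash binary (default: the one on PATH).
# Prints "vulnerable" if the injected function body executes, else "patched".
probe_bash() {
    bash_bin="${1:-bash}"
    out=$(env x='() { :;}; echo OOPS' "$bash_bin" -c /bin/true 2>/dev/null)
    case "$out" in
        *OOPS*) echo vulnerable ;;
        *)      echo patched ;;
    esac
}

# Compares two bash NVRs such as bash-4.2.47-2.fc19 field by field
# (major.minor.patch.release), ignoring the dist tag and any arch suffix.
# Returns 0 when $1 is at least as new as $2. Simplified compare, not rpm's.
nvr_at_least() {
    a=$(printf '%s' "$1" | sed -e 's/^bash-//' -e 's/\.fc[0-9]*.*$//' | tr '-' '.')
    b=$(printf '%s' "$2" | sed -e 's/^bash-//' -e 's/\.fc[0-9]*.*$//' | tr '-' '.')
    i=1
    while [ "$i" -le 4 ]; do
        fa=$(printf '%s' "$a" | cut -d. -f"$i"); fa=${fa:-0}
        fb=$(printf '%s' "$b" | cut -d. -f"$i"); fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# $1 is the output of `rpm -q bash`, $2 the Fedora release number.
# Returns 0 if fixed, 1 if too old, 2 if the release is not in the post.
installed_bash_is_fixed() {
    fixed=$(fixed_nvr_for_release "$2") || return 2
    nvr_at_least "$1" "$fixed"
}
```

On a live system, pass `$(rpm -q bash)` and the release number from /etc/fedora-release to `installed_bash_is_fixed`, and run `probe_bash` for the behavioural check.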

Perhaps you don’t want to wait for the updates to make their way through the signing and mirroring systems. If so, you can download them right away from the official Fedora package build system and install them, using the following commands:

Fedora 21 Alpha

Run these commands:

su -c "yum -y install koji"   # provide root password...
koji download-build --arch=$(uname -m) bash-4.3.22-3.fc21
su -c "yum localinstall bash-4.3.22-3.fc21.$(uname -m).rpm"   # provide root password again...

Fedora 20

Run these commands:

su -c "yum -y install koji"   # provide root password...
koji download-build --arch=$(uname -m) bash-4.2.47-4.fc20
su -c "yum localinstall bash-4.2.47-4.fc20.$(uname -m).rpm"   # provide root password again...

Fedora 19

Run these commands:

su -c "yum -y install koji"   # provide root password...
koji download-build --arch=$(uname -m) bash-4.2.47-2.fc19
su -c "yum localinstall bash-4.2.47-2.fc19.$(uname -m).rpm"   # provide root password again...

Fedora Project community

8 Comments

  1. Tushar Kumar

    As soon as this post update arrived in my inbox I checked my system to see if it was vulnerable. I was busy doing programming and didn’t realize that my bash was acting weird. Every time I execute any command, it’s displaying 7 lines of extra text. Such as:

    Vte prompt command
    Vte osc7
    Vte urlencode $pwd

    This is just rough text to give you an idea.

    What do I do now? Long lasting trust was a bit harmed today. Do I reinstall fedora?

    • Tushar, without further information, it does seem like that might be a symptom of someone trying to exploit the flaw, possibly successfully. It might help if you could give the exact text. I do recommend reinstalling. Are you running a web server with CGI enabled (or PHP) on your system, exposed to the world? And is it running as your user? That’s a likely vector of a real attack.

      As for trust — you can’t trust the Internet. There are always attackers out there. We try to get you security updates as fast as we can (while still testing to make sure we don’t accidentally make the problem worse). All other distros are in the same situation (as are all other operating system vendors, for that matter).

    • s.wilson

      Saw the same thing. No servers running. Noticed it after the update.

      yum info bash

      reports Bash version 4.2.48.

      rpm -qa | grep bash

      reports bash-4.2.48-2.fc20.i686.

      This happened randomly. I was exiting a terminal with the exit command and saw those seven lines. Later, I was doing a simple

      ls

      and saw the seven lines. They eventually stop. But I am curious.

      Any ideas? Posting to ask.fedoraproject.og.

  2. I’ve just installed the Fedora 21 version of this package on my Debian 8 (testing) laptop; it’s fixed the problem fine.

  3. jp

    I guess I’m reaping some benefits in using zsh as my default shell

    PHMNLPU0582% bash --version
    GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)
    Copyright (C) 2013 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later

    This is free software; you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    PHMNLPU0582% env x='() { :;}; echo OOPS' bash -c /bin/true
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    PHMNLPU0582% echo $SHELL
    /bin/zsh
    PHMNLPU0582% zsh --version
    zsh 5.0.2 (x86_64-pc-linux-gnu)
    PHMNLPU0582% uname -a
    Linux PHMNLPU0582 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

    • Unfortunately, this doesn’t really help, as long as network system processes (dhclient is a big one for clients) are using bash.

  4. scavenger

    thanks… and what about fedora 16 ?

  5. scavenger

    Anyway, the bug is not affecting everyone on the web, but only those having specific websites using (insecure) cgi-bin.
    Why are people so crazy about it… For myself, I won’t update bash. I don’t see the necessity.

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions