The Shellshock Bash Bug

Uhhhh - it's scary times!
Luckily, Steve Jenkins wrote a masterpiece on patching Bash, and here it is :)


1: vulnerable?

First you should definitely test to see if you are at all vulnerable.
You test it like this:

test 1
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see 'vulnerable' in the output - skip right to step 2! Otherwise keep testing.

test 2
cd /tmp; env X='() { (a)=>\' bash -c "echo date"; cat echo

If you see 'date' and nothing else in the output - you're in the green, so run test 3!

test 3
env -i X=' () { }; echo hello' bash -c 'date'

If you see 'hello' - skip to step 2!

test 4
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"

If you see 'vulnerable' - skip to step 2!

test 5
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

If you don't see 'vulnerable' - you're green!

2: Prepare for patching

Make a copy of bash by giving this command:

sudo cp `which bash` ~/bash-unpatched-copy

Determine the version with

bash --version

Set up the patching environment

mkdir /usr/local/src/bashfix
cd /usr/local/src/bashfix

Get tools

sudo yum install patch byacc bison autoconf

Download Bash source

tar zxvf bash-4.2.tar.gz
cd bash-4.2

3: Get patches

Get the patches and apply them by downloading this script, making it executable, and editing it to reflect the Bash version and the number of patches


Finally apply the patches with

4: Build new Bash

Keep an eye on that monitor – but if everything looks dandy you go build that bash with


If that proves to fly, throw the new bash in place with

sudo cp -f bash /bin/bash

5: Test again

Test like before - and when green all the way - read on here!
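
To run the checks from step 1 against one specific binary (the freshly built ./bash before it is copied over /bin/bash, or ~/bash-unpatched-copy for comparison), the sketch below wraps tests 1, 3, 4 and 5 in a function. It is an added example, not part of the original post or of Steve Jenkins' guide; the function name check_bash, its output lines and its return codes are made up here.

```shell
#!/bin/sh
# Added example: the page's tests 1, 3, 4 and 5 run against one chosen bash binary.
# check_bash is a name made up for this example.
# Return codes (also an assumption): 0 = all green, 1 = vulnerable, 2 = bad path.
check_bash() {
    bin=$1; fails=0
    [ -x "$bin" ] || { echo "not an executable: $bin" >&2; return 2; }

    # Test 1: code trailing a function definition in an environment variable
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        *vulnerable*) echo "test 1: vulnerable"; fails=$((fails + 1)) ;;
        *) echo "test 1: green" ;;
    esac

    # Test 3: the same kind of check with a leading space and an emptied environment
    out=$(env -i X=' () { }; echo hello' "$bin" -c 'date' 2>/dev/null) || true
    case $out in
        *hello*) echo "test 3: vulnerable"; fails=$((fails + 1)) ;;
        *) echo "test 3: green" ;;
    esac

    # Test 4 (CVE-2014-7186, redir_stack): a non-zero exit means the shell broke
    if "$bin" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1
    then echo "test 4: green"
    else echo "test 4: vulnerable"; fails=$((fails + 1))
    fi

    # Test 5 (CVE-2014-7187, word_lineno): 200 nested for loops fed on stdin
    if { i=1; while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$((i + 1)); done
         i=1; while [ "$i" -le 200 ]; do echo done; i=$((i + 1)); done
       } | "$bin" >/dev/null 2>&1
    then echo "test 5: green"
    else echo "test 5: vulnerable"; fails=$((fails + 1))
    fi

    [ "$fails" -eq 0 ]
}

# Usage: sh check_bash.sh ./bash    (the file name is only an example)
if [ "$#" -gt 0 ]; then check_bash "$1"; fi
```

Test 2 is left out because it writes a file named echo into the current directory; run it by hand from /tmp as shown in step 1.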