Today’s announcement of the Shellshock Bash vulnerability had me worried. I run lots of Debian Linux systems, and they’re not all the latest version. Many are still Debian Squeeze (version 6) which no longer gets security updates as standard. That’s my fault, of course, and I should have upgraded, but I haven’t. Yet. Now I’m more motivated to do it. However, upgrading to Debian Wheezy (version 7) isn’t something I wanted to do in a hurry, especially on remote machines.
Debian have thought of people like me, and there is a ‘Long Term Support’ option for Debian Squeeze, which is great, and includes the necessary security update to Bash. The trouble is, it only supports i386 and amd64 processors, and the machines I’m worried about are ARM (specifically armel) ones.
I was left with one option: build the new Bash from source. Fortunately, Debian Squeeze LTS has the source available, so I was able to do this. Here’s how. This might be useful to other Debian ARM users who are none too fastidious about keeping up to date.
I added the line
deb-src http://http.debian.net/debian squeeze-lts main contrib non-free
to /etc/apt/sources.list, and did
apt-get update
apt-get source bash
which fetched the source code. Then I had to build it.
cd bash-4.1
dpkg-buildpackage -b -us -uc
This complained bitterly about a load of missing dependencies, which I dealt with:
sudo apt-get install autoconf autotools-dev bison libncurses5-dev debhelper texi2html gettext sharutils texlive-latex-base ghostscript
which was a royal pain due to lack of disc space. Beware, these packages want about 180MB of disc space (plus about 80MB for the package downloads) so might need some care on a small system. I started by installing packages individually, doing ‘apt-get clean’ after each one, but texlive-latex-base is an absolute monster and I had to do some filesystem reshuffling to get it to install. I hope you don’t have to.
During the build (repeating the dpkg-buildpackage command above) the patch for ‘CVE-2014-6271’ was mentioned, which was reassuring. The actual build process took a while – about half an hour on a 1GHz-ish ARM chip (a SheevaPlug).
The build completed successfully, so I was able to install the new package:
cd ..
sudo dpkg -i bash_4.1-3+deb6u1_armel.deb
and then start a new shell and try the test:
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
On a ‘broken’ version of Bash, this will print
busted
completed
but on a fixed one, it prints
/bin/bash: warning: X: ignoring function definition attempt
/bin/bash: error importing function definition for `X'
completed
which is the right answer: the function import is refused and the trailing command after the closing brace never runs, so CVE-2014-6271 is patched. It worked!
I hear that the fix isn’t complete, though, so more work may be required later.
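As an added example (not commands from the post), here is a POSIX sh script that turns the test above, and the CVE-2014-7169 probe that appears in the comments below, into functions you can run against the newly installed binary instead of eyeballing the output. The bash_pkg_at_least helper and its dpkg calls are assumptions for a Debian host, and the default version 4.1-3+deb6u2 is the LTS revision a later comment names as carrying the second fix.

```shell
#!/bin/sh
# Added example, not the original post's commands: a post-install check for
# the two Shellshock issues named on the page, CVE-2014-6271 (the function
# import runs trailing commands) and CVE-2014-7169 (the incomplete fix leaves
# a dangling redirection). Each check prints one word: "vulnerable",
# "patched", or "missing" (the binary is not executable).

# CVE-2014-6271: the exported variable X holds a function definition followed
# by "; echo busted". A vulnerable bash keeps parsing after the closing brace
# and executes the echo when the child starts; a fixed bash refuses the import
# (warning on stderr, discarded here) and only "completed" appears.
check_6271() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo missing; return 0; }
    out=$(env X='() { :;} ; echo busted' "$bash_bin" -c 'echo completed' 2>/dev/null || true)
    case "$out" in
        *busted*) echo vulnerable ;;
        *)        echo patched ;;
    esac
}

# CVE-2014-7169: the body "(a)=>\" ends in a redirection with no target. A bash
# carrying only the first fix glues the rest of its input onto it, so the -c
# string "echo date" is run as "> echo date": date's output lands in a file
# named "echo" and nothing is printed. Runs in a scratch directory so the probe
# never drops that file in the caller's working directory.
check_7169() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo missing; return 0; }
    scratch=$(mktemp -d)
    ( cd "$scratch" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$scratch/echo" ]; then
        verdict=vulnerable
    else
        verdict=patched
    fi
    rm -rf "$scratch"
    echo "$verdict"
}

# Debian-only helper (assumption: dpkg is present): confirm the installed bash
# package is at least the revision the rebuilt .deb was meant to provide.
# Prints "ok", "old", or "missing" when dpkg-query is unavailable.
bash_pkg_at_least() {
    want=${1:-4.1-3+deb6u2}
    command -v dpkg-query >/dev/null 2>&1 || { echo missing; return 0; }
    have=$(dpkg-query -W -f='${Version}' bash 2>/dev/null || true)
    if [ -n "$have" ] && dpkg --compare-versions "$have" ge "$want"; then
        echo ok
    else
        echo old
    fi
}

# Run both probes against whichever bash is on PATH, or the path given as $1.
report() {
    target=${1:-bash}
    echo "CVE-2014-6271: $(check_6271 "$target")"
    echo "CVE-2014-7169: $(check_7169 "$target")"
}

report "${1:-bash}"
```

Save it as shellshock-check.sh and run `sh shellshock-check.sh /bin/bash` after the `dpkg -i`. A bash with only the first patch reports patched for CVE-2014-6271 and vulnerable for CVE-2014-7169, which is exactly the gap the note above refers to. Current bash releases only import functions from specially named BASH_FUNC_* variables, so a plain X variable produces no warning line at all, which is why the "just completed" behaviour a commenter describes below is also the patched result.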
Thanks for the post! I too have a couple of armel systems still on 6.0. I didn’t have to install tex however, possibly because I used the --no-install-recommends when I installed the build dependencies.
And as you say, the fix isn’t yet complete – for example the following will still print the date, even though /dev/stdout is not a command:
env X="() { (a)=>\\" bash -c '/dev/stdout date'
You’re welcome! I’m glad it was useful. The --no-install-recommends trick would have saved me a whole load of hassle if it avoided some of the bigger packages. Good idea.
Just a quick note to say that the CVE-2014-7169 fix has now showed up in the 6.0 LTS source – rebuilding again…
Ah, good. Thank you for the note. I’m rebuilding again too…
Much thanks! I also needed it for my sheevaplug.
In order to install the dependencies I ran:
sudo apt-get build-dep --no-install-recommends bash
Thanks for the detailed guide! I didn’t have enough disk space on the ARM device either, so set up a Qemu virtual machine for compiling. There are good instructions at http://www.aurel32.net/info/debian_arm_qemu.php for this, and also complete Debian Squeeze images at https://people.debian.org/~aurel32/qemu/armel/ . With the debian_squeeze_armel_standard.qcow2 image compilation worked fine, and the result could be installed on a Marvell Kirkwood system.
Btw. after building and installing the latest LTS source (bash 4.1-3+deb6u2) under ARM, your test line doesn’t print any errors at all (just “completed”). This is the same behavior I get on a real Squeeze LTS x86_64 system and also with bash 4.2-2ubuntu2.5 under Ubuntu. Kinda lost track of the many new Bash CVEs and bugfixes by now, but hopefully the Debian and Ubuntu maintainers have really put all necessary fixes in these packages 🙂