Dealing with Shellshock on Debian Squeeze for ARM

Today’s announcement of the Shellshock Bash vulnerability had me worried. I run lots of Debian Linux systems, and they’re not all the latest version. Many are still Debian Squeeze (version 6) which no longer gets security updates as standard. That’s my fault, of course, and I should have upgraded, but I haven’t. Yet. Now I’m more motivated to do it. However, upgrading to Debian Wheezy (version 7) isn’t something I wanted to do in a hurry, especially on remote machines.

Debian have thought of people like me, and there is a ‘Long Term Support‘ option for Debian Squeeze, which is great, and includes the necessary security update to Bash. The trouble is, it only supports i386 and amd64 processors, and the machines I’m worried about are ARM (specifically armel) ones.

I was left with one option: build the new Bash from source. Fortunately, Debian Squeeze LTS has the source available, so I was able to do this. Here’s how. This might be useful to other Debian ARM users who are none too fastidious about keeping up to date.

I added the line

deb-src http://http.debian.net/debian squeeze-lts main contrib non-free

to /etc/apt/sources.list, and did

apt-get update
apt-get source bash

which fetched the source code. Then I had to build it.

cd bash-4.1
dpkg-buildpackage -b -us -uc

This complained bitterly about a load of missing dependencies, which I dealt with:

sudo apt-get install autoconf autotools-dev bison libncurses5-dev debhelper texi2html gettext sharutils texlive-latex-base ghostscript

which was a royal pain due to lack of disc space. Beware, these packages want about 180MB of disc space (plus about 80MB for the package downloads) so might need some care on a small system. I started by installing packages individually, doing ‘apt-get clean’ after each one, but texlive-latex-base is an absolute monster and I had to do some filesystem reshuffling to get it to install. I hope you don’t have to.

During the build (repeating the dpkg-buildpackage command above) the patch for ‘CVE-2014-6271‘ was mentioned, which was reassuring. The actual build process took a while – about half an hour on a 1GHz-ish ARM chip (a SheevaPlug).

The build completed successfully, so I was able to install the new package:

cd ..
sudo dpkg -i bash_4.1-3+deb6u1_armel.deb

and then start a new shell and try the test:

env X="() { :;} ; echo busted" `which bash` -c "echo completed"

on a ‘broken’ version of Bash, this will print

busted
completed

but on a fixed one, it prints

/bin/bash: warning: X: ignoring function definition attempt
/bin/bash: error importing function definition for `X'
completed

which is the right answer, and means that the vulnerability is patched. It worked!

I hear that the fix isn’t complete, though, so more work may be required later.

Advertisements

7 thoughts on “Dealing with Shellshock on Debian Squeeze for ARM

  1. Johny

    Thanks for the post! I too have a couple of armel systems still on 6.0. I didn’t have to install tex however, possibly because I used the –no-install-recommends when I installed the build dependencies.

    And as you say, the fix isn’t yet complete – for example the following will still print the date, even though /dev/stdout is not a command:

    env X=”() { (a)=>\\” bash -c ‘/dev/stdout date’

    Reply
      1. Johny

        Just a quick note to say that the CVE-2014-7169 fix has now showed up in the 6.0 LTS source – rebuilding again…

  2. Mark Isin

    Much thanks! I also needed it for my sheevaplug.

    In order to install the dependencies I ran:
    sudo apt-get build-dep –no-install-recommends bash

    Reply
  3. oliver

    Thanks for the detailed gide! I didn’t have a enough disk space on the ARM device either, so set up a Qemu virtual machine for compiling. There are good instructions at http://www.aurel32.net/info/debian_arm_qemu.php for this, and also complete Debian Squeeze images at https://people.debian.org/~aurel32/qemu/armel/ . With the debian_squeeze_armel_standard.qcow2 image compilation worked fine, and the result could be installed on a Marvell Kirkwood system.

    Btw. after building and installing the latest LTS source (bash 4.1-3+deb6u2) under ARM, your test line doesn’t print any errors at all (just “completed”). This is the same behavior I get on a real Squeeze LTS x86_64 system and also with bash 4.2-2ubuntu2.5 under Ubuntu. Kinda lost track of the many new Bash CVEs and bugfixes by now, but hopefully the Debian and Ubuntu maintainers have really put all necessary fixes in these packages 🙂

    Reply
  4. Pingback: Dealing with Shellshock on Debian Squeeze for ARM - ServerAB

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s