Linux – How to fix the Shellshock security vulnerability in debian testing/jessie

debianlinuxSecurityshellshock

The test command

x='() { :;}; echo vulnerable' bash

shows that my DebianĀ 8 (Jessie) installation is vulnerable, even with the latest updates. Research shows that there's a patch for stable and unstable, but that testing is unpatched.

I figure that the patch will make it to testing in a couple of days, but this actually looks nasty enough to be paranoid about. Is there any way to get the package from unstable and install it without breaking my system? Upgrading to unstable looks like it will cause more problems than it solves.


According to Bob, there is a second Shellshock vulnerability, which is fixed in a second patch. The test for it is supposed to be:

 env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("

But I'm not skilled enough in Bash to work out what this means or why it's a problem. At any rate, it does something weird, which is prevented by bash_4.3-9.2_amd64.deb on 64-bit systems, which at time of editing is in stable and unstable but not in Jessie/testing.

To fix this for Jessie, get the latest Bash from unstable and install it with dpkg -i.

Jemenake offers

wget http://ftp.debian.org/debian/pool/main/b/bash/bash_4.3-9.2_$(dpkg --print-architecture).deb

as a command which will get the 4.3-9.2 version for your machine.

And you can follow that with:

sudo dpkg -i bash_4.3-9.2_$(dpkg --print-architecture).deb

to install it.

Should you need further patches from unstable for your Jessie system, this is clearly the way to go (mutatis mutandis).

Best Answer

Download the package from unstable via this link. You can check the dependencies there as well, although it looks like the unstable bash has the same dependencies as the bash from testing. Install the downloaded deb with the following.

dpkg -i