JRR

Reputation: 6152

patching bash shell shock bug from source

I am running a non-standard version of Ubuntu and I tried to patch the shell shock bug by downloading and recompiling from the source, following the instructions from https://news.ycombinator.com/item?id=8364385. After make install, running bash --version shows 4.3.24(2). But when running the bug test:

env var='() { :;}; echo vulnerable' bash -c /bin/true

is still printing vulnerable. Am I doing something wrong?

Upvotes: 1

Views: 217

Answers (2)

rici

Reputation: 241911

It's most likely that you didn't install the new bash in the right place. Or that you didn't manage to install it at all.

make install will only work if you're running as root. Normally, you would need to do

sudo make install

If you don't, you'll see an error message:

$ make install

          ***********************************************************
          *                                                         *
          * GNU bash, version 4.3.25(1)-release (x86_64-unknown-linux-gnu)
          *                                                         *
          ***********************************************************

mkdir -p -- /usr/local/share/doc/bash
mkdir: cannot create directory ‘/usr/local/share/doc/bash’: Permission denied
make: *** [installdirs] Error 1

which means that the software wasn't installed. (You only need to redo the install step.)

Also, by default, the bash build files will install your new bash as /usr/local/bin/bash, while your old bash will continue to exist in /usr/bin/bash. Check which bash is being run by typing:

which bash

Upvotes: 0
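
The two checks discussed above (does the probe from the question still fire, and which bash binary is actually being run) can be combined into one script. This is an added example, not part of the question or the answers; the function names probe_bash, list_bashes and report are made up for illustration, and `:` replaces /bin/true in the probe.

```shell
#!/bin/sh
# Added example: run the probe from the question against each bash binary.

# probe_bash FILE: print "vulnerable", "ok" or "missing" for one binary.
# "ok" only means this one probe did not fire.
probe_bash() {
    if [ ! -x "$1" ]; then
        echo "missing"
        return 0
    fi
    # Probe from the question; ':' stands in for /bin/true so the result
    # does not depend on where the true binary lives.
    out=$(env var='() { :;}; echo vulnerable' "$1" -c : 2>/dev/null) || true
    if [ "$out" = "vulnerable" ]; then
        echo "vulnerable"
    else
        echo "ok"
    fi
}

# list_bashes: print every executable file named bash in /bin, /usr/bin,
# /usr/local/bin and each PATH directory, once per path.
# The subshell body keeps the IFS change local to this function.
list_bashes() (
    IFS=:
    seen=
    for dir in /bin /usr/bin /usr/local/bin $PATH; do
        f="$dir/bash"
        case ":$seen:" in *":$f:"*) continue ;; esac
        [ -f "$f" ] && [ -x "$f" ] || continue
        seen="$seen:$f"
        echo "$f"
    done
)

# report: path, version and probe result for each bash found, then the
# binary that a plain "bash" command resolves to.
report() {
    list_bashes | while IFS= read -r b; do
        ver=$("$b" -c 'echo "$BASH_VERSION"' 2>/dev/null </dev/null) || ver="?"
        printf '%-22s %-26s %s\n' "$b" "$ver" "$(probe_bash "$b")"
    done
    printf 'bash resolves to: %s\n' "$(command -v bash || echo none)"
}

report
```

If the freshly built bash shows up as ok but an older path is listed as vulnerable, the line "bash resolves to" tells you which of the two a plain bash command will start.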

chepner

Reputation: 532093

4.3.24 is from August 2014; you need 4.3.25.

Upvotes: 1
