Lewis' Blog Tales from the trenches of information technology

28Sep/143

Updating bash to patch Shellshock on discontinued CentOS 4.8

Download PDF

By now, this week's news of the Shellshock vulnerability has quieted to a bit of a rumble. What a mess, and to think that this exploit has been possible for such a long time...

What to do about old Linux distros, then? Yes, the rule of thumb is that if the distro is no longer widely supported, one should move off of it, or at least put it behind something more secure. But what if there is a single application which requires just that particular old distro, and will not play nicely with anything newer, and what if that particular app is proprietary, and no longer available?

I found myself in just this situation this week. I have an app running quite happily on CentOS 4.8 32-bit, and have seen no reason to replace it. CentOS 4.8 is still installable on modern hardware, so should a catastrophic hardware failure occur, I could get back up and running in a short period of time. The app (unfortunately) does have some exposure to the outside world, albeit over SSL (and no, Heartbleed is not a concern). However, there is some CGI involved, and this is what brought the situation to my immediate attention.

Using VirtualBox, I built both 32 and 64-bit CentOS 4.8 and 3.9 VMs, and applied the latest patches (through bash30-019 bash30-022 - CentOS 4.8 - and bash205b-013 - CentOS 3.9) to address the following:

CVE-2014-6271
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187
CVE-2014-6277
CVE-2014-6278

(plus additional related fixes)

I've packaged updated RPMs on my FTP server, here. From the readme:

A comprehensive Shellshock test may be found here.

Notes:

The above test, when run on my systems, results in the following:

i386:

Testing /bin/bash ...
GNU bash, version 3.00.21(1)-release (i686-redhat-linux-gnu)

Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)
Variable function parser inactive, likely safe from unknown parser bugs

x86_64:

Testing /bin/bash ...
GNU bash, version 3.00.21(1)-release (x86_64-redhat-linux-gnu)

Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)
Variable function parser inactive, likely safe from unknown parser bugs

The post with several manual tests is here.

Also, the test for CVE-2014-7187 is inconclusive, due to the lack of an address sanitizer (gcc option -fsanitize=address). This feature was added to gcc 4.8, and these builds were made with gcc 3.4.6, thus no address sanitizer was available. I'm open to suggestions (short of trying to build gcc 4.8 on CentOS 4.8).

More discussion on these builds may be found here.

Finally, I've uploaded the latest spec files to my FTP server, for the curious and the do-it-yourself-ers. (Thanks for the suggestion, Justin!)

I hope they prove useful. Good luck!

Comments (3) Trackbacks (0)
  1. Updated to include Patch 20, which addresses CVE-2014-6278 (patch for 6277 still pending). See FTP server link above, and be sure to check the updated readme. We expect at least one more round of patches, and I'll likely update the post itself to include the later information.

  2. Updated to include Patches 21 and 22 (for bash 3.0) and through Patch 13 (for bash 2.05b). Follow the FTP link above to download binaries and readmes relevant to the different CentOS versions (simply go to the /pub/CentOS/3.9 directory for the older ones).

    We'll see what other patches may come through for these, and I'll try to keep up as best I can.

  3. Updated to mention builds for CentOS 3.9 and availability of spec files.


Leave a comment

No trackbacks yet.