#!/bin/bash
# Recommended: upgrade the Bash package through the OS vendor's own channels:
#   apt-get install --only-upgrade bash   (or)   yum -y update bash
# This script updates the Bash package when apt-get or yum is not working for unexpected reasons.
# It tries to install the exact Bash package the OS vendor ships, to avoid future upgrade issues.
# Note: every package below is fetched over plain http/ftp and installed as root; vendor
# tooling (apt/yum) verifies signatures for you, this script can only partly do so.
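# Download each CentOS RPM URL given, verify its GPG signature against the
# vendor key shipped with centos-release, and upgrade it with rpm -Uvh.
# Fails closed: a failed download, an unverifiable signature (including a
# missing key) or a failed rpm aborts the remaining packages.
# Globals:   centos_ver (read) - selects /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-N
# Arguments: $1.. - package URLs (saved under their basename in the cwd)
# Outputs:   rpm progress on stdout, errors on stderr
# Returns:   0 if every package installed, 1 otherwise
centos_install_rpms(){
  local url pkg rc=0
  local key="/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-${centos_ver}"
  # Importing the vendor key lets rpm -K verify; without it rpm -K reports
  # NOT OK (MISSING KEYS) and we refuse to install.
  [ -f "$key" ] && rpm --import "$key" >/dev/null 2>&1
  for url in "$@"; do
    pkg=${url##*/}
    if ! wget -q "$url"; then
      echo -e "\n \t Download failed: $url \n" >&2
      rc=1
    elif ! rpm -K "$pkg" >/dev/null 2>&1; then
      echo -e "\n \t Signature check FAILED for $pkg, refusing to install \n" >&2
      rc=1
    else
      rpm -Uvh "$pkg" || rc=1
    fi
    rm -f "$pkg"
    [ "$rc" -eq 0 ] || break
  done
  return "$rc"
}

# Detect the major CentOS release and upgrade bash to the vendor-built
# package carrying the Shellshock fixes; CentOS 4 is rebuilt from SRPM and
# unknown releases fall back to a source build.
# Globals:   centos_ver (written) - major release number, empty if unknown
# Outputs:   progress messages on stdout
# Returns:   status of the install helper or of the fallback build
# Notes:     the pre-built packages listed here are x86_64 only; any other
#            architecture is sent to the source build instead of being
#            handed the wrong RPM.
centos_bash_upgrade(){
  local rel arch
  local base=http://mirror.centos.org/centos
  # /etc/issue on CentOS 7 contains agetty escapes such as \S instead of the
  # release string, so read the release files first and keep /etc/issue
  # only as a last resort.  The first number on the line is the major release.
  for rel in /etc/centos-release /etc/redhat-release /etc/issue; do
    [ -r "$rel" ] && break
  done
  centos_ver=$(sed -n '1s/[^0-9]*\([0-9][0-9]*\).*/\1/p' "$rel" 2>/dev/null)
  arch=$(uname -m)
  case "$centos_ver" in
    4)
      echo -e "\n \t CentOS 4 found"
      centos4_rpm_build
      ;;
    5|6|7)
      if [ "$arch" != x86_64 ]; then
        echo -e "\n \t CentOS $centos_ver on $arch: no pre-built package in this script, building from source \n"
        bash_compile_install
        return
      fi
      echo -e "\n \t CentOS $centos_ver found, Installing Bash Packages \n"
      case "$centos_ver" in
        5)
          centos_install_rpms "$base/5.10/updates/x86_64/RPMS/bash-3.2-33.el5_10.4.x86_64.rpm"
          ;;
        6)
          centos_install_rpms \
            "$base/6.5/updates/x86_64/Packages/bash-4.1.2-15.el6_5.2.x86_64.rpm" \
            "$base/6.5/updates/x86_64/Packages/bash-doc-4.1.2-15.el6_5.2.x86_64.rpm"
          ;;
        7)
          # Upgrade (-U), not install (-i): bash is always already present and
          # rpm -i would try to install alongside it and fail on file conflicts.
          centos_install_rpms \
            "$base/7.0.1406/updates/x86_64/Packages/bash-4.2.45-5.el7_0.4.x86_64.rpm" \
            "$base/7.0.1406/updates/x86_64/Packages/bash-doc-4.2.45-5.el7_0.4.x86_64.rpm"
          ;;
      esac
      ;;
    *)
      echo -e "\n \t CentOS Older version found"
      bash_compile_install
      ;;
  esac
}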
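# Download each .deb URL given and install it with dpkg -i, deleting the
# file afterwards.  A failed download stops before dpkg runs.
# CAVEAT: dpkg -i performs no signature verification and these URLs are
# plain http/ftp, so this path trusts the network; prefer apt-get (signed
# indexes) whenever it works.
# Arguments: $1.. - package URLs (saved under their basename in the cwd)
# Outputs:   dpkg progress on stdout, errors on stderr
# Returns:   0 if every package installed, 1 otherwise
ubuntu_install_debs(){
  local url deb rc=0
  for url in "$@"; do
    deb=${url##*/}
    if ! wget -q "$url"; then
      echo -e "\n \t Download failed: $url \n" >&2
      rc=1
    else
      dpkg -i "$deb" || rc=1
    fi
    rm -f "$deb"
    [ "$rc" -eq 0 ] || break
  done
  return "$rc"
}

# Detect the Ubuntu release from /etc/issue and install the matching vendor
# bash package (Lucid, Precise, Trusty).  Hardy has no fixed package: its
# build tools are installed and bash is built from source; any other
# release also falls back to the source build.
# Globals:   ubuntu_ver (written) - first five characters of the release token
# Outputs:   progress messages on stdout
# Returns:   status of the install helper or of the fallback build
ubuntu_bash_upgrade(){
  local arch
  local pool=http://security.ubuntu.com/ubuntu/pool/main/b/bash
  arch=$(dpkg --print-architecture)
  # "8.04.4" -> "8.04.", "14.04.1" -> "14.04"; hardy is matched by name.
  ubuntu_ver=$(awk 'NR==1 {print $2}' /etc/issue 2>/dev/null | cut -b 1-5)
  case "$ubuntu_ver" in
    8.04|8.04.|hardy)
      # Hardy
      echo -e "\n \t Ubuntu Hardy found, installing the Bash Package \n"
      # Build prerequisites are checked independently so a missing gcc is
      # still installed when patch is already present.
      if ! dpkg-query -W patch >/dev/null 2>&1; then
        ubuntu_install_debs "http://archive.kernel.org/debian-archive/debian/pool/main/p/patch/patch_2.5.9-4_${arch}.deb"
      fi
      if ! dpkg-query -W gcc >/dev/null 2>&1; then
        ubuntu_install_debs "ftp://ftp.gnome.org/mirror/temp/ubuntu-test/pool/main/g/gcc-defaults/gcc_4.2.3-1ubuntu6_${arch}.deb"
      fi
      bash_compile_install
      ;;
    10.04)
      # Lucid
      echo -e "\n \t Ubuntu Lucid found, installing the Bash Package \n"
      ubuntu_install_debs \
        "$pool/bash_4.1-2ubuntu3.4_${arch}.deb" \
        "$pool/bash-doc_4.1-2ubuntu3.2_all.deb"
      ;;
    12.04)
      # Precise
      echo -e "\n \t Ubuntu Precise found, installing the Bash Package \n"
      ubuntu_install_debs \
        "$pool/bash_4.2-2ubuntu2.5_${arch}.deb" \
        "$pool/bash-doc_4.2-2ubuntu2.5_all.deb"
      ;;
    14.04)
      # Trusty
      echo -e "\n \t OS is Ubuntu Trusty, installing the Bash Package \n"
      ubuntu_install_debs \
        "$pool/bash_4.3-7ubuntu1.4_${arch}.deb" \
        "$pool/bash-doc_4.3-7ubuntu1.4_all.deb"
      ;;
    *)
      echo -e "\n \t Unsupported Ubuntu Version, new Bash will may not support further upgrade for bash \n"
      bash_compile_install
      ;;
  esac
}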
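# Install the newest Ubuntu bash build named in this script (4.3-9ubuntu3),
# bash-doc first and then bash, and remove the downloaded files.
# NOTE: not called from anywhere in this script as shown; kept for manual use.
# CAVEAT: plain http plus dpkg -i means no signature verification; prefer
# apt-get where it works.
# Outputs:   dpkg progress on stdout
# Returns:   0 if both packages downloaded and installed, 1 otherwise
ubuntu_latest_deb(){
  local arch rc=0
  local pool=http://security.ubuntu.com/ubuntu/pool/main/b/bash
  arch=$(dpkg --print-architecture)
  local doc_deb=bash-doc_4.3-9ubuntu3_all.deb
  local bash_deb="bash_4.3-9ubuntu3_${arch}.deb"
  wget -q "$pool/$doc_deb" || return 1
  if ! wget -q "$pool/$bash_deb"; then
    rm -f "$doc_deb"
    return 1
  fi
  dpkg -i "$doc_deb" || rc=1
  dpkg -i "$bash_deb" || rc=1
  rm -f "$doc_deb" "$bash_deb"
  return "$rc"
}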
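# Rebuild the RHEL 4 bash SRPM with upstream patch bash30-017 added and
# install the result; there is no pre-built fixed package for CentOS 4.
# Code adapted from http://serverfault.com/questions/631055/how-do-i-patch-rhel-4-for-the-bash-vulnerabilities-in-cve-2014-6271-and-cve-2014
# CAVEAT: the SRPM and the patch are fetched over plain http with no
# signature or checksum verification (the Red Hat signing key is normally
# not in a CentOS rpmdb, so rpm -K cannot be used to fail closed here).
# NOTE(review): only bash30-017 is added; check_bash_status also tests
# CVE-2014-7169, which may need a later upstream patch — confirm.
# Globals:   none
# Outputs:   build progress on stdout, errors on stderr
# Returns:   0 on success, 1 on the first failed step
centos4_rpm_build(){
  local topdir=/usr/src/redhat
  local spec_patch=/root/bash_patch.diff
  local built rc
  echo -e "\n \t Building RPM from Source it will take some time"
  wget -q http://ftp.redhat.com/redhat/linux/updates/enterprise/4ES/en/os/SRPMS/bash-3.0-27.el4.src.rpm || return 1
  if ! rpm -ivh bash-3.0-27.el4.src.rpm; then
    rm -f bash-3.0-27.el4.src.rpm
    return 1
  fi
  rm -f bash-3.0-27.el4.src.rpm
  # Everything below is relative to SOURCES; bail out rather than run the
  # "rm -rf bash*" cleanup in whatever directory we happened to be in.
  cd "$topdir/SOURCES/" || return 1
  wget -q http://ftp.gnu.org/gnu/bash/bash-3.0-patches/bash30-017 || return 1
  # Spec changes: bump the release, declare the new patch and apply it.
  # The stock spec has %patch16 commented out, so it is enabled as well.
  cat > "$spec_patch" <<'EOF'
4c4
< Release: 27%{?dist}
---
> Release: 27.2%{?dist}
28a29
> Patch17: bash30-017
110c111,112
< #%patch16 -p0 -b .016
---
> %patch16 -p0 -b .016
> %patch17 -p0 -b .017
EOF
  if ! patch ../SPECS/bash.spec "$spec_patch"; then
    rm -f "$spec_patch"
    return 1
  fi
  rm -f "$spec_patch"
  if ! rpmbuild -ba ../SPECS/bash.spec; then
    rm -rf bash* dot-bash*
    return 1
  fi
  # rpmbuild writes under RPMS/<arch> (i386 on the original 32-bit target);
  # pick the bash binary package by glob so x86_64 builds are found too.
  # bash-debuginfo-* does not match this pattern.
  set -- ../RPMS/*/bash-3.0-27.2.*.rpm
  built=$1
  if [ ! -f "$built" ]; then
    echo -e "\n \t Built RPM not found under $topdir/RPMS \n" >&2
    rm -rf bash* dot-bash*
    return 1
  fi
  rpm -Uvh "$built"
  rc=$?
  rm -rf bash* dot-bash*
  rm -f "$built"
  return "$rc"
}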
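# Download bash 4.3 plus its upstream patch series, apply them and install
# over the system bash (prefix=/usr, bindir=/bin, matching the vendor
# layout).  Code adapted from https://news.ycombinator.com/item?id=8364385
# CAVEAT: the tarball and patches come over plain http and are not
# signature-checked here (GNU publishes .sig files for both); the install
# also overwrites /bin/bash outside the package manager, as the caller warns.
# NOTE(review): the series stops at bash43-028; later upstream patches may
# exist and the range should be extended if the build is meant to be current.
# Arguments: $1 - scratch directory (created here, removed by the caller)
# Outputs:   configure/make progress on stdout
# Returns:   0 if every step succeeded, 1 at the first failure
build_bash_from_source(){
  local dir=$1 i
  local gnu=http://ftp.gnu.org/gnu/bash
  mkdir -p "$dir" && cd "$dir" || return 1
  wget -q "$gnu/bash-4.3.tar.gz" || return 1
  # Upstream patches are numbered from 001; there is no bash43-000, so the
  # old "0 28" range only produced a failed download and a failed patch run.
  for i in $(seq -f "%03g" 1 28); do
    wget -q "$gnu/bash-4.3-patches/bash43-$i" || return 1
  done
  tar zxf bash-4.3.tar.gz || return 1
  cd bash-4.3 || return 1
  for i in $(seq -f "%03g" 1 28); do
    patch -p0 < "../bash43-$i" || return 1
  done
  ./configure --prefix=/usr --bindir=/bin --sbindir=/sbin --sysconfdir=/etc && make && make install
}

# Ask the operator for confirmation, then build and install bash from source
# under /root/bash_src, cleaning the scratch directory up afterwards.
# Answering no runs check_bash_status, which exits the script.
# Outputs:   prompt and progress on stdout
# Returns:   0 after the build attempt (success or not; check_bash_status
#            reports the real state); does not return on "no"
bash_compile_install(){
  local yn
  local src=/root/bash_src
  while true; do
    read -r -p "Do you want to compile and install Bash?: " yn
    case "$yn" in
      [Yy]* )
        echo -e "\n \t Compiling will take time, please wait"
        build_bash_from_source "$src" || echo -e "\n \t Build or install failed, see messages above \n" >&2
        cd ~
        rm -rf "$src"
        break;;
      [Nn]* ) check_bash_status; exit;;
      * ) echo "Please answer yes or no.";;
    esac
  done
}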
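# Run the two Shellshock probes against the bash found in PATH and exit the
# script with the result.
#   CVE-2014-6271: a function-looking env var with trailing code prints
#                  "vulnerable" on an unpatched bash.
#   CVE-2014-7169: the parser bug turns "echo date" into a redirection, so a
#                  vulnerable bash creates a file named "echo" in the cwd.
# The second probe runs in a private mktemp directory instead of /tmp:
# this script runs as root, and a predictable /tmp/echo could be planted
# (or symlinked) by any local user beforehand, spoofing the verdict and
# making root write through the link.
# Outputs:   verdict on stdout (screen is cleared first, as before)
# Exits:     0 when both probes are clean, 2 when either still triggers
check_bash_status(){
  local bash_status workdir affected=0
  bash_status=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" | grep -c vulnerable)
  workdir=$(mktemp -d) || { echo "mktemp failed" >&2; exit 2; }
  (
    cd "$workdir" || exit 1
    env 'x=() { (a)=>\' bash -c "echo date"
    [ -f echo ] && cat echo
  )
  [ -f "$workdir/echo" ] && affected=1
  rm -rf "$workdir"
  if [ "$bash_status" -eq 0 ]; then
    if [ "$affected" -eq 1 ]; then
      clear;
      echo -e "\n \t Bash is still affected with Bash file creation bug CVE-2014-7169 \n"
      exit 2;
    else
      clear;
      echo -e "\n \t Now, Bash is protected \n"
      exit 0;
    fi
  else
    clear;
    echo -e "\n \t Bash is NOT upgraded and vulnerability still exist \n"
    exit 2;
  fi
}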
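# Entry point.  Must run as root: every path installs into /bin and /usr
# and writes under /root.  Picks the distribution-specific upgrade, then
# check_bash_status exits the script: 0 = both Shellshock probes clean,
# 2 = still vulnerable.
if [ "$(id -u)" -ne 0 ]; then
  echo -e "\n \t This script installs system packages and must be run as root \n" >&2
  exit 1
fi
# Distribution detection: /etc/os-release (ID=) where present, because
# CentOS 7's /etc/issue carries agetty escapes such as \S instead of the
# distro name; otherwise /etc/centos-release, then the first word of
# /etc/issue as before.
os=""
if [ -r /etc/os-release ]; then
  os=$(sed -n 's/^ID=//p' /etc/os-release | tr -d '"' | head -n 1)
fi
case "$os" in
  ubuntu) os=Ubuntu ;;
  centos) os=CentOS ;;
  "")
    if [ -f /etc/centos-release ]; then
      os=CentOS
    else
      os=$(awk 'NR==1{print $1}' /etc/issue 2>/dev/null)
    fi
    ;;
esac
case "$os" in
  Ubuntu) ubuntu_bash_upgrade ;;
  CentOS) centos_bash_upgrade ;;
  *)
    echo -e "\n \t Unsupported OS, new Bash will may not support your existing OS vendor package \n"
    bash_compile_install
    ;;
esac
check_bash_status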