Shellshock Fix for Solaris 11

NOTE: Oracle continue to release official patches as they become available. If you have access to the support repository, a pkg update will install the latest official version.

UPDATE: The Bash version and method to patch has been updated. If /opt is on a different filesystem to /usr the fix below may not be suitable.

The actual bash and bashbug binaries can be downloaded from http://www.solarismultimedia.com/files/bash.tar.gz. You can use these binaries if you only want to replace /usr/bin/bash and /usr/bin/bashbug. Below is the alternative fix that should be used if you're running Solaris 11.

The binary is version 4.1.17(2) which includes all known Shellshock patches as of posting (09 Oct 2014).

Please note that I have only done limited testing. Ensure that you install the official updates from Oracle as they become available.

All steps below need to be done by a user with elevated privileges.

If you've already added my repository to your Solaris 11 installation the following command will install Bash 4.1.17(2).

pkg install bash-41

For the instructions below replace {extension for backup file} with something like "vulnerable", eg.

EXTENSION=vulnerable

Your original files will then be renamed to bash.vulnerable and bashbug.vulnerable.

EXTENSION={extension for backup files}
mv -i /usr/bin/bash /usr/bin/bash.${EXTENSION}
mv -i /usr/bin/bashbug /usr/bin/bashbug.${EXTENSION}
chmod a-x /usr/bin/bash.${EXTENSION}
chmod a-x /usr/bin/bashbug.${EXTENSION}
ln -s /opt/SMM/bash-41/bin/bash /usr/bin/bash
ln -s /opt/SMM/bash-41/bin/bashbug /usr/bin/bashbug
# --- check the new shell before logging out
/usr/bin/bash
set | grep VERSION  # --- Next line is the output
BASH_VERSION='4.1.17(2)-release'
exit

Log out and then back in to start a new session with the new version.

Check version and do the vulnerability tests.

Version
which bash  # --- Next line is the output
/usr/bin/bash
bash --version  # --- Next six lines are the output
GNU bash, version 4.1.17(2)-release (i386-pc-solaris2.11)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
 
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
CVE-2014-6271
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"  # --- Next line is the output
this is a test
CVE-2014-7169
env X='() { (a)=>\' bash -c "echo date"; cat echo; rm ./echo   # --- Next three lines are the output
date
cat: cannot open echo: No such file or directory
rm: ./echo: No such file or directory
CVE-2014-6277 and CVE-2014-6278
foo='() { echo not patched; }' bash -c foo  # --- Next line is the output
bash: foo: command not found
CVE-2014-7186
bash -c "export f=1 g='() {'; f() { echo 2;}; export -f f; bash -c 'echo \$f \$g; f; env | grep ^f='" # --- Next three lines are the output
1 () {
2
f=1
CVE-2014-7187
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"  # --- You should see no lines of output

The above output means that your bash is no longer vulnerable to known "Shellshock" exploits (at the time of posting).

Regards

Murray