Comments (29)

theonlydoo commented on August 28, 2024

The error seems to come from the cp /bin/bash /usr/local/bin/bash; when I force it, it fully overwrites the bash binary and the CVE is fixed.
The command outputs an error: Text file busy

from shellshocker.

theonlydoo commented on August 28, 2024

It also seems that, on some distros, you need to have some components of build-essential, in addition to gcc, patch, make, curl.

ciryon02 commented on August 28, 2024

Hello, I'm on Ubuntu 14.04 64-bit and still have the issue.
yann@yann-desktop:~$ curl https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2533 100 2533 0 0 4782 0 --:--:-- --:--:-- --:--:-- 4779
CVE-2014-6271 (original shellshock): not vulnerable
bash : ligne 16 : 15317 Erreur de segmentation (core dumped) bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
yann@yann-desktop:~$

theonlydoo commented on August 28, 2024

If you run the cp /bin/bash /usr/local/bin/bash by yourself, do you still have the vulnerability after that?

ciryon02 commented on August 28, 2024

yann@yann-desktop:~$ cp /bin/bash /usr/local/bin/bash
cp: impossible de créer le fichier standard «/usr/local/bin/bash»: Permission non accordée

theonlydoo commented on August 28, 2024

You can try with sudo cp ...

ciryon02 commented on August 28, 2024

OK, with sudo: nothing appears after the command:
yann@yann-desktop:~$ sudo cp /bin/bash /usr/local/bin/bash
[sudo] password for yann:
yann@yann-desktop:~$

theonlydoo commented on August 28, 2024

Redo the tests.

ciryon02 commented on August 28, 2024

yann@yann-desktop:~$ curl https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2533 100 2533 0 0 4449 0 --:--:-- --:--:-- --:--:-- 4451
CVE-2014-6271 (original shellshock): not vulnerable
bash : ligne 16 : 2858 Erreur de segmentation (core dumped) bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
yann@yann-desktop:~$

theonlydoo commented on August 28, 2024

Did you install build-essential? You should read the logs during compile, or do it by hand by reading the script and reproducing the steps in it.

ciryon02 commented on August 28, 2024

What is build-essential? (I am not a pro Linux user by the way, I know a little command line but I've never compiled anything.)

theonlydoo commented on August 28, 2024

You must start somewhere heh :)
sudo apt-get install build-essential

ciryon02 commented on August 28, 2024

I've installed it, what does this program do?

theonlydoo commented on August 28, 2024

It provides the tools to build your bash; try to start fixbash again with sudo.

ciryon02 commented on August 28, 2024

yann@yann-desktop:~$ sudo fixbash
[sudo] password for yann:
sudo: fixbash: command not found
yann@yann-desktop:~$

theonlydoo commented on August 28, 2024

lol I guess you're really new at using Linux :-)
curl https://shellshocker.net/fixbash | sudo sh

ciryon02 commented on August 28, 2024

I have used Ubuntu for a few years, but have used only basic command-line commands so far.
yann@yann-desktop:~$ curl https://shellshocker.net/fixbash | sudo sh
[sudo] password for yann: % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3562 100 3562 0 0 5540 0 --:--:-- --:--:-- --:--:-- 5539

theonlydoo commented on August 28, 2024

And now you can try to test your bash again.

ciryon02 commented on August 28, 2024

yann@yann-desktop:~$ curl https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2533 100 2533 0 0 4376 0 --:--:-- --:--:-- --:--:-- 4382
CVE-2014-6271 (original shellshock): not vulnerable
bash : ligne 16 : 7592 Erreur de segmentation (core dumped) bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
yann@yann-desktop:~$

theonlydoo commented on August 28, 2024

with make patch gcc and build-essential installed?

ciryon02 commented on August 28, 2024

I didn't do "make patch gcc"; this was not indicated in your previous answers. If I do it, I get:
yann@yann-desktop:~$ make patch gcc
make: *** Pas de règle pour fabriquer la cible « patch ». Arrêt.
yann@yann-desktop:~$

mhensler commented on August 28, 2024

@ciryon02, that should have been a list "with make, patch, gcc, and build-essential installed" not a command to run. @theonlydoo was just asking you to confirm that the listed tools had all been installed.

ciryon02 commented on August 28, 2024

I've just installed build essential.

theonlydoo commented on August 28, 2024

@ciryon02 you need to install patch make gcc build-essential; then you need to run the fixbash command line on shellshocker.net again. If you have another problem around the compilation, you'll need to wait for the next merge.

ciryon02 commented on August 28, 2024

What do you mean by "install patch make gcc build-essential"? gcc, make and build-essential are already installed.
yann@yann-desktop:~$ sudo apt-get install patch make gcc build-essential
[sudo] password for yann:
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
build-essential est déjà la plus récente version disponible.
gcc est déjà la plus récente version disponible.
make est déjà la plus récente version disponible.
patch est déjà la plus récente version disponible.
0 mis à jour, 0 nouvellement installés, 0 à enlever et 1 non mis à jour.
yann@yann-desktop:~$

I've also retyped the shellshocker command line:
yann@yann-desktop:~$ curl https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2533 100 2533 0 0 3666 0 --:--:-- --:--:-- --:--:-- 3671
CVE-2014-6271 (original shellshock): not vulnerable
bash : ligne 16 : 8148 Erreur de segmentation (core dumped) bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
yann@yann-desktop:~$

theonlydoo commented on August 28, 2024

Did you try to curl the fixbash script again?
curl https://shellshocker.net/fixbash | sh
Please try to use Markdown so your pastes are a bit more readable...
https://guides.github.com/features/mastering-markdown/

ciryon02 commented on August 28, 2024

@theonlydoo Hello, I didn't know about Markdown. I know about BBCode for phpBB forums but didn't know the "equivalent" here.
So I ran the script and I am not vulnerable anymore; I just hope that the official Ubuntu update (when it is available) does not break anything.

yann@yann-desktop:~$ curl https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2533 100 2533 0 0 4496 0 --:--:-- --:--:-- --:--:-- 4499
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
yann@yann-desktop:~$

PS: I used the addr markdown for the code part but it does not seem to be different.

theonlydoo commented on August 28, 2024

It won't break anything; you'll just have to run make clean and install the new package :)

ciryon02 commented on August 28, 2024

oki doki 👍
