How do I patch RHEL 4 for the bash vulnerabilities in CVE-2014-6271 and CVE-2014-7169?

Solution 1:

A patch has been provided by Oracle for el4:

https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.0.1.el4.src.rpm

https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.0.2.el4.src.rpm

https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.0.3.el4.src.rpm

https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.el4.src.rpm

As it is a source RPM, you need to compile it and then run rpmbuild.

Or use one of these links to avoid the build:

http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/bash-3.0-27.0.1.el4.i386.rpm

http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/bash-3.0-27.0.3.el4.i386.rpm

I tested it on a 4.9 i386 system; it passed the exploit test I have. (Ted)

Solution 2:

I had to patch an old CentOS 4.9 server, so I pulled the latest source RPM from the Red Hat FTP and added the upstream patch from the GNU FTP. The steps are below:

First, follow the "Setup" procedure from http://bradthemad.org/tech/notes/patching_rpms.php:

echo "%_topdir    /home/$(whoami)/src/rpm" > ~/.rpmmacros
mkdir -p ~/src/rpm/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
mkdir -p ~/src/rpm/RPMS/{i386,i486,i586,i686,noarch,athlon}

Then run the following commands from your %_topdir:

cd ~/src/rpm
wget http://ftp.redhat.com/redhat/linux/updates/enterprise/4ES/en/os/SRPMS/bash-3.0-27.el4.src.rpm
rpm -ivh bash-3.0-27.el4.src.rpm
cd SOURCES
wget http://ftp.gnu.org/gnu/bash/bash-3.0-patches/bash30-017
cd ..

Patch SPECS/bash.spec with this diff:

4c4
< Release: 27%{?dist}
---
> Release: 27.2%{?dist}
28a29
> Patch17: bash30-017
110c111,112
< #%patch16 -p0 -b .016
---
> %patch16 -p0 -b .016
> %patch17 -p0 -b .017
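Review bot: the `110c111,112` hunk does more than add patch 17: it also uncomments `%patch16 -p0 -b .016`, which the stock spec had disabled. Before building, confirm that `Patch16:` is declared in the spec and that its source file is present in SOURCES, and that the packager's reason for disabling it no longer applies; otherwise `rpmbuild` will either fail in %prep or apply a patch that was intentionally left out.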

Then finish with these commands:

rpmbuild -ba SPECS/bash.spec
sudo rpm -Uvh RPMS/i386/bash-3.0-27.2.i386.rpm

Edit: The latest comments in the Red Hat Bugzilla say the patch is incomplete. The new ID is CVE-2014-7169.

Edit: There are two additional patches from gnu.org, so also download those into the same SOURCES directory:

wget http://ftp.gnu.org/gnu/bash/bash-3.0-patches/bash30-018
wget http://ftp.gnu.org/gnu/bash/bash-3.0-patches/bash30-019

Then also edit the SPECS/bash.spec as follows ("Release" numbering optional):

4c4
< Release: 27%{?dist}
---
> Release: 27.2.019%{?dist}
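Review bot: with `Release: 27.2.019%{?dist}`, rpmbuild will produce bash-3.0-27.2.019.i386.rpm, so the earlier `sudo rpm -Uvh RPMS/i386/bash-3.0-27.2.i386.rpm` line no longer matches the built file; adjust that path (or keep Release at 27.2, as the answer allows). Either way 27.2.019 compares newer than 27.2 under RPM version ordering, so it will still upgrade a 27.2 package built from the first diff.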
28a29,31
> Patch17: bash30-017
> Patch18: bash30-018
> Patch19: bash30-019
110c113,116
< #%patch16 -p0 -b .016
---
> %patch16 -p0 -b .016
> %patch17 -p0 -b .017
> %patch18 -p0 -b .018
> %patch19 -p0 -b .019
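
The spec edits from the two diffs above (declare bash30-017..019, apply them in %prep, re-enable the commented-out %patch16 line, bump Release) done by script rather than by hand, as an added example that is not from the original answers. It assumes a classic spec layout with `Release:`, `PatchNN:` and `%patchNN` lines, that the patch numbers given are not already used by the spec, and that the patch files are already in SOURCES; the function name add_bash_patches and the sample spec are constructed.

```shell
#!/bin/sh
# Added example (not from the original answers): apply the bash.spec edits
# shown in the diffs above with a script instead of by hand.
# Assumes a classic spec with "Release:", "PatchNN: file" and "%patchNN" lines,
# that the patch numbers given are not yet used by the spec, and that the
# patch files bash30-NNN are already in SOURCES.
# Usage: add_bash_patches SPECS/bash.spec 27.2.019 17 18 19
add_bash_patches() {
  spec=$1 release=$2
  shift 2
  # Line numbers of the last "PatchNN:" declaration and the last "%patchNN"
  # (possibly commented-out) application; the new lines go right after them.
  last_decl=$(grep -n '^Patch[0-9]*:' "$spec" | tail -n 1 | cut -d: -f1)
  last_apply=$(grep -n '^#*%patch[0-9]' "$spec" | tail -n 1 | cut -d: -f1)
  [ -n "$last_decl" ] && [ -n "$last_apply" ] || return 1
  awk -v rel="$release" -v nums="$*" -v d="$last_decl" -v a="$last_apply" '
    BEGIN { n = split(nums, list, " ") }
    /^Release:/     { print "Release: " rel "%{?dist}"; next }   # bump Release
    /^#%patch[0-9]/ { sub(/^#/, "") }   # re-enable a disabled %patch line (the #%patch16 case)
    { print }
    NR == d { for (i = 1; i <= n; i++) printf "Patch%d: bash30-%03d\n", list[i], list[i] }
    NR == a { for (i = 1; i <= n; i++) printf "%%patch%d -p0 -b .%03d\n", list[i], list[i] }
  ' "$spec" > "$spec.new" && mv "$spec.new" "$spec"
}

# Demonstration on a constructed, minimal stand-in for bash.spec.
demo_spec=$(mktemp)
printf '%s\n' 'Name: bash' 'Version: 3.0' 'Release: 27%{?dist}' \
  'Patch15: bash30-015' 'Patch16: bash30-016' '%prep' \
  '%patch15 -p0 -b .015' '#%patch16 -p0 -b .016' '%build' > "$demo_spec"
add_bash_patches "$demo_spec" 27.2.019 17 18 19
cat "$demo_spec"
rm -f "$demo_spec"
```

Run it against the real SPECS/bash.spec from your %_topdir, then check the result with `diff` against a copy before running rpmbuild.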

Solution 3:

RHEL 4 is in its "extended life" phase, and security updates are only available to paying customers. CentOS 4 has been out of support since March 2012, and no further updates have been available since then.

Your only options are to

  • Buy a support contract with Red Hat.
  • Try to build your own package for Bash.
  • Or the winning option: Retire this machine and use this security issue as an incentive to do so.

Solution 4:

A kind soul named Lewis Rosenthal has placed updated Bash RPMs for CentOS 4 on his FTP server. The bash-3.0-27.3 RPM is believed to address CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187. He has a README with more information, and there was some discussion on the CentOS forums. Don't forget this helpful all-in-one check script. Note that the CVE-2014-7186 check will fail with a segmentation fault, but it's still believed to be okay, because some other tests for that vulnerability turn up okay.

I would say, either follow @tstaylor7's instructions to build your own patched RPM from source or install the above. When I tried, they both had the same results in that check script.