How I patched the GNU BASH Shellshock bug on Ubuntu 8.04 (Hardy Heron)

    Why Bother With Such An Old Version of Ubuntu?

    Ubuntu 8.04 (Hardy Heron) has been “end of life” for some years now. But had a really old box sitting around and I did not want upgrade it to a newer version of Ubuntu because that would break other software on that machine. The best way is always to upgrade your software but in this case I just could not.

    On the other hand, the shellshock bug in BASH is a very scary thing and I did not want to have such a vulnerability on any of my machines.

    How Did You Do It?

    This is a rough script of the things I did on my old Ubuntu box to compile and install a patched version of bash. If you want to repeat the steps on another Debian-based distribution that is out of life, you may need to slightly change some of the steps.

    First, I installed the necessary build tools:

    apt-get install build-essential bison texinfo debhelper texi2html texlive-latex-base
    

    Then I made sure that these two lines were in /etc/apt/sources.list

    deb http://old-releases.ubuntu.com/ubuntu hardy main restricted universe
    deb-src http://old-releases.ubuntu.com/ubuntu hardy main restricted universe
    

    and then I created a directory in my root-users home directory and installed the package sources there:

    mkdir -p /root/src
    cd /root/src
    apt-get update
    apt-get source bash
    

    Then I changed into the source code directory for the package where the package maintainer keeps all the patches:

    cd bash-3.2/debian/patches
    

    This directory contains all the patches. The version that comes with Ubuntu 8.04 contains the patches bash32-001 to bash32-039. On the GNU.org FTP server on the other hand, there are the additional patches bash32-040 to bash32-053. Only the last two patches contain fixes for the dreaded shellshock bug, but why not install all the other patches as well, why we are at it?

    So I wrote a short list of bash commands that would import the fresh patches from the GNU.org FTP-Server and create the needed .dpatch-Files for me:

    for i in `seq 40 53` ; do sed -e "s/<your description>/bash-3.2 upstream patch bash32-0$i/g" template.dpatch > bash32-0$i.dpatch ; done
    for i in `seq 40 53` ; do sed -i -e 's/\-p1/\-p0/g' bash32-0$i.dpatch ; done
    for i in `seq 40 53` ; do echo "" >> bash32-0$i.dpatch ; done
    for i in `seq 40 53` ; do wget http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-0$i ; done
    for i in `seq 40 53` ; do cat bash32-0$i >> bash32-0$i.dpatch ; rm bash32-0$i ; done
    

    Then we need to add all the patches to the file bash-3.2/debian/rules

    Next I extended the list of patches with the new patches by adding these lines to the variable debian_patches, right after bash32-039:

    bash32-040 \
    bash32-041 \
    bash32-042 \
    bash32-043 \
    bash32-044 \
    bash32-045 \
    bash32-046 \
    bash32-047 \
    bash32-048 \
    bash32-049 \
    bash32-050 \
    bash32-051 \
    bash32-052 \
    bash32-053 \
    

    Then all I needed to do is switch to the higher-level directory and build the package.

    cd ..
    dpkg-buildpackage -us -uc
    

    and wait (the -us and -uc stands for unsigned and uncertified). After completing the compilation process, the finished files are stored on directory one level higher up, so

    cd ..
    dpkg -i bash_3.2-0ubuntu18_i386.deb
    

    installs the patched version of bash into your system.

    And that’s it.

    Can I Download Your DEB-Package?

    Sure, but I can only make the i386 package available and it is not really a good idea to trust some random guy on the Internet with your server’s security.

    But anyway, there you go: bash_3.2-0ubuntu18_i386.deb