2 files here are statically compiled versions of GNU bash, version
4.2.37(1)-release from debian wheezy. (package version
4.2+dfsg-0.1+deb7u3).  There is also a tarball of the up-stream bash
source with post-release patch up to and including patch 27 if you
wish to compile bash from source.


They are patched to avoid:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
https://access.redhat.com/security/cve/CVE-2014-7186
https://access.redhat.com/security/cve/CVE-2014-7187

You should update your system with security patches provided by your
own distro.  In the event that you are using an obsolete or
infrequently updated distro, it is relatively safe to replace your
system's version of bash with these files since they are statically
compiled.  They should run on any computer of the appropriate
architecture.  (Caveat: the i386 version won't really run on an i386,
it should run on an i686 or newer CPU, your mileage may very on
anything in between i386 and i686) You will only have trouble if you
have shell scripts around that depend on implementation quirks
(e.g. bugs) in specific versions of bash.

If you replace /bin/bash, I recommend doing this way:

sudo cp -a /bin/bash /bin/bash-distro
sudo cp APPROPRIATE_VERSION_OF_BASH /bin/bash-static
sudo chown root:root /bin/bash-static
sudo chmod 755 /bin/bash-static

make sure it runs:

/bin/bash-static --version

mv it into position:

sudo mv /bin/bash-static /bin/bash

now make suse your aren't vulnerable to CVE-2014-7169:

env X='() { (a)=>\' /bin/bash -c "echo date"; cat echo

if the next command prints:

/bin/bash: X: line 1: syntax error near unexpected token `='
/bin/bash: X: line 1: `'
/bin/bash: error importing function definition for `X'
/bin/bash: echo: Permission denied
cat: echo: No such file or directory

then you should be fine, if you see the date printed below the error
lines, like:

/bin/bash: X: line 1: syntax error near unexpected token `='
/bin/bash: X: line 1: `'
/bin/bash: error importing function definition for `X'
Thu Sep 25 18:27:55 CDT 2014

You're still in trouble.  You also have a file named 'echo' you should
remove:

rm echo

I recommend keeping the old version of bash around, just in case.  It
should pose no threat if it will not be called by processes running as
privileged or semi-privelaged users.    If you're really paranoid, you
can render it non-exectuble:

sudo chmod 600 /bin/bash-distro

To check for *just* CVE-2014-6271 you can run:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

And see if you print the string 'vulnerable', however the example
command for CVE-2014-7169 will also test for CVE-2014-6271 as well.

There are no trivial tests for:

https://access.redhat.com/security/cve/CVE-2014-7186
https://access.redhat.com/security/cve/CVE-2014-7187

The bash source + patches in this directory are insufficient to
produce a secure bash shell.  The do not address the above two
vulnerabilities.