
AR# 62584

PetaLinux – Patching BASH From Source to Mitigate BASH Security Alert CVE-2014-6271 (Shellshock)


In September 2014, Stephane Chazelas discovered the original vulnerability in the BASH shell that allows BASH to execute arbitrary code.

This vulnerability can be used to compromise a BASH-based system and allow an unauthorized user to gain control of the system.

This vulnerability exists in BASH versions 1.03 to 4.3.

Subsequently, engineers at Red Hat discovered additional vulnerabilities.

Patches have been released for BASH 4.3 to mitigate these vulnerabilities.
The following security alerts are considered part of the "shellshock" exploit:
  • CVE-2014-6271
  • CVE-2014-6277
  • CVE-2014-6278
  • CVE-2014-7169
  • CVE-2014-7186
  • CVE-2014-7187
Xilinx currently includes a vulnerable version of BASH in the optional root filesystem packages provided by PetaLinux 2014.2 and prior.
The default shell provided by PetaLinux 2014.2 is based on Almquist shell, which is not currently known to be vulnerable to the shellshock security alerts. 

There are currently no plans to patch the filesystem packages provided by Xilinx.
The instructions below detail how to download and build a patched version of BASH and include it in a user's root filesystem.


NOTE: Most of the commands below assume they are being run in a BASH shell. 

If running in a different shell, adapt the commands as appropriate.

Additionally, these instructions are specifically for building for Zynq (ARM Cortex-A9).

To build for MicroBlaze, you will need to substitute the appropriate architecture string where necessary.


1) Create a new PetaLinux user application inside your PetaLinux project using the command

petalinux-create -t apps -n <name> -p <path_to_project>

Change to this directory.  This is usually located in $PLNX_PROJECT/components/apps/<name>.


2) Create a scratchpad area inside the BASH PLNX application:

mkdir ./target_root/
mkdir ./target_root/bin
mkdir ./bash_build


3) Download and unpack BASH 4.3

cd bash_build
wget ftp://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
tar xvfz ./bash-4.3.tar.gz


4) Download the BASH 4.3 patches.  

These are the patches that resolve the shellshock vulnerabilities.

Patches for BASH need to be applied sequentially; they are not cumulative.

The following command line can be used to automate the download process:

mkdir ./patches
cd ./patches
for i in {1..30}; do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-0$(printf "%02d" $i;); done

Note:  This will download up to 30 patches. 

If there are additional patches available then this upper bound should be increased.


5) Change into the unpacked BASH directory (eg, ./bash-4.3) and apply the patches.

cd ../bash-4.3
for i in {1..30}; do patch -Np0 -i ../patches/bash43-0$(printf "%02d" $i;); done

Note: This will apply up to 30 patches. If there are additional patches available then this upper bound should be increased.
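
The loops in steps 4 and 5 keep going after a failed download or a rejected patch, so it is worth confirming the result before building. The following is an added example, not part of the original Xilinx article: it checks that every patch file from 001 up to the chosen upper bound is present and non-empty, and that PATCHLEVEL in the source tree's patchlevel.h matches that bound. The function names are illustrative, and it assumes each official patch updates patchlevel.h.

```sh
#!/bin/sh
# Added example: verify the patch set and the patched source tree agree.
# Usage from the bash_build directory (after step 5):
#   verify_patched_tree ./patches ./bash-4.3 30

# patch_name N -> bash43-0NN, the same naming the download loop uses
patch_name() {
    printf 'bash43-%03d' "$1"
}

# missing_patches PATCH_DIR UPPER -> prints each absent or empty patch file
missing_patches() {
    dir=$1; upper=$2; i=1
    while [ "$i" -le "$upper" ]; do
        f="$dir/$(patch_name "$i")"
        [ -s "$f" ] || printf '%s\n' "$(patch_name "$i")"
        i=$((i + 1))
    done
}

# source_patchlevel SRC_DIR -> prints the PATCHLEVEL value in patchlevel.h
source_patchlevel() {
    sed -n 's/^#define[[:space:]]\{1,\}PATCHLEVEL[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' \
        "$1/patchlevel.h"
}

# verify_patched_tree PATCH_DIR SRC_DIR UPPER -> returns 0 only when no patch
# in 1..UPPER is missing and the source tree reports patch level UPPER
verify_patched_tree() {
    missing=$(missing_patches "$1" "$3")
    if [ -n "$missing" ]; then
        # unquoted on purpose: collapse the newline-separated list to one line
        echo "missing patches:" $missing >&2
        return 1
    fi
    level=$(source_patchlevel "$2")
    if [ "$level" != "$3" ]; then
        echo "patchlevel.h reports ${level:-none}, expected $3" >&2
        return 1
    fi
    return 0
}
```

A non-zero return means the tree should not be built until the gap is resolved, since a skipped patch breaks the sequential ordering the later patches depend on.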

6) Configure the build environment (Note: this step assumes BASH as the host shell below)

export CROSS_COMPILE=arm-xilinx-linux-gnueabi-
ac_cv_sys_restartable_syscalls=yes ac_cv_func_setvbuf_reversed=yes ./configure --build=i386-linux --host=arm-xilinx-linux-gnueabi --enable-readline --prefix=/
make ARCH=arm

7) Move the new BASH binary into the staging area

cp ./bash ../../target_root/bin/
cd ../../target_root/bin
ln -s ./bash ./sh

Note: The last command above creates a symbolic link between the sh command and the bash that was built.

8) Update the PetaLinux Application Makefile to allow installation into the root filesystem without re-building

Note: the instructions below were tested with PetaLinux 2014.2.  

For prior releases of PetaLinux, please see (Xilinx Answer 55975)

A) Filename is <PLNX_PROJ>/components/apps/<name>/Makefile 
B) remove all sections except "all:" and "install:"
C) remove "build" from the "all:" tag
D) update .PHONY to be just "install"

Below is an example of a fixed Makefile for the PetaLinux user application: 

ifndef PETALINUX
$(error "Error: PETALINUX environment variable not set.  Change to the root of your PetaLinux install, and source the settings.sh file")
endif

include apps.common.mk

APP = bash_4.3_patches

# Add any other object files to this list below
APP_OBJS = bash_4.3_patches.o

all: install

.PHONY: install

# Copy the staged files (prebuilt bash binary and sh symlink) into the target root filesystem
install: $(APP)
	rsync -ar ./target_root/ $(TARGETDIR)/


9) Update the PetaLinux root filesystem configuration to include the user-built BASH application and then build the Linux system as normal.

AR# 62584
Date Created 10/22/2014
Last Updated 10/24/2014
Status Active
Type General Article
  • PetaLinux
  • PetaLinux - 2014.2