JonRowe/bash-fix.sh

Last active Jun 28, 2016
Recompile bash to prevent ShellShock, see http://alblue.bandlem.com/2014/09/bash-remote-vulnerability.html
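# Work in a scratch directory
mkdir bash-fix
cd bash-fix
# Fetch and unpack Apple's bash source tarball
curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
cd bash-92/bash-3.2
# Apply the GNU bash 3.2 patches 052 and 053
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
cd ..
# Build bash and sh with Xcode
xcodebuild
# Keep copies of the system shells so they can be restored
sudo cp /bin/bash /bin/bash.old
sudo cp /bin/sh /bin/sh.old
# Confirm the rebuilt binaries report patch level 53 before installing them
build/Release/bash --version # GNU bash, version 3.2.53(1)-release
build/Release/sh --version # GNU bash, version 3.2.53(1)-release
# Install the rebuilt shells over the system ones
sudo cp build/Release/bash /bin
sudo cp build/Release/sh /bin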
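
The gist checks the rebuilt binaries only by reading their `--version` output. The script below is an added example, not part of the gist: it performs that version check and a behavioural check before the copy into `/bin`. The function names and the `IMPORTED` marker are hypothetical, the minimum patch level 53 assumes the bash 3.2 series built above, and the probe covers only the original function-import issue, not the second vulnerability mentioned in the comments.

```shell
#!/bin/sh
# Added example (not from the gist): checks to run on the freshly built
# binaries before they are copied over /bin/bash and /bin/sh.
# All function names here are hypothetical helpers.

# Pull "3.2.53" out of a banner such as "GNU bash, version 3.2.53(1)-release".
version_of_banner() {
    printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p'
}

# Succeed only if the last version component is a number >= the minimum.
patch_at_least() {
    patch=${1##*.}
    case $patch in ''|*[!0-9]*) return 1 ;; esac
    [ "$patch" -ge "$2" ]
}

# Succeed only if the shell does NOT run a command that trails a function
# definition passed in through the environment. The marker is harmless.
function_import_blocked() {
    out=$(env x='() { :;}; echo IMPORTED' "$1" -c 'echo probe-done' 2>/dev/null)
    [ "$out" = "probe-done" ]
}

# Check each binary given on the command line; stop at the first failure.
verify_build() {
    for bin in "$@"; do
        banner=$("$bin" --version 2>/dev/null | head -n 1)
        ver=$(version_of_banner "$banner")
        if ! patch_at_least "$ver" 53; then
            echo "FAIL $bin: version '${ver:-unknown}' is below patch 53" >&2
            return 1
        fi
        if ! function_import_blocked "$bin"; then
            echo "FAIL $bin: runs code from an imported function" >&2
            return 1
        fi
        echo "OK   $bin ($ver)"
    done
}

# Usage: sh verify-build.sh build/Release/bash build/Release/sh
if [ "$#" -gt 0 ]; then
    verify_build "$@"
fi
```

Run it after `xcodebuild` and before the `sudo cp` steps; a non-zero exit status means the binaries should not be installed.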

@JonRowe JonRowe commented Sep 26, 2014

Still needs the second patch for the second vulnerability, see: http://seclists.org/oss-sec/2014/q3/702

@jitendravyas jitendravyas commented Sep 26, 2014

@JonRowe What are the steps for the second patch?

@rwebler rwebler commented Sep 26, 2014

Get them here: http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an

If you'd already applied the fixes above, do:

cd bash-fix/bash-92/bash-3.2
curl http://alblue.bandlem.com/bash32-053.patch | patch -p0
cd ..
xcodebuild
sudo cp -f build/Release/bash /bin
sudo cp -f build/Release/sh /bin

@JonRowe JonRowe commented Sep 26, 2014

Now updated to use the official gnu patch.

@robzolkos robzolkos commented Sep 27, 2014

Thanks for this 👍

@caius caius commented Sep 27, 2014

👍💯

@photostu photostu commented Oct 3, 2014

Thanks indeed, compiled and applied no sweat.
