@JonRowe
Last active June 28, 2016 20:26
Recompile bash to prevent ShellShock, see http://alblue.bandlem.com/2014/09/bash-remote-vulnerability.html
# Fetch Apple's bash-92 source drop (bash 3.2.51 before patching) and unpack it.
mkdir bash-fix
cd bash-fix
curl -fsSL https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
cd bash-92/bash-3.2
# Apply the two upstream GNU patches. -f makes curl fail on an HTTP error instead of
# piping an error page into patch; GNU publishes a detached .sig next to each patch
# on ftp.gnu.org if you want to verify it before applying. Check the same directory
# for later patches in the series and apply them the same way.
curl -fsSL https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
curl -fsSL https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
cd ..
xcodebuild
# Keep the originals so you can roll back.
sudo cp /bin/bash /bin/bash.old
sudo cp /bin/sh /bin/sh.old
# Both rebuilt binaries should report the patched version before you install them.
build/Release/bash --version # GNU bash, version 3.2.53(1)-release
build/Release/sh --version # GNU bash, version 3.2.53(1)-release
sudo cp build/Release/bash /bin
sudo cp build/Release/sh /bin
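Two checks worth running on the rebuilt binaries before copying them over /bin, as an added example that is not part of JonRowe's gist: parse the `--version` banner to confirm the 3.2 patch level reached 53, and run the widely published environment-function probe for the first ShellShock bug (CVE-2014-6271, the CVE named in the Apple StackExchange link in the comments). `build/Release/bash` is the gist's own build path; the function names are mine, and the version banner used in the comments is constructed from the gist's expected output.

```shell
# Added example, not part of the original gist: sanity-check a rebuilt bash.
# POSIX sh, so it can be sourced from the gist's working directory.

# Print the "X.Y.Z" release from a `bash --version` banner.
# Constructed example input: "GNU bash, version 3.2.53(1)-release" -> "3.2.53"
bash_release() {
    printf '%s\n' "$1" | sed -n 's/^GNU bash, version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 if the banner describes bash 3.2 at patch level 53 or higher,
# i.e. both bash32-052 and bash32-053 from the gist have been applied.
bash32_patched_to_053() {
    rel=$(bash_release "$1")
    [ -n "$rel" ] || return 1
    major_minor=${rel%.*}   # "3.2"
    patch=${rel##*.}        # "53"
    [ "$major_minor" = "3.2" ] && [ "$patch" -ge 53 ]
}

# Probe a shell binary for the original ShellShock bug: an exported function
# definition must not execute the code that follows the closing brace.
# Prints "vulnerable" or "not vulnerable".
shellshock_probe() {
    shell_bin=$1
    out=$(env x='() { :;}; echo vulnerable' "$shell_bin" -c 'echo test' 2>/dev/null)
    case $out in
        *vulnerable*) echo vulnerable ;;
        *) echo "not vulnerable" ;;
    esac
}

# Run both checks against the freshly built binary when it exists
# (a no-op elsewhere, so the file can be sourced for its functions alone).
if [ -x build/Release/bash ]; then
    banner=$(build/Release/bash --version | head -n 1)
    if bash32_patched_to_053 "$banner"; then
        echo "patch level ok: $banner"
    else
        echo "patch level too low: $banner"
    fi
    echo "build/Release/bash: $(shellshock_probe build/Release/bash)"
fi
```

The probe reports "not vulnerable" for a patched bash and also for any shell that is not bash at all, so pair it with the version check: together they tell you that the binary you are about to copy into /bin is the patched bash, not merely that something in that path ignores the payload.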
JonRowe commented Sep 26, 2014

Still needs the second patch for the second vulnerability, see: http://seclists.org/oss-sec/2014/q3/702

@jitendravyas

@JonRowe What are the steps for the second patch?

@rwebler

rwebler commented Sep 26, 2014

Get them here: http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an

If you'd already applied the fixes above, do:

cd bash-fix/bash-92/bash-3.2
curl -fsSL http://alblue.bandlem.com/bash32-053.patch | patch -p0
cd ..
xcodebuild
# install both rebuilt binaries
sudo cp -f build/Release/bash /bin
sudo cp -f build/Release/sh /bin

@JonRowe
JonRowe commented Sep 26, 2014

Now updated to use the official GNU patch.

@robzolkos

Thanks for this 👍

@caius

caius commented Sep 27, 2014

👍💯

@photostu

photostu commented Oct 3, 2014

Thanks indeed, compiled and applied no sweat.
