/osx-shellshock-patch.sh
Last active Aug 29, 2015
Patch OS X for shellshock
| # I'm leaving this here for as a reference, but note the official patches are now out at | |
| # http://support.apple.com/kb/DL1767?viewlocale=en_US&locale=en_US (Lion) | |
| # http://support.apple.com/kb/DL1768?viewlocale=en_US&locale=en_US (Mountain Lion) | |
| # http://support.apple.com/kb/DL1769?viewlocale=en_US&locale=en_US (Mavericks) | |
| # Note they only seem to cover up to patch 53, following will get you to patch 54. | |
| # Important: don't just download and run this. Read to the end first. | |
| # Taken from http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an | |
| # but avoids symlinking to homebrew (as that may break things) and also added verification of patch file for good measure. | |
| # Test for CVE-2014-6271 | |
| env x='() { :;}; echo vulnerable' bash -c 'echo hello' | |
| # If vulnerable you will see: | |
| # vulnerable | |
| # hello | |
| # Test for CVE-2014-7169 | |
| env -i X='() { (a)=>\' bash -c 'echo date'; cat echo | |
| # Will print the date if vulnerable, note that it does this by creating a file called "echo" in the current directory. | |
| # To fix the OS X system bash, first run: | |
| mkdir bash-fix | |
| cd bash-fix | |
| curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf - | |
| cd bash-92/bash-3.2 | |
| curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 > bash32-052 | |
| curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 > bash32-053 | |
| curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 > bash32-054 | |
| # If you have gnupg installed, it's a good idea to verify the patch (otherwise skip these next 7 lines): | |
| curl ftp://ftp.gnu.org/gnu/gnu-keyring.gpg > gnu-keyring.gpg | |
| curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052.sig > bash32-052.sig | |
| curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053.sig > bash32-053.sig | |
| curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054.sig > bash32-054.sig | |
| gpg --verify --keyring ./gnu-keyring.gpg bash32-052.sig | |
| gpg --verify --keyring ./gnu-keyring.gpg bash32-053.sig | |
| gpg --verify --keyring ./gnu-keyring.gpg bash32-054.sig | |
| # Then patch | |
| patch -p0 < bash32-052 | |
| patch -p0 < bash32-053 | |
| patch -p0 < bash32-054 | |
| # Then build and install | |
| cd .. | |
| xcodebuild | |
| sudo cp /bin/bash /bin/bash.old | |
| sudo cp /bin/sh /bin/sh.old | |
| build/Release/bash --version | |
| # check output contains: GNU bash, version 3.2.53(1)-release | |
| build/Release/sh --version | |
| # check output contains: GNU bash, version 3.2.53(1)-release | |
| sudo cp build/Release/bash /bin | |
| sudo cp build/Release/sh /bin | |
| sudo chmod a-x /bin/sh.old /bin/bash.old | |
| # If you're using Homebrew-supplied bash: | |
| brew update && brew upgrade bash | |
| # and/or MacPorts: | |
| sudo port selfupdate | |
| sudo port upgrade bash | |
| # Important to retest: | |
| # Test for the bugs | |
| env x='() { :;}; echo vulnerable' bash -c 'echo hello' | |
| rm -f echo && env -i X='() { (a)=>\' bash -c 'echo date'; cat echo | |
| # If you're using multiple copies then test all. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment