@matthewberryman
Last active August 29, 2015 14:06
Patch OS X for shellshock
# I'm leaving this here as a reference, but note the official patches are now out at
# http://support.apple.com/kb/DL1767?viewlocale=en_US&locale=en_US (Lion)
# http://support.apple.com/kb/DL1768?viewlocale=en_US&locale=en_US (Mountain Lion)
# http://support.apple.com/kb/DL1769?viewlocale=en_US&locale=en_US (Mavericks)
# Note they only seem to cover up to patch 53; the following will get you to patch 54.
# Important: don't just download and run this. Read to the end first.
# Taken from http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an
# but avoids symlinking to Homebrew (as that may break things) and also adds verification of the patch files for good measure.
# Test for CVE-2014-6271
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
# If vulnerable you will see:
# vulnerable
# hello
# Test for CVE-2014-7169
env -i X='() { (a)=>\' bash -c 'echo date'; cat echo
# Will print the date if vulnerable. Note that it does this by creating a file called "echo" in the current directory.
# To fix the OS X system bash, first run:
mkdir bash-fix
cd bash-fix
curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
cd bash-92/bash-3.2
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 > bash32-052
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 > bash32-053
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 > bash32-054
# If you have gnupg installed, it's a good idea to verify the patch (otherwise skip these next 7 lines):
curl ftp://ftp.gnu.org/gnu/gnu-keyring.gpg > gnu-keyring.gpg
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052.sig > bash32-052.sig
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053.sig > bash32-053.sig
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054.sig > bash32-054.sig
gpg --verify --keyring ./gnu-keyring.gpg bash32-052.sig
gpg --verify --keyring ./gnu-keyring.gpg bash32-053.sig
gpg --verify --keyring ./gnu-keyring.gpg bash32-054.sig
# Then patch
patch -p0 < bash32-052
patch -p0 < bash32-053
patch -p0 < bash32-054
# Then build and install
cd ..
xcodebuild
sudo cp /bin/bash /bin/bash.old
sudo cp /bin/sh /bin/sh.old
build/Release/bash --version
# check output contains: GNU bash, version 3.2.54(1)-release (patch 054 raises the patch level to 54)
build/Release/sh --version
# check output contains: GNU bash, version 3.2.54(1)-release
sudo cp build/Release/bash /bin
sudo cp build/Release/sh /bin
sudo chmod a-x /bin/sh.old /bin/bash.old
# If you're using Homebrew-supplied bash:
brew update && brew upgrade bash
# and/or MacPorts:
sudo port selfupdate
sudo port upgrade bash
# Important to retest:
# Test for the bugs
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
rm -f echo && env -i X='() { (a)=>\' bash -c 'echo date'; cat echo
# If you have multiple copies of bash installed, test them all.
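# Added example (not part of the original gist): the two tests above wrapped in a function that
# runs them against each bash binary inside a scratch directory, so the "echo" file never lands
# in your working directory. The function names and the candidate paths in scan_all are assumptions.

```shell
#!/bin/sh
# check_bash BINARY
# Runs the gist's two tests against BINARY in a throwaway directory.
# Returns 0 if neither test triggers, 1 if either does, 2 if BINARY cannot be run.
check_bash() {
    cb_bin=$1
    if [ ! -x "$cb_bin" ]; then
        echo "$cb_bin: not found or not executable"
        return 2
    fi
    # The CVE-2014-7169 test writes a file named "echo" into the current
    # directory, so both tests run inside a scratch directory.
    cb_tmp=$(mktemp -d) || return 2
    cb_rc=0

    # CVE-2014-6271: a vulnerable bash prints "vulnerable" before "hello".
    cb_out=$(cd "$cb_tmp" && env x='() { :;}; echo vulnerable' "$cb_bin" -c 'echo hello' 2>/dev/null) || :
    case $cb_out in
        *vulnerable*) echo "$cb_bin: CVE-2014-6271 test triggered"; cb_rc=1 ;;
    esac

    # CVE-2014-7169: a vulnerable bash creates the file "echo".
    (cd "$cb_tmp" && env -i X='() { (a)=>\' "$cb_bin" -c 'echo date' >/dev/null 2>&1) || :
    if [ -e "$cb_tmp/echo" ]; then
        echo "$cb_bin: CVE-2014-7169 test triggered"
        cb_rc=1
    fi

    rm -rf "$cb_tmp"
    [ "$cb_rc" -eq 0 ] && echo "$cb_bin: neither test triggered"
    return "$cb_rc"
}

# scan_all: check every candidate path that exists; returns 1 if any copy fails.
# Paths are assumptions: the system shells plus the default Homebrew and
# MacPorts install prefixes. Add any other copies you have.
scan_all() {
    sa_rc=0
    for sa_bin in /bin/bash /bin/sh /usr/local/bin/bash /opt/local/bin/bash; do
        [ -e "$sa_bin" ] || continue
        check_bash "$sa_bin" || sa_rc=1
    done
    return "$sa_rc"
}
```

# Source the file and run scan_all; a non-zero exit status means at least one copy still needs patching.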