Create a gist now

Instantly share code, notes, and snippets.

Patch OS X for shellshock
# I'm leaving this here for as a reference, but note the official patches are now out at
# http://support.apple.com/kb/DL1767?viewlocale=en_US&locale=en_US (Lion)
# http://support.apple.com/kb/DL1768?viewlocale=en_US&locale=en_US (Mountain Lion)
# http://support.apple.com/kb/DL1769?viewlocale=en_US&locale=en_US (Mavericks)
# Note they only seem to cover up to patch 53, following will get you to patch 54.
# Important: don't just download and run this. Read to the end first.
# Taken from http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an
# but avoids symlinking to homebrew (as that may break things) and also added verification of patch file for good measure.
# Test for CVE-2014-6271
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
# If vulnerable you will see:
# vulnerable
# hello
# Test for CVE-2014-7169
env -i X='() { (a)=>\' bash -c 'echo date'; cat echo
# Will print the date if vulnerable, note that it does this by creating a file called "echo" in the current directory.
# To fix the OS X system bash, first run:
mkdir bash-fix
cd bash-fix
curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
cd bash-92/bash-3.2
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 > bash32-052
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 > bash32-053
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 > bash32-054
# If you have gnupg installed, it's a good idea to verify the patch (otherwise skip these next 7 lines):
curl ftp://ftp.gnu.org/gnu/gnu-keyring.gpg > gnu-keyring.gpg
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052.sig > bash32-052.sig
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053.sig > bash32-053.sig
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054.sig > bash32-054.sig
gpg --verify --keyring ./gnu-keyring.gpg bash32-052.sig
gpg --verify --keyring ./gnu-keyring.gpg bash32-053.sig
gpg --verify --keyring ./gnu-keyring.gpg bash32-054.sig
# Then patch
patch -p0 < bash32-052
patch -p0 < bash32-053
patch -p0 < bash32-054
# Then build and install
cd ..
xcodebuild
sudo cp /bin/bash /bin/bash.old
sudo cp /bin/sh /bin/sh.old
build/Release/bash --version
# check output contains: GNU bash, version 3.2.53(1)-release
build/Release/sh --version
# check output contains: GNU bash, version 3.2.53(1)-release
sudo cp build/Release/bash /bin
sudo cp build/Release/sh /bin
sudo chmod a-x /bin/sh.old /bin/bash.old
# If you're using Homebrew-supplied bash:
brew update && brew upgrade bash
# and/or MacPorts:
sudo port selfupdate
sudo port upgrade bash
# Important to retest:
# Test for the bugs
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
rm -f echo && env -i X='() { (a)=>\' bash -c 'echo date'; cat echo
# If you're using multiple copies then test all.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment