Last active
August 29, 2015 14:06
-
-
Save matthewberryman/c97addae472db58584a8 to your computer and use it in GitHub Desktop.
Patch OS X for shellshock
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# I'm leaving this here for as a reference, but note the official patches are now out at | |
# http://support.apple.com/kb/DL1767?viewlocale=en_US&locale=en_US (Lion) | |
# http://support.apple.com/kb/DL1768?viewlocale=en_US&locale=en_US (Mountain Lion) | |
# http://support.apple.com/kb/DL1769?viewlocale=en_US&locale=en_US (Mavericks) | |
# Note they only seem to cover up to patch 53, following will get you to patch 54. | |
# Important: don't just download and run this. Read to the end first. | |
# Taken from http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an | |
# but avoids symlinking to homebrew (as that may break things) and also added verification of patch file for good measure. | |
# Test for CVE-2014-6271 | |
env x='() { :;}; echo vulnerable' bash -c 'echo hello' | |
# If vulnerable you will see: | |
# vulnerable | |
# hello | |
# Test for CVE-2014-7169 | |
env -i X='() { (a)=>\' bash -c 'echo date'; cat echo | |
# Will print the date if vulnerable, note that it does this by creating a file called "echo" in the current directory. | |
# To fix the OS X system bash, first run: | |
mkdir bash-fix | |
cd bash-fix | |
curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf - | |
cd bash-92/bash-3.2 | |
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 > bash32-052 | |
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 > bash32-053 | |
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 > bash32-054 | |
# If you have gnupg installed, it's a good idea to verify the patch (otherwise skip these next 7 lines): | |
curl ftp://ftp.gnu.org/gnu/gnu-keyring.gpg > gnu-keyring.gpg | |
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052.sig > bash32-052.sig | |
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053.sig > bash32-053.sig | |
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054.sig > bash32-054.sig | |
gpg --verify --keyring ./gnu-keyring.gpg bash32-052.sig | |
gpg --verify --keyring ./gnu-keyring.gpg bash32-053.sig | |
gpg --verify --keyring ./gnu-keyring.gpg bash32-054.sig | |
# Then patch | |
patch -p0 < bash32-052 | |
patch -p0 < bash32-053 | |
patch -p0 < bash32-054 | |
# Then build and install | |
cd .. | |
xcodebuild | |
sudo cp /bin/bash /bin/bash.old | |
sudo cp /bin/sh /bin/sh.old | |
build/Release/bash --version | |
# check output contains: GNU bash, version 3.2.53(1)-release | |
build/Release/sh --version | |
# check output contains: GNU bash, version 3.2.53(1)-release | |
sudo cp build/Release/bash /bin | |
sudo cp build/Release/sh /bin | |
sudo chmod a-x /bin/sh.old /bin/bash.old | |
# If you're using Homebrew-supplied bash: | |
brew update && brew upgrade bash | |
# and/or MacPorts: | |
sudo port selfupdate | |
sudo port upgrade bash | |
# Important to retest: | |
# Test for the bugs | |
env x='() { :;}; echo vulnerable' bash -c 'echo hello' | |
rm -f echo && env -i X='() { (a)=>\' bash -c 'echo date'; cat echo | |
# If you're using multiple copies then test all. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment