Patch OS X for shellshock
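# I'm leaving this here as a reference, but note the official patches are now out at
# http://support.apple.com/kb/DL1767?viewlocale=en_US&locale=en_US (Lion)
# http://support.apple.com/kb/DL1768?viewlocale=en_US&locale=en_US (Mountain Lion)
# http://support.apple.com/kb/DL1769?viewlocale=en_US&locale=en_US (Mavericks)
# Note they only seem to cover up to patch 53; the following will get you to patch 54.
# Important: don't just download and run this. Read to the end first.
# These are steps to run one at a time, not an unattended script: nothing here
# stops on error, so if a step fails or prints something unexpected, stop and
# investigate before going on (the later steps overwrite /bin/bash and /bin/sh).
# Taken from http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an
# but avoids symlinking to homebrew (as that may break things) and also adds verification of the patch files for good measure.

# Test for CVE-2014-6271
# Note: "bash" below is whichever bash comes first in $PATH, which is not
# necessarily the system /bin/bash.
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
# If vulnerable you will see:
# vulnerable
# hello

# Test for CVE-2014-7169
# This test works by creating a file called "echo" in the current directory, so
# run it from a scratch directory and remove any stale "echo" file first: a
# leftover file from an earlier run would look like a positive result.
rm -f echo && env -i X='() { (a)=>\' bash -c 'echo date'; cat echo
# Will print the date if vulnerable. If not vulnerable, no "echo" file is
# created and cat reports that the file does not exist.
rm -f echo

# To fix the OS X system bash, first run:
mkdir bash-fix && cd bash-fix
# No signature or checksum is checked for this tarball; HTTPS to
# opensource.apple.com is the only integrity assurance for the base source.
# -f makes curl fail on an HTTP error instead of passing an error page on.
curl -f https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
cd bash-92/bash-3.2
curl -f -o bash32-052 https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052
curl -f -o bash32-053 https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053
curl -f -o bash32-054 https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054

# If you have gnupg installed, it's a good idea to verify the patches (otherwise
# skip these next 7 commands; HTTPS to ftp.gnu.org is then your only assurance
# that the patches are genuine).
# The keyring is the trust anchor for the check, so fetch it over HTTPS rather
# than plain FTP. It still comes from the same server as the patches: if you
# can, compare the signing key's fingerprint against an independent source.
curl -f -o gnu-keyring.gpg https://ftp.gnu.org/gnu/gnu-keyring.gpg
curl -f -o bash32-052.sig https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052.sig
curl -f -o bash32-053.sig https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053.sig
curl -f -o bash32-054.sig https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054.sig
# --no-default-keyring limits the check to the GNU keyring just downloaded, and
# naming the patch file explicitly ties each signature to the file you are about
# to apply. Each command must report "Good signature"; do not patch otherwise.
# (A warning that the key is not certified by a trusted signature is expected
# unless the key is already in your own web of trust.)
gpg --no-default-keyring --keyring ./gnu-keyring.gpg --verify bash32-052.sig bash32-052
gpg --no-default-keyring --keyring ./gnu-keyring.gpg --verify bash32-053.sig bash32-053
gpg --no-default-keyring --keyring ./gnu-keyring.gpg --verify bash32-054.sig bash32-054

# Then patch (each must apply cleanly, with no rejected hunks)
patch -p0 < bash32-052
patch -p0 < bash32-053
patch -p0 < bash32-054

# Then build and install
cd ..
xcodebuild
sudo cp /bin/bash /bin/bash.old
sudo cp /bin/sh /bin/sh.old
build/Release/bash --version
# check output contains: GNU bash, version 3.2.54(1)-release
# (3.2.53 here would suggest that patch 54 did not apply)
build/Release/sh --version
# check output contains: GNU bash, version 3.2.54(1)-release
# Confirm the freshly built binary passes the test before it replaces the system one:
env x='() { :;}; echo vulnerable' build/Release/bash -c 'echo hello'
sudo cp build/Release/bash /bin
sudo cp build/Release/sh /bin
# The .old backups are still the vulnerable binaries, so make them non-executable.
sudo chmod a-x /bin/sh.old /bin/bash.old

# If you're using Homebrew-supplied bash:
brew update && brew upgrade bash
# and/or MacPorts:
sudo port selfupdate
sudo port upgrade bash

# Important to retest:
# Test for the bugs
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
rm -f echo && env -i X='() { (a)=>\' bash -c 'echo date'; cat echo
rm -f echo
# If you're using multiple copies then test all: repeat the two tests with each
# full path (for example /bin/bash, /bin/sh and any Homebrew or MacPorts bash)
# in place of "bash", since a bare "bash" only exercises the first one in $PATH.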