Patch OS X for shellshock
# I'm leaving this here as a reference, but note the official patches are now out at
# http://support.apple.com/kb/DL1767?viewlocale=en_US&locale=en_US (Lion)
# http://support.apple.com/kb/DL1768?viewlocale=en_US&locale=en_US (Mountain Lion)
# http://support.apple.com/kb/DL1769?viewlocale=en_US&locale=en_US (Mavericks)
# Note they only seem to cover up to patch 53; the following will get you to patch 54.
# Important: don't just download and run this. Read to the end first.
# Taken from http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an
# but avoids symlinking to Homebrew (as that may break things) and adds verification of the patch files for good measure.
# Test for CVE-2014-6271
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
# If vulnerable you will see:
# vulnerable
# hello
# Test for CVE-2014-7169
env -i X='() { (a)=>\' bash -c 'echo date'; cat echo
# Will print the date if vulnerable. Note that it does this by creating a file called "echo" in the current directory.
# To fix the OS X system bash, first run:
mkdir bash-fix
cd bash-fix
curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
cd bash-92/bash-3.2
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 > bash32-052
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 > bash32-053
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 > bash32-054
# If you have gnupg installed, it's a good idea to verify the patch (otherwise skip these next 7 lines):
curl https://ftp.gnu.org/gnu/gnu-keyring.gpg > gnu-keyring.gpg
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052.sig > bash32-052.sig
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053.sig > bash32-053.sig
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054.sig > bash32-054.sig
gpg --verify --keyring ./gnu-keyring.gpg bash32-052.sig
gpg --verify --keyring ./gnu-keyring.gpg bash32-053.sig
gpg --verify --keyring ./gnu-keyring.gpg bash32-054.sig
# Then patch
patch -p0 < bash32-052
patch -p0 < bash32-053
patch -p0 < bash32-054
# Then build and install
cd ..
xcodebuild
sudo cp /bin/bash /bin/bash.old
sudo cp /bin/sh /bin/sh.old
build/Release/bash --version
# check output contains: GNU bash, version 3.2.54(1)-release
build/Release/sh --version
# check output contains: GNU bash, version 3.2.54(1)-release
sudo cp build/Release/bash /bin
sudo cp build/Release/sh /bin
sudo chmod a-x /bin/sh.old /bin/bash.old
# If you're using Homebrew-supplied bash:
brew update && brew upgrade bash
# and/or MacPorts:
sudo port selfupdate
sudo port upgrade bash
# Important to retest:
# Test for the bugs
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
rm -f echo && env -i X='() { (a)=>\' bash -c 'echo date'; cat echo
# If you're using multiple copies then test all.
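# Added example (not part of the original gist): the two tests above, wrapped so that every bash copy
# gets checked and the "echo" file is created in a scratch directory instead of the current one.
# The Homebrew and MacPorts paths are their default prefixes, assumed here; pass other paths as arguments.

```shell
#!/bin/sh
# check_shell PATH: run both tests from this page against one binary.
# Returns 0 if neither test fires, 1 if either does.
check_shell() {
    shell=$1; hits=""
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/shellshock.XXXXXX") || return 2

    # CVE-2014-6271: a vulnerable bash runs the command trailing the function body.
    out=$(cd "$scratch" && env x='() { :;}; echo vulnerable' "$shell" -c 'echo hello' 2>/dev/null) || true
    case $out in *vulnerable*) hits="$hits CVE-2014-6271" ;; esac

    # CVE-2014-7169: a vulnerable bash creates a file named "echo" in its working directory.
    (cd "$scratch" && env -i X='() { (a)=>\' "$shell" -c 'echo date' >/dev/null 2>&1) || true
    [ -e "$scratch/echo" ] && hits="$hits CVE-2014-7169"

    rm -rf "$scratch"
    if [ -n "$hits" ]; then
        echo "$shell: VULNERABLE:$hits"
        return 1
    fi
    echo "$shell: ok"
}

# check_all [PATH...]: test the given shells, or a default candidate list:
# the system copies plus the default Homebrew and MacPorts locations (assumed paths).
check_all() {
    [ "$#" -gt 0 ] || set -- /bin/bash /bin/sh /usr/local/bin/bash /opt/local/bin/bash
    rc=0
    for s in "$@"; do
        [ -x "$s" ] || continue      # skip copies that are not installed
        check_shell "$s" || rc=1
    done
    return "$rc"
}

check_all "$@" || echo "at least one copy still needs patching" >&2
```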