{"id":1567,"date":"2014-09-28T09:43:11","date_gmt":"2014-09-28T16:43:11","guid":{"rendered":"http:\/\/joelinoff.com\/blog\/?p=1567"},"modified":"2014-09-28T09:43:11","modified_gmt":"2014-09-28T16:43:11","slug":"bash-script-to-fix-the-shellshock-vulnerability-on-mac-os-x-10-9-5-cve-2014-6271","status":"publish","type":"post","link":"https:\/\/joelinoff.com\/blog\/?p=1567","title":{"rendered":"Bash script to fix the shellshock vulnerability on Mac OS X 10.9.5 (CVE-2014-6271)"},"content":{"rendered":"<p>This <a href=\"http:\/\/projects.joelinoff.com\/bash-shellshock\/bash-shellshock-mac.sh\">script<\/a> will build and install a new version of bash and sh from source that will fix the bash shellshock vulnerability on Mac OS X 10.9.5 until the official patch is released from Apple. It requires the XCode command line tools. If you do not have the XCode command line tools installed, I have made pre-built versions of bash and sh available for download.<br \/>\n<!--more--><br \/>\nPlease note that you probably don&#8217;t need this patch unless you are running services that expose the vulnerability on an external port.<\/p>\n<p>Many thanks to this blog for providing the key information: <a href=\"http:\/\/apple.stackexchange.com\/questions\/146849\/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an\">http:\/\/apple.stackexchange.com\/questions\/146849\/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an<\/a> and to Chet Ramey for creating and distributing the patches so quickly.<\/p>\n<h3>Patch, Build and Install the Fixed Versions of bash and sh<\/h3>\n<p>This is how you download the script and use it to install the updates.<\/p>\n<pre class=\"theme:vs2012-black font-size:14 line-height:17 lang:default decode:true\">\r\n$ # Download the script using wget.
You can also use curl or any other similar tool.\r\n$ wget http:\/\/projects.joelinoff.com\/bash-shellshock\/bash-shellshock-mac.sh\r\n$ chmod a+x bash-shellshock-mac.sh\r\n$ .\/bash-shellshock-mac.sh\r\n[output snipped]\r\n\r\n$ # Verify that the vulnerability was fixed.\r\n$ env x='() { :;}; echo vulnerable' bash -c \"echo bash: shellshock test\"\r\nbash: warning: x: ignoring function definition attempt\r\nbash: error importing function definition for `x'\r\nbash: shellshock test\r\n<\/pre>\n<h3>Download, Verify and Install Pre-Built Versions of bash and sh<\/h3>\n<p>If you cannot build locally because you do not have the XCode command line tools installed, you can download and install the pre-built versions of bash and sh as follows.<\/p>\n<pre class=\"theme:vs2012-black font-size:14 line-height:17 lang:default decode:true \" >\r\n$ # Download the pre-built versions.\r\n$ wget http:\/\/projects.joelinoff.com\/bash-shellshock\/bash-mac-3.2.53\r\n$ wget http:\/\/projects.joelinoff.com\/bash-shellshock\/sh-mac-3.2.53\r\n$ chmod a+x bash-mac-3.2.53 sh-mac-3.2.53\r\n\r\n$ # Verify that they have not been tampered with.\r\n$ # If the checksum does NOT match, do not go any further.\r\n$ sum bash-mac-3.2.53\r\n55667 924 bash-mac-3.2.53\r\n$ sum sh-mac-3.2.53\r\n62584 925 sh-mac-3.2.53\r\n\r\n$ # Back up the originals and disable execution.\r\n$ sudo cp \/bin\/bash{,-3.2.51}\r\n$ sudo cp \/bin\/sh{,-3.2.51}\r\n$ sudo chmod a-x \/bin\/bash-3.2.51 \/bin\/sh-3.2.51\r\n\r\n$ # Install.\r\n$ sudo cp bash-mac-3.2.53 \/bin\/bash\r\n$ sudo cp sh-mac-3.2.53 \/bin\/sh\r\n\r\n$ # Verify that they are installed.\r\n$ bash --version\r\nGNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)\r\nCopyright (C) 2007 Free Software Foundation, Inc.\r\n$ sh --version\r\nGNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)\r\nCopyright (C) 2007 Free Software Foundation, Inc.\r\n\r\n$ # Verify that the vulnerability was fixed.\r\n$ env x='() { :;}; echo vulnerable' bash -c \"echo bash: shellshock 
test\"\r\nbash: warning: x: ignoring function definition attempt\r\nbash: error importing function definition for `x'\r\nbash: shellshock test\r\n<\/pre>\n<h3>Script Contents<\/h3>\n<p>This is the script. There is nothing fancy. It verifies that the OS version is correct and that the XCode command line tools are installed before downloading the bash source and patches which are then built and installed. Once installed it verifies that the patch worked.<\/p>\n<pre class=\"theme:vs2012-black font-size:14 line-height:17 lang:default decode:true\">\r\n#!\/bin\/bash\r\n# CITATION: http:\/\/apple.stackexchange.com\/questions\/146849\/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an\r\nfunction hdr() {\r\n    echo\r\n    echo \"# ================================================================\"\r\n    echo \"# $*\"\r\n    echo \"# ================================================================\"\r\n}\r\n\r\nhdr \"bash shellshock fix for Mac OS X 10.9.5\"\r\n\r\nhdr \"Verify the OS version\"\r\nSWVER=$(sw_vers -productVersion)\r\nif [[ \"${SWVER}\" != \"10.9.5\" ]] ; then\r\n    echo \"ERROR: This script has only been tested on Mac OS X 10.9.5, cannot continue.\"\r\n    exit 1\r\nfi\r\n\r\nhdr \"Verify that xcode command line tools are installed.\"\r\npkgutil --pkg-info=com.apple.pkg.CLTools_Executables\r\nst=$?\r\nif (( $st )) ; then\r\n    echo \"ERROR: This script requires xcode, cannot continue.\"\r\n    exit 1\r\nfi\r\n\r\nif [ ! -f downloads\/bash-92.tar.gz ] ; then\r\n    hdr \"Downloading bash-92.tar.gz\"\r\n    if [ ! -d downloads ] ; then\r\n\tmkdir downloads\r\n    fi\r\n    pushd downloads\r\n    wget --no-check-certificate https:\/\/opensource.apple.com\/tarballs\/bash\/bash-92.tar.gz\r\n    popd\r\n    if [ -d bash-92 ] ; then\r\n        sudo rm -rf bash-92\r\n    fi\r\nfi\r\n\r\nif [ ! -f downloads\/bash32-052 ] ; then\r\n    hdr \"Downloading bash32-052\"\r\n    if [ ! 
-d downloads ] ; then\r\n\tmkdir downloads\r\n    fi\r\n    pushd downloads\r\n    # NOTE: --no-check-certificate turns off TLS certificate validation, so these downloads are not authenticated.\r\n    wget --no-check-certificate https:\/\/ftp.gnu.org\/pub\/gnu\/bash\/bash-3.2-patches\/bash32-052\r\n    popd\r\n    if [ -d bash-92 ] ; then\r\n        sudo rm -rf bash-92\r\n    fi\r\nfi\r\n\r\nif [ ! -f downloads\/bash32-053.patch ] ; then\r\n    hdr \"Downloading bash32-053.patch\"\r\n    if [ ! -d downloads ] ; then\r\n\tmkdir downloads\r\n    fi\r\n    pushd downloads\r\n    wget --no-check-certificate http:\/\/alblue.bandlem.com\/bash32-053.patch\r\n    popd\r\n    if [ -d bash-92 ] ; then\r\n        sudo rm -rf bash-92\r\n    fi\r\nfi\r\n\r\nif [ ! -d bash-92 ] ; then\r\n    hdr \"Patch and build\"\r\n    tar zxf downloads\/bash-92.tar.gz\r\n    cd bash-92\/bash-3.2\r\n    ls -l ..\/..\/downloads\r\n    patch -p0 <..\/..\/downloads\/bash32-052\r\n    patch -p0 <..\/..\/downloads\/bash32-053.patch\r\n    cd ..\r\n    sudo xcodebuild\r\nfi\r\n\r\nif [ ! -f \/bin\/bash-3.2.51 ] ; then\r\n    hdr \"Install bash\"\r\n    sudo cp \/bin\/bash \/bin\/bash-3.2.51\r\n    sudo cp bash-92\/build\/Release\/bash \/bin\/bash-3.2.53\r\n    sudo cp bash-92\/build\/Release\/bash \/bin\/bash\r\n    sudo chmod -x \/bin\/bash-3.2.51\r\nfi\r\n\r\nif [ ! 
-f \/bin\/sh-3.2.51 ] ; then\r\n    hdr \"Install sh\"\r\n    sudo cp \/bin\/sh \/bin\/sh-3.2.51\r\n    sudo cp bash-92\/build\/Release\/sh \/bin\/sh-3.2.53\r\n    sudo cp bash-92\/build\/Release\/sh \/bin\/sh\r\n    sudo chmod -x \/bin\/sh-3.2.51\r\nfi\r\n\r\nhdr \"Verify\"\r\nwhich bash\r\nbash --version\r\ncat <<EOF\r\n\r\nExpected output:\r\n\r\n    bash: warning: x: ignoring function definition attempt\r\n    bash: error importing function definition for 'x'\r\n    bash: shellshock test\r\n\r\nEOF\r\nenv x='() { :;}; echo vulnerable' bash -c \"echo bash: shellshock test\"\r\n\r\nhdr \"Done\"\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>This script will build and install a new version of bash and sh from source that will fix the bash shellshock vulnerability on Mac OS X 10.9.5 until the official patch is released from Apple. It requires the XCode command line tools. If you do not have the XCode command line tools installed, I have &hellip; <a href=\"https:\/\/joelinoff.com\/blog\/?p=1567\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Bash script to fix the shellshock vulnerability on Mac OS X 10.9.5 
(CVE-2014-6271)<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[38,16],"tags":[],"_links":{"self":[{"href":"https:\/\/joelinoff.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1567"}],"collection":[{"href":"https:\/\/joelinoff.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/joelinoff.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/joelinoff.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/joelinoff.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1567"}],"version-history":[{"count":23,"href":"https:\/\/joelinoff.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1567\/revisions"}],"predecessor-version":[{"id":1590,"href":"https:\/\/joelinoff.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1567\/revisions\/1590"}],"wp:attachment":[{"href":"https:\/\/joelinoff.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1567"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/joelinoff.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1567"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/joelinoff.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1567"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}