By now probably all of you have heard of the shellshock vulnerability. Just as a small heads-up, I wasn’t able to compile bash version 4.3 on Mac OSX, as the last few patches simply don’t apply for me. But here’s how you can compile, test and install version 4.2 on your OSX:
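#!/usr/bin/env bash
# Download the bash source and its official patch series, build it, run the
# Shellshock probes against the freshly built ./bash and print the commands
# needed to install the result.
#
# adopted from an original post (that was deleted) from
# http://www.linus-neumann.de/2014/09/26/clean-your-mac-from-shellshock-by-updating-bash/
#
# Usage: run from an empty scratch directory; needs wget, patch and a C toolchain.
#
# NOTE(review): the tarball and the patches are fetched over plain HTTP and are
# not checked against the detached .sig files GNU publishes next to them, so a
# tampered mirror would go unnoticed. Verify the signatures with gpg before
# installing the resulting binary system-wide.
set -eu

PATCH_COMMAND=patch #No better results with gnu-patch from mac ports -> /opt/local/bin/gpatch

#VERSION_TO_COMPILE=4.1
#VERSION_TO_COMPILE_NO_DOT=41
#VERSION_NUMBER_OF_PATCHES=17
VERSION_TO_COMPILE=4.2
VERSION_TO_COMPILE_NO_DOT=42
VERSION_NUMBER_OF_PATCHES=53
#patches starting from 029 don't work for me in version 4.3
#VERSION_TO_COMPILE=4.3
#VERSION_TO_COMPILE_NO_DOT=43
#VERSION_NUMBER_OF_PATCHES=30

# Fail early instead of discovering a missing tool halfway through the build.
for tool in wget "$PATCH_COMMAND" make; do
  command -v "$tool" >/dev/null || { echo "missing required tool: $tool" >&2; exit 1; }
done

echo "* Downloading bash source code"
wget --quiet "http://ftpmirror.gnu.org/bash/bash-$VERSION_TO_COMPILE.tar.gz"
tar xzf "bash-$VERSION_TO_COMPILE.tar.gz"
cd "bash-$VERSION_TO_COMPILE"

echo "* Downloading and applying all patches"
for i in $(seq -f "%03g" 1 "$VERSION_NUMBER_OF_PATCHES"); do
  echo "Downloading and applying patch number $i for bash-$VERSION_TO_COMPILE"
  wget --quiet "http://ftp.gnu.org/pub/gnu/bash/bash-$VERSION_TO_COMPILE-patches/bash$VERSION_TO_COMPILE_NO_DOT-$i"
  # Under -e a failed download or a patch that does not apply stops the run
  # here, rather than building a half-patched tree and testing that.
  "$PATCH_COMMAND" -p0 < "bash$VERSION_TO_COMPILE_NO_DOT-$i"
  #sleep 0.5
done

echo "* configuring and building bash binary"
sleep 1
./configure
make

echo "* writing bash test script"
#The following script will only work when your cwd has the bash binary,
#so you can execute ./bash
#mostly taken from shellshocker.net
# mktemp instead of a fixed name in /tmp: another local user could otherwise
# pre-create or swap the file that we go on to execute with the new bash.
TEST_SCRIPT=$(mktemp "${TMPDIR:-/tmp}/tmp-bash-test-file.XXXXXX")
trap 'rm -f -- "$TEST_SCRIPT"' EXIT
# The delimiter is quoted so the probe payloads ($x, $($())) are written
# literally; an unquoted EOF lets the outer shell expand them first and
# silently weakens the tests.
cat << 'EOF' > "$TEST_SCRIPT"
#CVE-2014-6271
echo "* If the following lines contain the word 'vulnerable' your bash is not fixed:"
env x='() { :;}; echo vulnerable' ./bash -c "echo no worries so far"
#CVE-2014-7169
echo "* If the following lines print the actual date rather than the string 'date' you are vulnerable:"
env X='() { ()=>\' ./bash -c "echo date"; cat echo;
#unknown
echo "* If the following lines contain the word 'vulnerable' your bash is not fixed:"
env X=' () { }; echo vulnerable' ./bash -c 'echo no worries so far'
#CVE-2014-7186
echo "* If the following lines contain the word 'vulnerable' your bash is not fixed:"
./bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "vulnerable CVE-2014-7186 , redir_stack"
#CVE-2014-7187
echo "* If the following lines contain the word 'vulnerable' your bash is not fixed:"
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | ./bash || echo "vulnerable CVE-2014-7187 , word_lineno"
#CVE-2014-6278
echo "* If the following lines contain the word 'vulnerable' your bash is not fixed:"
shellshocker='() { echo vulnerable; }' ./bash -c shellshocker
#CVE-2014-6277
echo "* If the following lines contain the word 'vulnerable' your bash is not fixed:"
./bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable
#more tests, probably often testing the same as above, but better safe than sorry
echo "* If the following lines contain the word 'vulnerable' your bash is not fixed:"
env X='() { _; } >_[$($())] { echo vulnerable; }' ./bash -c :
echo "* If the following lines contain the word 'vulnerable' your bash is not fixed:"
foo='() { echo vulnerable; }' ./bash -c foo
EOF

echo ""
echo "* Starting a new bash process to check for vulnerabilities"
echo ""
sleep 1
# The probes report by printing; the exit status of the last one is expected
# to be non-zero on a fixed bash, so it carries no information -- don't let
# -e abort on it.
./bash "$TEST_SCRIPT" || true
echo ""
echo "* If the compiled bash binary is not vulnerable, you want to install that binary in your system:"
echo "cd bash-$VERSION_TO_COMPILE"
echo "sudo make install"
echo "sudo mv /bin/bash /bin/old_vulnerable_bash && sudo ln /usr/local/bin/bash /bin/bash"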
cheers,
floyd