This post explains how to install the latest version of Bash on Mac OS X to get rid of the ShellShock vulnerability. You must have admin privileges on your computer to complete this. If you use MacPorts or Homebrew, you also need to update whichever one you use, because MacPorts and Homebrew install a separate version of Bash besides the one built into your system.
This explains the ShellShock vulnerability:
http://www.bbc.com/news/technology-29361794
Steps to repair:
Step 1:
Install Xcode from the App Store if it is not already installed:
https://itunes.apple.com/us/app/xcode/id497799835
Step 2:
Open a terminal window:
https://www.youtube.com/watch?v=zw7Nd67_aFw
Step 3:
sudo env x='() { :;}; echo vulnerable' bash -c 'echo hello'
You will be prompted for an admin password. If you see this output, you have the vulnerability:
vulnerable
hello
If you see this output, someone has already fixed it for you and there is no need to proceed:
warning: x: ignoring function definition attempt
error importing function definition for `x'
hello
Step 4:
mkdir bash-fix
cd bash-fix
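# Note: -k makes curl skip TLS certificate verification, so the downloads below are not authenticated.
curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz -k| tar zxf -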
cd bash-92/bash-3.2
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 -k| patch -p0
# Note: The bash32-053 patch does not apply cleanly on OS X because
# of a missing y.tab.c file. This can be ignored or the alblue
# one used instead. Upstream commits the y.tab.c file so doesn't
# have that problem.
# Not-yet-released-patch - replace alblue.bandlem.com line with:
# curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
curl http://alblue.bandlem.com/bash32-053.patch -k| patch -p0
cd ..
sudo xcodebuild
sudo cp /bin/bash /bin/bash.old
sudo cp /bin/sh /bin/sh.old
build/Release/bash --version # GNU bash, version 3.2.53(1)-release
build/Release/sh --version # GNU bash, version 3.2.53(1)-release
sudo cp build/Release/bash /bin
sudo cp build/Release/sh /bin
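# Final check: with the fixed sh this prints "date" and cat reports that the
# file "echo" does not exist. A vulnerable sh creates a file named "echo".
rm -f echo
env X='() { (a)=>\' sh -c "echo date"; cat echo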
Step 5:
Update Homebrew or MacPorts:
Homebrew:
Copy and paste the following lines one at a time into the terminal window:
brew update
brew upgrade bash
MacPorts:
Copy and paste the following lines one at a time into the terminal window:
sudo port selfupdate
sudo port upgrade bash
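To confirm the result for every copy of Bash this post mentions (the system /bin/bash and /bin/sh plus the Homebrew or MacPorts build), the script below repeats the Step 3 check and the final check from Step 4 against each binary. It is an added example, not part of the original post or the linked answer; the function names and the /usr/local/bin/bash and /opt/local/bin/bash paths (assumed default Homebrew and MacPorts locations) are assumptions.

```shell
#!/bin/sh
# Added example: repeat the post's two checks against each shell binary.
# Pass absolute paths; the second probe changes directory before running.

# Classify the captured output of the Step 3 probe.
classify_probe() {
    case "$1" in
        *vulnerable*) echo vulnerable ;;
        *hello*)      echo not-vulnerable ;;
        *)            echo unknown ;;
    esac
}

# Step 3 probe against one binary. The check itself does not need sudo.
probe_env() {
    [ -x "$1" ] || { echo missing; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo hello' 2>&1) || true
    classify_probe "$out"
}

# End-of-Step-4 probe, run in a scratch directory so no stray "echo" file
# is left behind. A vulnerable shell creates a file named "echo" there.
probe_file() {
    [ -x "$1" ] || { echo missing; return 0; }
    dir=$(mktemp -d) || { echo unknown; return 0; }
    (cd "$dir" && env X='() { (a)=>\' "$1" -c 'echo date') >/dev/null 2>&1 || true
    if [ -e "$dir/echo" ]; then res=vulnerable; else res=not-vulnerable; fi
    rm -rf "$dir"
    echo "$res"
}

# Print one line per binary with the result of both probes.
check_all() {
    for s in "$@"; do
        printf '%-22s step3=%-15s step4=%s\n' "$s" "$(probe_env "$s")" "$(probe_file "$s")"
    done
}

# /bin paths are from the post; the other two are assumed default
# Homebrew and MacPorts install locations.
check_all /bin/bash /bin/sh /usr/local/bin/bash /opt/local/bin/bash
```

A binary reported as "missing" is simply not installed; any line showing "vulnerable" means that copy still needs the matching step above.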
Step 6:
Be happy this kind of thing rarely happens to Linux and Mac OS.
I got most of the script from the link below but there were a couple of bugs that needed to be fixed:
http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an/146851#146851