How to: Patch OS X / Mac against the Shellshock vulnerability

It may sound complicated when you read the online descriptions, but it's actually very easy!

As of this writing, the latest version of OS X is 10.9.5, and it is susceptible to the Shellshock vulnerability.

To check your version of Bash, open a Terminal window and run: bash --version

This will probably return: GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)

I just performed the following on my own machines and it works perfectly.

Make sure you copy everything below – easiest is to click the "view raw" link to the bottom right of this Gist-box.

$ # If you want to disable auto-imported functions, uncomment the following
$ # export ADD_IMPORT_FUNCTIONS_PATCH=YES
$ mkdir bash-fix
$ cd bash-fix
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
$ cd bash-92/bash-3.2
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
$ # See note above about ADD_IMPORT_FUNCTIONS_PATCH
$ [ "$ADD_IMPORT_FUNCTIONS_PATCH" == "YES" ] && curl http://alblue.bandlem.com/import_functions.patch | patch -p0
$ [ "$ADD_IMPORT_FUNCTIONS_PATCH" == "YES" ] || curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 | patch -p0
$ cd ..
$ # Note: DO NOT ADD SUDO TO XCODEBUILD HERE
$ xcodebuild
$ build/Release/bash --version # GNU bash, version 3.2.54(1)-release
$ build/Release/sh --version   # GNU bash, version 3.2.54(1)-release
$ sudo cp /bin/bash /bin/bash.old
$ sudo cp /bin/sh /bin/sh.old
$ sudo cp build/Release/bash /bin
$ sudo cp build/Release/sh /bin

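Open a terminal window and paste the following: pbpaste | cut -c 2- | sh

This reads the copied commands from the clipboard (pbpaste), strips the leading "$" from each line (cut -c 2-) and hands the result to sh, so check that the clipboard holds exactly the commands above before you run it.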

You should now see it working through the instructions, and eventually you will need to enter your password.

To verify that everything went according to plan, check your bash version again, as above.

This should now return: GNU bash, version 3.2.54(1)-release (x86_64-apple-darwin13)

Now your beloved Mac is all safe and sound again, but just to be on the safe side you should also prevent use of the previous bash version by issuing the following command in the terminal: sudo chmod a-x /bin/bash.old /bin/sh.old
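The two checks above (the version string after the rebuild and the disabled .old backups) can be scripted. This is an added example, not part of the original post or of the instructions it credits; the function names and the --host flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: checks that a `bash --version`
# line reports the 3.2.54 level the post builds and that the .old backups
# cannot be executed.

# Print "MAJOR MINOR PATCH" parsed from the first line of `bash --version`.
parse_version() {
    printf '%s\n' "$1" | sed -n \
        's/^GNU bash, version \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)(.*/\1 \2 \3/p'
}

# Return 0 for bash 3.2 at patch level 54 or later, 1 for an older 3.2
# build, 2 if the line is not a bash 3.2 version string at all.
is_patched_32() {
    set -- $(parse_version "$1")
    [ "$#" -eq 3 ] && [ "$1" -eq 3 ] && [ "$2" -eq 2 ] || return 2
    [ "$3" -ge 54 ]
}

# Return 0 only if every listed backup is absent or not executable.
backups_disabled() {
    for f in "$@"; do
        if [ -f "$f" ] && [ -x "$f" ]; then
            echo "WARN: $f is still executable"
            return 1
        fi
    done
    return 0
}

# Check the live binaries and the backups named in the post.
check_host() {
    status=0
    for bin in /bin/bash /bin/sh; do
        line=$("$bin" --version 2>/dev/null | head -n 1)
        if is_patched_32 "$line"; then
            echo "OK:   $bin -> $line"
        else
            echo "FAIL: $bin -> ${line:-no version output}"
            status=1
        fi
    done
    backups_disabled /bin/bash.old /bin/sh.old || status=1
    return "$status"
}

# Hypothetical flag: pass --host to check this machine.
if [ "${1:-}" = "--host" ]; then check_host; fi
```

Save it under any name and run it with --host after the chmod step; a non-zero exit status means one of the binaries is not at 3.2.54 or a backup is still executable.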

Done!

For more details you can read the following post where I got the above instructions from.
