Posted by Jim Jagielski on Friday, September 26. 2014 in Programming

UPDATED: Sept 29, 2014 with current OSX Bash patch

First of all, when this was first found, we were looking for a cool name... It was found.

Anyway, as noted here []  the shellshock vulnerability is pretty nasty. What's interesting is that, in general, the *BSD variants aren't as vulnerable as *NIX platforms, simply because the default shell on BSD is still the Bourne shell (the "real" sh) and not Bash itself (On Linux and OSX, for example, /bin/sh is either a copy or link to /bin/bash).

Even so, BSD systems are not immune by any stretch of the imagination, since one attack vector is via web-servers and CGI, and it's likely that there are numerous CGI scripts that require/use Bash. So no matter what, patch your systems.

However, as of this writing, Apple has NOT provided any patch for OS X. I'm running 10.9.5 and patched my systems via the below:

$ mkdir bash-new
$ cd bash-new
$ curl | tar xvf -
## If you get a Cert error, add the -k option to curl
$ cd bash-92/bash-3.2
$ curl | patch -p0
$ curl | patch -p0
$ curl | patch -p0
$ cd ..
$ xcodebuild
$ sudo cp /bin/bash /bin/bash.old
$ sudo cp /bin/sh /bin/sh.old
$ build/Release/bash --version
##GNU bash, version 3.2.54(1)-release (x86_64-apple-darwin13)
##Copyright (C) 2007 Free Software Foundation, Inc.
$ build/Release/sh --version
##GNU bash, version 3.2.54(1)-release (x86_64-apple-darwin13)
##Copyright (C) 2007 Free Software Foundation, Inc.
$ sudo cp build/Release/bash /bin
$ sudo cp build/Release/sh /bin

The author does not allow comments to this entry


Search for an entry in IMO:

Did not find what you were looking for? Post a comment for an entry or contact us via email!