GNU bash ShellShock bug and how to fix it on OS X

Update: A new bash patch has been released as bash-4.3.26. This article has been updated to include the new patch.

Recently another UNIX bug broke out: the ShellShock bug in GNU bash, the most commonly used UNIX shell. It allows arbitrary code execution, which is bad.

Test code, if you want to check:

env x='() { :;}; echo gah' bash -c "echo test"

If you see both gah and test, your system is vulnerable! Read on! (If you only see test, bash ignored the trailing command and is not affected.)

It was fixed on Sep. 24 in the GNU upstream versions 3.0.17, 3.1.18, 3.2.52, 4.0.39, 4.1.12, 4.2.48 and 4.3.25, but it needs time to propagate to your favourite Linux distribution. Given the nature of this bug, this will happen fast.

For those who use OS X, this probably will never happen, so you need to close it yourself on OS X by upgrading your bash shell. I prefer closing vulnerabilities using the latest version of the affected software, so I will grab and install bash-4.3.25.

OS X actually has two copies of bash installed, /bin/sh and /bin/bash. We need to replace both.

First you need to get the tools: Xcode. It is free on the App Store but it does take up ~2.5GB of space. Or, if you are willing to register as an Apple Developer (which is free), you can get the Xcode Command Line Tools package, which is just a bit above 150MB.

Then you need to get the source code for bash-4.3 and all patches (stock OS X ships curl but not wget, so curl is used throughout). Do this in your terminal:

curl http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz | tar xz
mkdir -p bash-patches; cd bash-patches
for each in {1..26}; do curl -O http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$(printf %03u $each); done

And apply all the patches, in order (the zero-padded names sort correctly):

cd ../bash-4.3
for each in ../bash-patches/*; do patch -p0 < "$each"; done

Then we can start compiling. Remember that on OS X there is no GCC, so we need to force the build to use clang. Also, we install it under /usr for now (the binary lands in /usr/bin), as make install produces more files than the bash-3.2 installation did:

CC=clang CXX=clang++ ./configure --prefix=/usr
make -j8
sudo make install

And finally, replace both bash-3.2 binaries:

sudo mv /usr/bin/bash /bin/bash
sudo ln -sf bash /bin/sh

Then start using the new, no-longer-vulnerable bash-4.3.25:

exec bash -l
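After the upgrade it is worth re-running the test from the top of the article against both copies the article says OS X ships, /bin/sh and /bin/bash, rather than only against whatever bash the login shell happens to be. The POSIX sh script below is an added example, not part of the original post: it applies the same function-import test to each path given on the command line and prints one line per binary with the version it reports. It assumes only that env is on the PATH; the default paths and the output format are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): report ShellShock status for
# one or more shell binaries using the same env-based test as the article.
# Assumption: `env` is on the PATH. Nothing here needs network access.

# shellshock_status PATH
# Prints one of: vulnerable, not-vulnerable, missing.
# Returns 1, 0 or 2 respectively.
shellshock_status() {
    shell=$1
    if [ ! -x "$shell" ]; then
        printf '%s\n' missing
        return 2
    fi
    # The variable's value looks like an exported function definition. An
    # unpatched bash keeps parsing past the closing brace and executes the
    # trailing command, so "gah" shows up in the output. A patched bash, or a
    # non-bash /bin/sh such as dash, only prints "test".
    out=$(env x='() { :;}; echo gah' "$shell" -c 'echo test' 2>/dev/null)
    case "$out" in
        *gah*) printf '%s\n' vulnerable;     return 1 ;;
        *)     printf '%s\n' not-vulnerable; return 0 ;;
    esac
}

# shell_version PATH
# Prints the BASH_VERSION the binary reports, or n/a for a non-bash shell
# (or a missing binary).
shell_version() {
    v=$("$1" -c 'printf "%s" "${BASH_VERSION:-n/a}"' 2>/dev/null) || v=n/a
    printf '%s\n' "${v:-n/a}"
}

# check_all PATH...
# Prints one report line per binary; returns 1 if any binary is vulnerable,
# otherwise 0 (a missing binary is reported but does not fail the check).
check_all() {
    rc=0
    for s in "$@"; do
        status=$(shellshock_status "$s") || :
        case "$status" in
            vulnerable) rc=1 ;;
        esac
        printf '%-12s %-20s %s\n' "$s" "$(shell_version "$s")" "$status"
    done
    return $rc
}

# Usage: sh shellshock_check.sh /bin/sh /bin/bash
# With no arguments nothing runs, so the file can also be sourced for its
# functions.
if [ $# -gt 0 ]; then
    check_all "$@"
    exit $?
fi
```

Run it as sh shellshock_check.sh /bin/sh /bin/bash; a non-zero exit status means at least one of the listed binaries still echoed gah. The behavioural test is deliberately preferred over a version-string comparison, because a version number alone does not tell you whether a given binary has the fix applied.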

Happy hardening your OS X 🙂
