Kroko Just another WordPress weblog

September 26, 2014

How do I recompile Bash on MacOSX to avoid Shellshock (the remote exploit CVE-2014-6271 and CVE-2014-7169)?

Filed under: Uncategorized — admin @ 10:52 am

System Binaries

OS X 10.9.5 (the latest stable release at the moment) ships with Bash v3.2.51:

$ bash --version
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
You can obtain and recompile Bash as follows, providing that you have Xcode installed:

$ mkdir bash-fix
$ cd bash-fix
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
$ cd bash-92/bash-3.2
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0    
$ cd ..
$ xcodebuild
$ sudo cp /bin/bash /bin/bash.old
$ sudo cp /bin/sh /bin/sh.old
$ sudo cp build/Release/bash /bin
$ sudo cp build/Release/sh /bin

After this, the Bash version should be v3.2.52:

$ bash --version
GNU bash, version 3.2.52(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.

Now check new bash:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Comments (0)

No Comments »

No comments yet.

RSS feed for comments on this post.

Kroko Just another WordPress weblog

September 26, 2014

How do I recompile Bash on MacOSX to avoid Shellshock (the remote exploit CVE-2014-6271 and CVE-2014-7169)?

System Binaries

No Comments »

Leave a comment