top | item 8385574

OS X Bash Update 1.0

247 points | 0x0 | 11 years ago | support.apple.com

155 comments

[+] Titanous|11 years ago|reply
With the update installed:

  $ curl -s https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck | bash
  Not vulnerable to CVE-2014-6271 (original shellshock)
  Not vulnerable to CVE-2014-7169 (taviso bug)
  bash: line 18: 14885 Segmentation fault: 11  bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
  Vulnerable to CVE-2014-7186 (redir_stack bug)
  Test for CVE-2014-7187 not reliable without address sanitizer
  Variable function parser inactive, likely safe from unknown parser bugs
[+] orblivion|11 years ago|reply
I'm sorry for being snarky, but something seems funny to me about piping something straight from github through bash to check for a security flaw.
[+] scintill76|11 years ago|reply
"Variable function parser inactive" -- interesting, did they apply the unofficial patch to namespace-prefix function definitions? This poster[0] seems to not have it, though. Who is right? The test at that github link seems a bit sketchy, by using a simple name like "a" instead of, say, __test_bashbug_a, and not checking the output very thoroughly. But it seems like it would fail the other way if there's a command named "a" in OS X's PATH...

https://news.ycombinator.com/item?id=8385819

[+] jonahx|11 years ago|reply
How can I patch the bugs that are listed as still vulnerable?
[+] MaysonL|11 years ago|reply
From Yosemite GM candidate:

  Not vulnerable to CVE-2014-6271 (original shellshock)
  Not vulnerable to CVE-2014-7169 (taviso bug)
  Not vulnerable to CVE-2014-7186 (redir_stack bug)
  Test for CVE-2014-7187 not reliable without address sanitizer
  Variable function parser inactive, likely safe from unknown parser bugs

[+] gphil|11 years ago|reply
I just reproduced this on 10.9.5 as well.
[+] ten7|11 years ago|reply
Also reproduced on 10.9.5 -- you would think that there's someone at Apple looking at this forum and at hannob's bashcheck and that it would get tested. I guess there will be a 1.1 version of the update soon?
[+] dewey|11 years ago|reply
Is there a reason why this is not coming via the regular software update? I don't think a lot of people are watching Apple's support pages for updates.
[+] jdnier|11 years ago|reply
It also seems positively weird that Apple's support pages and this security update aren't delivered via https.
[+] adrianN|11 years ago|reply
It is coming with the regular update for me.
[+] pudquick|11 years ago|reply
Do note:

This addresses CVE-2014-6271 and CVE-2014-7169 only. There are currently 6 CVEs listed on the Wikipedia page (not sure which are accurate): http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29#S...

Some protection is better than none and I'm glad to see Apple rapidly responding. But this doesn't fix all the issues known to exist currently.

[+] simme_|11 years ago|reply
> I'm glad to see Apple rapidly responding

It seems we have different expectations concerning the term rapid...
[+] saidajigumi|11 years ago|reply
> But this doesn't fix all the issues known to exist currently.

Apple's certainly gotten a late start, but the "1.0" part of the update's name speaks to an expectation that this isn't the end of the line here.

[+] bullfight|11 years ago|reply
Just a heads up this page and the url download are over http, the https pages are totally broken. https://support.apple.com/kb/HT1222
[+] X-Istence|11 years ago|reply
The .pkg is signed, otherwise it won't run (unless you have disabled that feature, in which case you are driving around without seatbelts anyway)
[+] porsupah|11 years ago|reply
For anyone curious, the package installer will refuse to run on Yosemite, declaring it requires OS X 10.9.

(Of peripheral interest, whilst checking in the iOS Dev Center, I noticed there's a beta of iOS 8.1)

[+] xyclos|11 years ago|reply
yeah, despite the statement: "OS X Mavericks v10.9.5 or later"
[+] alblue|11 years ago|reply
Note that Apple has not provided updates for older systems. If you have an older system and wish to patch, I have been keeping my blog post [1] updated along with the canonical StackExchange answer [2].

Note that the patch from Apple allows bash functions to be escaped, albeit with a BASH_FUNC prefix - but you can get around this by using:

  $ env '__BASH_FUNC<ls>()'="() { echo Game Over; }" bash -c ls
  Game Over

[1] http://alblue.bandlem.com/2014/09/bash-remote-vulnerability....

[2] http://apple.stackexchange.com/questions/146849/
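
The probe below is an added example, not hannob's bashcheck and not Apple's code. It runs the same kind of environment-import checks that the bashcheck outputs above report, but with a deliberately unusual function name (`__shellshock_probe_fn`, chosen here) so that a command of the same name in PATH cannot fake a result, the weakness scintill76 raises. It also reports which namespaced export format the bash on PATH honours: the `__BASH_FUNC<name>()` form is the one alblue shows above; the two upstream forms (`BASH_FUNC_name()` from the first upstream fix, `BASH_FUNC_name%%` from bash 4.4 on) are from the upstream bash sources, not from this thread. It probes whichever `bash` is first on PATH, so point PATH at the binary you care about.

```shell
#!/bin/sh
# Added example: probe the function-import behaviour of the bash on PATH.
# The function name is deliberately unusual so that an unrelated command of
# the same name in PATH cannot produce a false "imported" result.
PROBE=__shellshock_probe_fn

# Start a fresh bash with one environment variable (name in $1) whose value
# looks like an exported function, and report whether bash imported it.
# Errors from bash (and a missing bash) are suppressed so the caller only
# ever sees IMPORTED, NOT_IMPORTED or nothing.
probe() {
    env "$1=() { echo IMPORTED; }" \
        bash -c "$PROBE 2>/dev/null || echo NOT_IMPORTED" 2>/dev/null
}

# Pre-fix behaviour: any variable whose value began with "() {" became a
# function, whatever its name.  "yes" is what bashcheck calls an active
# variable function parser.
plain_parser_active() {
    case "$(probe "$PROBE")" in
        IMPORTED) echo yes ;;
        *)        echo no ;;
    esac
}

# CVE-2014-6271 itself: does text after the function body run at startup?
trailing_command_executed() {
    out=$(env "$PROBE=() { :; }; echo INJECTED" bash -c true 2>/dev/null)
    case "$out" in
        *INJECTED*) echo yes ;;
        *)          echo no ;;
    esac
}

# Post-fix behaviour: functions are imported only from namespaced names.
# Upstream formats are from the bash sources (assumption, not from the
# thread); the Apple format is the one in the "Game Over" example above.
function_export_scheme() {
    if   [ "$(probe "BASH_FUNC_${PROBE}%%")" = IMPORTED ]; then
        echo 'BASH_FUNC_name%% (bash 4.4 and later)'
    elif [ "$(probe "BASH_FUNC_${PROBE}()")" = IMPORTED ]; then
        echo 'BASH_FUNC_name() (first upstream fix)'
    elif [ "$(probe "__BASH_FUNC<${PROBE}>()")" = IMPORTED ]; then
        echo '__BASH_FUNC<name>() (Apple patch)'
    else
        echo none
    fi
}

echo "bash on PATH:                              $(bash -c 'echo "$BASH_VERSION"' 2>/dev/null)"
echo "variable function parser active:           $(plain_parser_active)"
echo "trailing command executed (CVE-2014-6271): $(trailing_command_executed)"
echo "function export scheme honoured:           $(function_export_scheme)"
```

A fixed bash should answer "no" to the first two checks. The namespaced import is by design: defining a function through the environment as in the Game Over example requires control over the variable name, and a CGI gateway upper-cases header-derived names and prefixes them with HTTP_, so a remote client there controls only values. The CVE-2014-7186 crash that bashcheck reports is reached through a different parser input and is not probed here.
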

[+] tonteldoos|11 years ago|reply
Any reason this is not showing up in the App Store Updates page? (sorry, I'm still getting my head around OS X...)
[+] aspHax0|11 years ago|reply
It'll take some time before it shows up, but it should eventually (hopefully by tonight or tomorrow morning).
[+] Zarel|11 years ago|reply
There appear to be updates for 10.9, 10.8, and 10.7, but I can't seem to find one for 10.10 (and yes, 10.10 beta 3 is vulnerable).

I guess us Yosemite users will have to wait for the next beta...

[+] unspecified|11 years ago|reply
Hmph, the other thread fell off the front page, but:

There is a handy zsh script (zsh is in /bin on OSX by default) to get the Bash tarball from opensource.apple.com, apply patches 52, 53, and 54 from ftp.gnu.org, build it, and then prompt to replace /bin/bash and /bin/sh. Xcode is required, and you have to run "sudo xcodebuild" once to accept the EULA.

https://github.com/tjluoma/bash-fix

This is the easiest way I've found to patch the system-level /bin/bash AND /bin/sh binaries.

[+] kazazes|11 years ago|reply
Disconcertingly, this doesn't show up in Software Update on my machine running 10.10, but that may be because I'm on the beta. Is this being pushed to the App Store/Software Update for OS' < 10.10?

(For those wondering, the 10.9 installer does not run on 10.10)

[+] pflats|11 years ago|reply
Are you running a public-facing Apache server on the beta?

I wouldn't call it disconcerting that they're focusing their resources on released versions of OS X. I'd rather they cover the other CVEs sooner and ship 10.10.0 with no issues[1] when it's done than divert engineering resources to ship a patch for Yosemite.

[1] bash-related issues, at least. Apple's .0 track record speaks for itself.

[+] sigzero|11 years ago|reply
10.10 isn't out yet. It's BETA. So that is a reasonable expectation.
[+] brynmathias|11 years ago|reply
Word of warning: if you have done chmod 0000 /bin/bash, put it back to how you found it before running the update.

If you didn't do this and you get stuck at login: Cmd+S to boot in safe mode, then /sbin/mount -wu / and chmod bash back to a usable state.

[+] bstream|11 years ago|reply

  (master) $ echo $BASH_VERSION 
  4.3.27(1)-release

  (master) $ ./bashcheck
  Not vulnerable to CVE-2014-6271 (original shellshock)
  Not vulnerable to CVE-2014-7169 (taviso bug)
  ./bashcheck: line 18:  7675 Segmentation fault: 11  bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
  Vulnerable to CVE-2014-7186 (redir_stack bug)
  Test for CVE-2014-7187 not reliable without address sanitizer
  Variable function parser inactive, likely safe from unknown parser bugs
It seems as though there is no patch that fixes CVE-2014-7186 yet?
[+] thebiglebrewski|11 years ago|reply
Wait, so can anyone tell me what the risk is if you don't apply this update?
[+] k_roy|11 years ago|reply
I may be wrong here, but I'm pretty sure as long as you aren't running any network services, you are probably ok.

This is a big deal because it's remotely exploitable. But it's only exploitable remotely if you are running a network daemon that somehow invokes bash and sets environment variables without sanitization. Web sharing, SSH in some instances, a few MTAs.

The average user PROBABLY isn't running a daemon that is vulnerable. Though in some cases, you may be and not know it (like if you had turned on Web Sharing at some point)

All of this is not to say that if you can apply the patch, do it.

[+] __david__|11 years ago|reply
Most likely nothing. You probably aren't running a web server that shells out to do CGI or something else. Macs don't use the shell to do their network config. Those are the 2 biggies in the Linux world right now.

Basically to be vulnerable requires 2 components:

   1. You have to be able to get some remote user specified stuff into an environment variable.

   2. You have to invoke /bin/sh (calls to system(3)[1] do this, as well as actual shell scripts).

If you just have a non-server mac, there's no huge rush--no one has identified an actual stock service/daemon that is susceptible to the vulnerability.

[1] "man 3 system"
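
An added example for the two components listed above, not code from the thread: a POSIX sh wrapper for the invoking side that breaks component 1 by giving the shell an allow-listed environment instead of the daemon's own. The function names `run_in_clean_env` and `looks_like_function_export`, the allow-list, and the CGI-style request values are all chosen here for illustration.

```shell
#!/bin/sh
# Added example: a daemon that must shell out on behalf of a remote client
# can stop attacker-controlled data from reaching bash's environment by
# starting the shell via env -i with only an allow-list of variables.
# Names and sample values below are constructed for the example.

# Bash's function-import check keyed on a value beginning with "() {".
# Even on a patched system, data destined for a shell's environment with
# that shape deserves to be dropped rather than passed on.
looks_like_function_export() {
    case "$1" in
        "() {"*) echo yes ;;
        *)       echo no ;;
    esac
}

# run_in_clean_env ALLOWED_NAMES COMMAND [ARG...]
# Runs COMMAND under env -i with a fixed PATH plus only those variables named
# in ALLOWED_NAMES (space separated) that are set in the caller's environment
# and do not look like function exports.  Everything else (HOME, BASH_ENV,
# LD_*, unexpected HTTP_* headers) never reaches the child.
run_in_clean_env() {
    allowed=$1
    shift
    for name in $allowed; do
        eval "is_set=\${$name+set}"
        [ "$is_set" = set ] || continue
        eval "value=\$$name"
        if [ "$(looks_like_function_export "$value")" = yes ]; then
            echo "run_in_clean_env: dropping $name (function-like value)" >&2
            continue
        fi
        # Prepend NAME=VALUE so env sees all assignments before the command.
        set -- "$name=$value" "$@"
    done
    env -i PATH=/usr/bin:/bin "$@"
}

# Demonstration: a CGI-style request environment in which the User-Agent
# header carries a Shellshock-style payload (constructed sample values).
REQUEST_METHOD=GET
HTTP_USER_AGENT='() { :; }; echo pwned'
export REQUEST_METHOD HTTP_USER_AGENT

# The child sees REQUEST_METHOD, but the hostile header is dropped and the
# daemon's own environment is not inherited.
run_in_clean_env 'REQUEST_METHOD HTTP_USER_AGENT' \
    sh -c 'echo "method=$REQUEST_METHOD agent=${HTTP_USER_AGENT-<dropped>}"'
```

The allow-list is a property of the caller, not of the request: only names the daemon itself decides to expose are copied, and a value is copied only after the function-export check, so the second component (the shell invocation) is reached with nothing the client chose in the environment.
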

[+] prawn|11 years ago|reply
And what if my bash has been moved?
[+] gnarbarian|11 years ago|reply
Unauthorized remote code execution. ... so pretty much worst case scenario
[+] tehwalrus|11 years ago|reply

    System Requirements
    OS X Mavericks v10.9.5 or later
so, they're not updating older machines? My partner still runs Snow Leopard 10.6.8!
[+] tehwalrus|11 years ago|reply
...downvote a bit unfair, surely, the patch is trivial to release for all versions (since Bash hasn't been updated across them, IIRC).
[+] mjcohen|11 years ago|reply
Worked on my Lion MacBook Pro. Went to the terminal which previously said "vulnerable", redid the command, now ok.