in macosx bash vulnerability CVE-2014-6271 ~ read.

Bash remote vulnerability fix for Mac Os users

As you may heard, there's a critical vulnerability found in bash recently. According to CSO

A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux, and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271. This affects Debian as well as other Linux distributions. The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. Another attack surface is OpenSSH through the use of AcceptEnv variables. Also through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation.

You can determine if you are vulnerable to the original problem in CVE-2014-6271 by executing this test:

$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

The above output is an example of a non-vulnerable bash version. If you see the word vulnerable in the output of that command your bash is vulnerable and you should update.

There's one more way of checking vulnerability of your bash after an update to the original post

env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Thu 25 Sep 2014 08:50:18 BST

An official patch has not yet been released but a work-in-progress patch is visible on the mailing list

To fix this on your Macs, you need to follow this simple steps :

mkdir bash-fix
cd bash-fix
curl | tar zxf -
cd bash-92/bash-3.2
curl | patch -p0    
cd ..
sudo cp /bin/bash /bin/bash.old
sudo cp /bin/sh /bin/sh.old
build/Release/bash --version # GNU bash, version 3.2.52(1)-release
build/Release/sh --version   # GNU bash, version 3.2.52(1)-release
sudo cp build/Release/bash /bin
sudo cp build/Release/sh /bin

After this, the Bash version should be v3.2.52:

GNU bash, version 3.2.52(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.

For security, and after testing, I recommend that you chmod -x the old versions to ensure they aren't re-used.

sudo chmod a-x /bin/bash.old /bin/sh.old

I'm using brew for installing linux software on my mac. For people who also use brew, steps are even simpler :

brew update
brew upgrade bash

After this my bash version looks like this :

~  bash --version
GNU bash, version 4.3.25(1)-release (x86_64-apple-darwin13.4.0)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <>

Note that this still leaves you with a vulnerable system bash, updating the Homebrew bash is in addition to patching the system bash as described above.

For Macports users steps are very simple as well :

sudo port self update
sudo port upgrade bash

Still, in case with Macports bash usage, you need to update system bash to be sure.

comments powered by Disqus
comments powered by Disqus