
OS X Bash Update 1.0 - 0x0
http://support.apple.com/kb/DL1769
======
Titanous
With the update installed:

      $ curl -s https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck | bash
      Not vulnerable to CVE-2014-6271 (original shellshock)
      Not vulnerable to CVE-2014-7169 (taviso bug)
      bash: line 18: 14885 Segmentation fault: 11  bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
      Vulnerable to CVE-2014-7186 (redir_stack bug)
      Test for CVE-2014-7187 not reliable without address sanitizer
      Variable function parser inactive, likely safe from unknown parser bugs

~~~
orblivion
I'm sorry for being snarky, but something seems funny to me about piping
something straight from github through bash to check for a security flaw.

~~~
peteretep
Why does piping commands in to bash from the internet take on a magical
security significance for people who run software they haven't audited
literally all the time?

~~~
zorpner
In the case of a network interruption, a command could become truncated with
potentially destructive results.

~~~
hetman
That would result in a broken pipe and the command being aborted. We're not
dumping raw datagrams here...

~~~
0x0
[https://news.ycombinator.com/item?id=8385374](https://news.ycombinator.com/item?id=8385374)

------
0x0
Also for 10.8:
[http://support.apple.com/kb/DL1768](http://support.apple.com/kb/DL1768)

And for 10.7:
[http://support.apple.com/kb/DL1767](http://support.apple.com/kb/DL1767)

Edit: Further information from the announcement is available here:
[http://lists.apple.com/archives/security-announce/2014/Sep/m...](http://lists.apple.com/archives/security-announce/2014/Sep/msg00001.html)

------
dewey
Is there a reason why this is not coming via the regular software update? I
don't think a lot of people are watching Apple's support pages for updates.

~~~
pudquick
This information was released in an Apple mailing list:
[http://lists.apple.com/archives/security-announce/2014/Sep/m...](http://lists.apple.com/archives/security-announce/2014/Sep/msg00001.html)

The direct download pages are published first. It should be showing up on the
update servers shortly.

~~~
acdha
It's still currently not showing up 16 hours later. I'm starting to wonder
whether they're working on an updated version using one of the improved
patches.

------
pudquick
Do note:

This addresses CVE-2014-6271 and CVE-2014-7169 only. There are currently 6
CVEs listed on the Wikipedia page (not sure which are accurate):
[http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29#S...](http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29#Subsequent_reports)

Some protection is better than none and I'm glad to see Apple rapidly
responding. But this doesn't fix all the issues known to exist currently.

~~~
simme_
      > I'm glad to see Apple rapidly responding

It seems we have different expectations concerning the term rapid...

~~~
pudquick
Disclosure was on the 24th, today is the 29th. The patch had to be developed
in-between (released on the 26th I think?).

3-5 days is pretty decent considering that the DHCP stack on OS X isn't
vulnerable and only customers that had enabled the apache2 instance _and_
configured it with non-default mods were possibly affected.

More often than not Apple is removing GPL code from OS X altogether in the
face of issues (example: samba is now replaced with 'smbx' in-house
implementation).

I felt it was 50/50 that they'd update it vs. remove/disable it.

~~~
eridius
Kind of hard to remove Bash when it's the default shell and a great many
scripts have been written targeting Bash features. Sure, there are other sh-
compatible shells, but AFAIK they aren't 100% compatible with Bash.

Edit: If you disagree with me, please reply instead of downvoting.

~~~
dangerlibrary
Let's hope they aren't 100% compatible!

~~~
eridius
Heh, true. I almost wrote "bug-for-bug compatible", but realized how foolish
that would be.

------
bullfight
Just a heads up: this page and the URL download are over http; the https pages
are totally broken.
[https://support.apple.com/kb/HT1222](https://support.apple.com/kb/HT1222)

~~~
X-Istence
The .pkg is signed, otherwise it won't run (unless you have disabled that
feature, in which case you are driving around without seatbelts anyway)

------
porsupah
For anyone curious, the package installer will refuse to run on Yosemite,
declaring it requires OS X 10.9.

(Of peripheral interest, whilst checking in the iOS Dev Center, I noticed
there's a beta of iOS 8.1)

~~~
xyclos
yeah, despite the statement: "OS X Mavericks v10.9.5 or later"

~~~
mitchty
Probably only applies to released versions of OS X. Apple treats beta a bit
differently than I think many expect. It is a bit closer to the old school
definition.

~~~
orbitur
Highly likely. I don't see why Apple would "patch" something that's not out
yet.

Since we didn't see another DP this week, I'm assuming the Bash update will
appear in the RC... hopefully that's out soon.

~~~
mitchty
Yep, and if you're really hard up to get it into 10.10, just extract the
relevant binaries from the 10.9 version.

Though a better question would be what the hell are you doing with 10.10 that
you need to. OS X betas are very much beta.

[https://gist.github.com/mitchty/6e835bb51735099b6eba](https://gist.github.com/mitchty/6e835bb51735099b6eba)

------
alblue
Note that Apple has not provided updates for older systems. If you have an
older system and wish to patch, I have been keeping my blog post [1] updated
along with the canonical StackExchange answer [2].

Note that the patch from Apple allows bash functions to be escaped, albeit
with a BASH_FUNC prefix - but you can get around this by using:

    $ env '__BASH_FUNC<ls>()'="() { echo Game Over; }" bash -c ls
    Game Over

[1] [http://alblue.bandlem.com/2014/09/bash-remote-vulnerability....](http://alblue.bandlem.com/2014/09/bash-remote-vulnerability.html)

[2]
[http://apple.stackexchange.com/questions/146849/](http://apple.stackexchange.com/questions/146849/)

~~~
osxrand
Unless you're talking about 10.6 or older:

Quoted from 0x0

Also for 10.8:
[http://support.apple.com/kb/DL1768](http://support.apple.com/kb/DL1768) And
for 10.7:
[http://support.apple.com/kb/DL1767](http://support.apple.com/kb/DL1767) Edit:
Further information from the announcement is available here:
[http://lists.apple.com/archives/security-announce/2014/Sep/m...](http://lists.apple.com/archives/security-announce/2014/Sep/m..).

Just posting it here in case someone reads your comment and misses 0x0's

------
tonteldoos
Any reason this is not showing up in the App Store Updates page? (sorry, I'm
still getting my head around OS X...)

~~~
aspHax0
It'll take some time before it shows up, but it should eventually (hopefully
by tonight or tomorrow morning).

------
Zarel
There appear to be updates for 10.9, 10.8, and 10.7, but I can't seem to find
one for 10.10 (and yes, 10.10 beta 3 is vulnerable).

I guess us Yosemite users will have to wait for the next beta...

------
unspecified
Hmph, the other thread fell off the front page, but:

There is a handy zsh script (zsh is in /bin on OSX by default) to get the Bash
tarball from opensource.apple.com, apply patches 52, 53, and 54 from
ftp.gnu.org, build it, and then prompt to replace /bin/bash and /bin/sh. Xcode
is required, and you have to run "sudo xcodebuild" once to accept the EULA.

[https://github.com/tjluoma/bash-fix](https://github.com/tjluoma/bash-fix)

This is the easiest way I've found to patch the system-level /bin/bash AND
/bin/sh binaries.

------
kazazes
Disconcertingly, this doesn't show up in Software Update on my machine running
10.10, but that may be because I'm on the beta. Is this being pushed to the
App Store/Software Update for OS' < 10.10?

(For those wondering, the 10.9 installer does not run on 10.10)

~~~
pflats
Are you running a public-facing Apache server on the beta?

I wouldn't call it disconcerting that they're focusing their resources on
released versions of OS X. I'd rather they cover the other CVEs sooner and
ship 10.10.0 with no issues[1] when it's done than divert engineering
resources to ship a patch for Yosemite.

[1] bash-related issues, at least. Apple's .0 track record speaks for itself.

------
brynmathias
Word of warning: if you have chmod 0000 /bin/bash, put it back to how you found
it before running the update.

If you didn't do this: cmd + s to boot in safe mode, /sbin/mount -wu / and
chmod bash back to a usable state, if you get stuck at login.

------
bstream

      (master) $ echo $BASH_VERSION
      4.3.27(1)-release

      (master) $ ./bashcheck
      Not vulnerable to CVE-2014-6271 (original shellshock)
      Not vulnerable to CVE-2014-7169 (taviso bug)
      ./bashcheck: line 18:  7675 Segmentation fault: 11  bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
      Vulnerable to CVE-2014-7186 (redir_stack bug)
      Test for CVE-2014-7187 not reliable without address sanitizer
      Variable function parser inactive, likely safe from unknown parser bugs

It seems as though there is no patch that fixes CVE-2014-7186 yet?

------
thebiglebrewski
Wait, so can anyone tell me what the risk is if you don't apply this update?

~~~
k_roy
I may be wrong here, but I'm pretty sure as long as you aren't running any
network services, you are probably ok.

This is a big deal because it's remotely exploitable. But it's only
exploitable remotely if you are running a network daemon that somehow invokes
bash and sets environment variables without sanitization. Web sharing, SSH in
some instances, a few MTAs.

The average user PROBABLY isn't running a daemon that is vulnerable. Though in
some cases, you may be and not know it (like if you had turned on Web Sharing
at some point)

All of this is not to say that if you can apply the patch, do it.

~~~
tonteldoos
Yes and no. Bash gets used in many, often invisible, ways. Even a piece of
compromised software run locally, or a web service accessing local data may
present a problem. Admittedly this is a remote chance (and not in the wild
afaik), but better safe than sorry. Patch took all of a minute to install.
Let's hope it's actually a complete fix.

~~~
bashinator
It's not a complete fix. This still returns 'not patched':

        foo='() { echo not patched; }' bash -c foo

~~~
scintill76
That could be fixed by this patch[0], which is not official and might break
backward compatibility.

If you're facing an attacker with arbitrary control of both name and value of
environment variables, and shell scripts that don't sanitize, you've got worse
problems IMO.

Still, some Linux distributions are applying this unofficial patch, to only
parse function definitions in prefixed environment variables to mitigate the
threats.

[0] [http://www.openwall.com/lists/oss-security/2014/09/25/13](http://www.openwall.com/lists/oss-security/2014/09/25/13)

~~~
phs2501
The namespace change is an official patch now:

[https://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027](https://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027)
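A check for the two behaviours discussed in this subthread and in alblue's comment above: whether a bash binary still defines functions from environment variables with arbitrary names, and whether it exports functions under the BASH_FUNC_<name>%% namespace that bash43-027 introduced. This is an added example, not code from any commenter, from bashcheck or from the bash project; BASH_BIN is an assumed knob that defaults to the bash on PATH, and the probe only echoes a harmless marker.

```shell
#!/bin/sh
# Added example (not from the thread): probe a bash binary for the
# pre- and post-bash43-027 handling of functions in the environment.
# BASH_BIN is an assumption; it defaults to whatever bash is on PATH.
BASH_BIN="${BASH_BIN:-bash}"

# Returns 0 (true) when the bash under test defines a function from an
# environment variable whose name carries no prefix. That is the behaviour
# CVE-2014-6271 abused; the probe body only prints a marker.
imports_unprefixed_function() {
  out=$(env 'probe=() { echo imported; }' "$BASH_BIN" -c 'probe' 2>/dev/null)
  [ "$out" = "imported" ]
}

# Returns 0 when exported functions show up in the environment under the
# BASH_FUNC_<name>%% namespace from bash43-027. With that scheme an ordinary
# variable such as probe=... is never parsed as a function definition.
uses_bash_func_namespace() {
  "$BASH_BIN" -c 'probe() { :; }; export -f probe; env' 2>/dev/null \
    | grep -q '^BASH_FUNC_probe%%='
}

# Summarise the state of the bash under test as a single word.
classify_bash() {
  if imports_unprefixed_function; then
    echo vulnerable     # any variable name can carry a function definition
  elif uses_bash_func_namespace; then
    echo namespaced     # upstream bash43-027 (or later) behaviour
  else
    echo patched-other  # e.g. a vendor-specific prefix, or no bash found
  fi
}

classify_bash
```

Run it as `BASH_BIN=/bin/bash sh check.sh` to test the system shell rather than a Homebrew or MacPorts build picked up from PATH.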

~~~
dllthomas
Ah, that seems a good way of going about it.

------
tehwalrus

        System Requirements
        OS X Mavericks v10.9.5 or later

so, they're not updating older machines? My partner still runs Snow Leopard
10.6.8!

~~~
tehwalrus
...downvote a bit unfair, surely, the patch is trivial to release for all
versions (since Bash hasn't been updated across them, IIRC).

~~~
scintill76
Apparently you must be punished for daring to let your partner use something
that's still perfectly functional for many uses, when Apple has something
newer!

Maybe they're saying you should upgrade for security reasons, but it'd be nice
if they actually said it. Seriously, I'm failing to understand the amount of
downvote-hate being focused on you right now, in every comment you gave in
this thread. Sorry.

~~~
kps

      > something that's still perfectly functional

_More_ functional, sometimes; I have 10.6.8 on my home Mac Pro because 10.7
removed a vital feature.

------
GeorgeOfTJungle
[http://hacksagogo.wordpress.com/2014/10/02/shell-shock-os-x-...](http://hacksagogo.wordpress.com/2014/10/02/shell-shock-os-x-bash-update-installer-for-snow-leopard/)

Here’s for the crazy ones, the misfits, the trouble makers, the round pegs in
the square holes. The ones who see things differently... and are still running
Snow Leopard.

------
mjcohen
Worked on my Lion MacBook Pro. Went to the terminal which previously said
"vulnerable", redid the command, now ok.

------
orblivion
Anybody know what took them so long?

~~~
yachi
Because they just upgraded to xcode 6.

------
aabdocker
No surprise it doesn't work on 10.10.

------
vectorsize
no https? no checksums?

~~~
aroch
All of Apple's OS updaters are signed by Apple's internal CA and verified at
install time -- that's why there's no checksum:
[http://idzr.org/ba4o](http://idzr.org/ba4o)

------
bluedino
What about the handful of 10.5 machines still running?

------
mkoryak
Sadly this will update bash on 10.9.5 only. I'm on 10.9.3 because the last Mac
I updated to that version caused it to kernel panic whenever I connected an
external monitor.

Mavericks is Apple's Windows Vista.

------
Fastidious
"OS X Mavericks v10.9.5 or later" doesn't include Yosemite.

~~~
sigzero
Yosemite isn't out yet except in Beta. So that is understandable really.

~~~
Fastidious
That doesn't make any sense. Yosemite is on DP and Public beta, yet still
vulnerable. One thing has nothing to do with the other.

------
mythz
Website says `OS X Mavericks v10.9.5 or later` but fails to run in Yosemite
with the error alert:

> This update requires OS X version 10.9.

------
auvi
Before:


       $ bash --version
       GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)

After:

       $ bash --version
       GNU bash, version 4.3.26(1)-release (x86_64-apple-darwin13.4.0)

~~~
Igglyboo
There's no way they're pushing out a GPLv3 version of bash, you sure you
didn't confuse it with a brew/macports installed version?

~~~
sigjuice
From Apple's email announcement [http://lists.apple.com/archives/security-announce/2014/Sep/m...](http://lists.apple.com/archives/security-announce/2014/Sep/msg00001.html)

* The version after applying this update will be:
        OS X Mavericks:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
        OS X Mountain Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
        OS X Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)

