Monthly Archives: September 2014

Bash vulnerability – fix for Mac owners

In the last few days we have heard about a really dangerous hole in almost any system that runs Linux/Unix. Why is it so dangerous? Because it enables attackers to execute commands to take over servers and systems. Heartbleed, by contrast, leaked users’ passwords and other sensitive information, and did not allow third parties to directly hijack affected systems.

Because of this, it is HIGHLY recommended to update any Linux/Unix system quickly.

Because there is no official patch for Mac owners, they are still unprotected. But there is a slightly trickier way to do it yourself.

Let's start:

1. Check if your system is vulnerable by entering this command in Terminal:

 env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If you see

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

it means you are protected (at the time of writing this post, only partially).
If you see “vulnerable” you need to apply the patch. OS X 10.9.5 (the latest stable release at the moment) ships with Bash v3.2.51.

2. Check the bash version

$ bash --version

You should see this:

GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.

4. Check if you have Xcode installed. If not, install it from the App Store. Once it is installed, do this:

a. With Xcode open, click the Xcode menu in your top menu bar.
b. Click Preferences.
c. Click the Downloads tab.
d. Click Install next to the Command Line Tools in the list of downloads.

Note: If you don’t see “Command Line Tools” in the downloads tab, then that means you’ve already got them and are ready to go!

5. Follow these steps to update bash:

$ mkdir bash-fix
$ cd bash-fix
$ curl | tar zxf -
$ cd bash-92/bash-3.2
$ curl | patch -p0
$ curl | patch -p0  
$ cd ..
$ sudo xcodebuild
$ sudo cp /bin/bash /bin/bash.old # make copy of old bash
$ sudo cp /bin/sh /bin/sh.old # make copy of old sh
$ build/Release/bash --version # GNU bash, version 3.2.53(1)-release
$ build/Release/sh --version   # GNU bash, version 3.2.53(1)-release
$ sudo cp build/Release/bash /bin
$ sudo cp build/Release/sh /bin

For security reasons, and after testing, remove the execute permission (chmod a-x) from the old versions to ensure they aren’t re-used.

$ sudo chmod a-x /bin/bash.old /bin/sh.old

Go back to point 1 and run the same test. It should pass now.
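
An added example (not part of the original post): a small shell helper that runs the point 1 test against a specific binary, so the freshly built build/Release/bash and build/Release/sh can be checked before they are copied over /bin. The function names classify_probe, check_shell and check_all are made up for this example, and it covers only the point 1 probe.

```sh
#!/bin/sh
# Added example: names below are hypothetical, not from the original post.
# Exit codes: 0 = probe did not fire, 1 = vulnerable, 2 = could not test.

# Classify the captured stdout of the point 1 probe.
classify_probe() {
    case $1 in
        *vulnerable*) return 1 ;;   # the injected command ran
        *hello*)      return 0 ;;   # only the intended command ran
        *)            return 2 ;;   # binary did not run as expected
    esac
}

# Run the point 1 probe against one specific shell binary.
check_shell() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo "$bin: not an executable file" >&2
        return 2
    fi
    # env -i gives a clean environment so only the probe variable is passed;
    # stderr is dropped because the patched output shown above goes there.
    out=$(env -i x='() { :;}; echo vulnerable' "$bin" -c 'echo hello' 2>/dev/null)
    probe_rc=0
    classify_probe "$out" || probe_rc=$?
    case $probe_rc in
        0) echo "$bin: ok" ;;
        1) echo "$bin: VULNERABLE" ;;
        *) echo "$bin: unexpected output, not tested" >&2 ;;
    esac
    return $probe_rc
}

# Check several binaries; fail if any one of them is not ok.
check_all() {
    rc=0
    for b in "$@"; do
        check_shell "$b" || rc=1
    done
    return $rc
}

# Typical use from the bash-92 directory, before the "sudo cp" lines:
#   check_all build/Release/bash build/Release/sh && echo "safe to install"
```

Running check_all /bin/bash /bin/sh after the copy repeats the point 1 test for both installed binaries.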


Thanks to Milton Keynes for the tip.