Securing Mac-OS from CVE-2014-7169 (Shellshock / Bash bug)


For this to work you need to have Xcode installed. If you don't have it, try: sudo xcode-select --install

In a terminal execute these commands:
mkdir bash-fix
cd bash-fix
curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
cd bash-92/bash-3.2

curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 | patch -p0
cd ..
xcodebuild

Wait until you see "BUILD SUCCEEDED".

Back up your old executables:
sudo cp /bin/bash /bin/bash.old
sudo cp /bin/sh /bin/sh.old

Put the new ones in place:
sudo cp build/Release/bash /bin/bash
sudo cp build/Release/sh /bin/sh

To test for the vulnerability, run this in a Mac or Linux terminal:
env var='() {(a)=>\' bash -c "echo date"; cat echo 

If you are vulnerable, you will see the current date in the output, like this:
bash: var: line 1: syntax error near unexpected token `='
bash: var: line 1: `'
bash: error importing function definition for `var'
Fr 26 Sep 2014 13:33:52 CEST
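
The same probe can be pointed at a specific binary, so that build/Release/bash and build/Release/sh can be checked before they are copied over /bin/bash and /bin/sh, and so that no file named "echo" is left in the current directory. This is an added example, not part of the original instructions; the function names check_7169 and report_7169 are made up here.

```shell
#!/bin/sh
# Added example: run the CVE-2014-7169 probe against a chosen binary
# inside a scratch directory.
# Returns 0 = not vulnerable, 1 = vulnerable, 2 = check could not run.
check_7169() {
    target=$1
    [ -x "$target" ] || { echo "not executable: $target" >&2; return 2; }
    case $target in /*) ;; *) target=$PWD/$target ;; esac  # survive the cd below

    scratch=$(mktemp -d "${TMPDIR:-/tmp}/bash7169.XXXXXX") || return 2

    # Same probe as the test above. A vulnerable bash runs "date" with its
    # output redirected into a file named "echo"; a patched bash only prints
    # the word "date" and creates no file.
    ( cd "$scratch" && env var='() {(a)=>\' "$target" -c "echo date" ) \
        >/dev/null 2>&1 || :

    if [ -e "$scratch/echo" ]; then result=1; else result=0; fi
    rm -rf "$scratch"
    return "$result"
}

# Check every binary given as an argument; non-zero if any is not clean.
report_7169() {
    worst=0
    for bin in "$@"; do
        rc=0; check_7169 "$bin" || rc=$?
        case $rc in
            0) echo "OK          $bin" ;;
            1) echo "VULNERABLE  $bin" ;;
            *) echo "SKIPPED     $bin" ;;
        esac
        [ "$rc" -le "$worst" ] || worst=$rc
    done
    return "$worst"
}

# When run as a script: sh check7169.sh build/Release/bash build/Release/sh
if [ "$#" -gt 0 ]; then report_7169 "$@"; fi
```

Run it on the two files in build/Release after xcodebuild finishes, and again on /bin/bash and /bin/sh after the copy.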