Slashdot Mirror
Apple Yet To Push Patch For "Shellshock" Bug
An anonymous reader writes "Open source operating systems vulnerable to the Shellshock bug have already pushed two patches to fix the vulnerability, but Apple has yet to issue one for Mac OS X. Ars Technica speculates that licensing issues may be giving Apple pause: "[T]he current [bash] version is released under the GNU Public License version 3 (GPLv3). Apple has avoided bundling GPLv3-licensed software because of its stricter license terms....Apple executives may feel they have to have their own developers make modifications to the bash code.""
It's also worth noting that there are still flaws with the patches issued so far. Meanwhile, Fedora Magazine has published an easy-to-follow description of how Shellshock actually works. The Free Software Foundation has also issued a statement about Shellshock.
Is there anything I should add to my ~/.cshrc file to protect against this bug?
the gpl is doing its job of preventing commercial software from benefiting from it.
Did anyone expect differently?
This comes across as scaremongering, as its a blanket statement professing the openness of bash compared specifically to Microsoft and Apple, while both those companies have huge collections of open source projects where I can do just what they are trumpeting with Bash and the GPL.
Its a perfect example of why blanket statements should be studied very carefully before being used, as it can just distort your perceived stance when people call you on the flaws of your statement.
Aren't there shellshock patches available for the non-GPL 3'd versions of bash?
This space left intentionally blank.
Stackexchange has a link for anyone who wants to patch their own servers... I've been following it here: http://apple.stackexchange.com... I doubt we'll see a patch from apple until the community agrees that they have a working patch... sounds like they keep going down the rabbit hole right now; keep finding more issues. I upgraded my Lion Server with the current "official" patches, and also the "no function import" change. Better safe...
What Apple does (keeping an ancient non-gpl3 version of bash as primary shell) seems to be the worst possible solution. There are several powerful shells with liberal licences that would fit osx better: zsh (very powerful, globbing and spelling correction), mksh (light and fast but still full of features) or perhaps for the easy-to-use philosophy: fish. Osx already diverges significantly from other *nixes (case-insensitive, binary format, ...) so keeping bash for legacy support sounds strange - and if important they could just make it an optional install like in most BSDs...
What are you talking about? It is completely factual and a valid point. Apple currently bundles 3.2.51, which is licensed under GPLv2. The patched version of bash is the new 4.3.25, which is licensed using GPLv3. Including it would change the license they are using, which I imagine takes some consideration.
Some systems should be patched asap, of course, and we've patched our most critical systems. However, the bash team is still working out the best way to do a comprehensive fix, one that takes care of related issues as well as the initial exploit. As of Friday evening Red Hat and upstream bash were headed in two different directions. We'll be waiting until probably Monday evening to patch most of our systems, even the bash team decides what they're going to do and that gets implemented in rpms. It's not unreasonable for most OSX users to take care of it Monday or so, especially since most Macs don't have a public facing internet presence.
If you're using OSX for an important public facing web server, you can update it today via configure; ./make; make install
This is nothing more than anti GPL FUD. I mean how did Apple manage to originally bundle BASH without contaminating Mac OS X with the GPL 'viral' license. Shame on Ars Technica for spreading this FUD further. Since when has slashdot become a platform for spreading anti-GPL propaganda?
Excuse me, but there is no "anti GPL FUD" or "anti-GPL propaganda". Apple doesn't want to touch GPL 3 licensed code, and quite rightfully so.
The passage you quoted has nothing to do with the general properties of the GPL; it's about GPLv3 being more restrictive to distributors than GPLv2 is (see e.g. the anti-Tivoization language and the language designed to disallow the infamous Microsoft-Novell patent arrangement). The FSF itself acknowledges this reality; it is why GPLv2-covered code cannot be combined with GPLv3-covered code into a single distributable work, and is an example of why the FSF recommends the "or, at your option, any later version" language.
Once upon a time, I learnt that one should not make setuid-root sh scripts, exactly because the shell has so many unpredictable ways to make your script unsecure and because secure input validation inside shell scripts itself is nearly impossible. So why do we have the situation now, that internet services are calling bash scripts to run as root with data input from the internet without proper validation?
In other words: It's no wonder that bash is still 'vulnerable' after two patches, because it isn't supposed to be used like this. And the remaining problems are not a bug in bash, but wrong usage of bash.
The smartest thing to do right now is to not expose a buggy 25-year-old parser to any random person on the internet. Just disable function importing from the environment by default and put it behind a flag.
Here is a BSD-licensed patch for it: http://seclists.org/oss-sec/20...
You're welcome.
As noted at the link:
https://www.freebsd.org/security/advisories.html
FreeBSD has still not patched. I use FreeBSD on my border routers so I am not happy with their lack of action on this subject. Bash is not the default shell on FreeBSD, tcsh is however, many people install bash from the package installer (I work on many unix environments and bash is the one shell I can use everywhere), so this item should be addressed by the FreeBSD team.
Stackexchange has a link for anyone who wants to patch their own servers... I've been following it here: http://apple.stackexchange.com...
Does this work fine with Snow Leopard does anyone know?
> There can no be any 'suspect' in the 'openness' because they have agreed to the license
In some cases, such as document formats, they have patents that apply. The _copyright_ license means you're not violating their _copyright_ by using/modifying/distributing the code, or code that has a similar function, but you're still subject to theor patents, so they can still sue you for millions and billions of dollars. The only protection you have for this code (and any code that reads or writes their format) is an informal promise that as long as they don't mind what you're doing, this year they won't sue you. That's certainly suspect. They might not completely screw everyone who touches their code, but they've reserved the right to do so.
They also have a license which they call "open", but it sure doesn't read like any open source license before. "Hi, my name's Chelsea", their license purrs, with her adam's apple rising. Suspect.
Macports updated their version of bash. Get macports here, if you don't already have them, and install bash: https://www.macports.org/ /bin and remove original Mac binary.
Make sure to move their bash into
Comment removed based on user account deletion
Except the same patch for 4.X is out there for every other version.
I expect they probably will in the end. It just takes time. They've already done it for gcc (clang), and gdb (lldb), I'm sure they'll get round to all of the other GPLv3 world eventually and BSD it instead.
Of course. They are a bunch of sociopaths that can't wait to screw over everyone else. So are their end users.
Of course sociopaths want to stay well away from the GPL3. It closed a loophole that could be used to subvert the intent of the authors.
A Pirate and a Puritan look the same on a balance sheet.
Yes - I have a machine which I patched with this method. But then I created the question and answer as well as my blog at http://alblue.bandlem.com where I've been writing about it, and at http://www.infoq.com @alblue
This is not a very sophisticated flaw. The BSD's weren't effected, suggested that the flaw has been known in some circles for a VERY long time. Or at least the potential for a variety of related flaws in this area were known and considered, and make files were configured accordingly.
So why did it go Viral? Was the explosion of this flaw, a push or pull type event? And doesn't it drive home the point, that Linux distros should start patching more and forking less?
So anyone not agreeing with your ideology is a sociopath? Don't you get the irony in that?
I'm going to find out. I may test on Leopard as well (since I still have a quad G5)
I'm starting to think GNU is the problem with "GNU/Linux" these days.
just get on with it and remove the buggy export function. It's rarely used, practically undocumented, and you all are just playing the whack-a-mole bug fixing game now. I've updated my systems 3 times already for this stupid bug. Trying to patch bash and while preserving this dangerous function is hurting the credibility of parties who are pushing out the patches.
Dunno about the OP, but I've to, due to job, from time to time. It's a bit like jail, with soft, white round corners. It gives me the jeebies, and I'm always grateful to return to my Debian box (FVWM, by the way).
So yes, I have, and never enjoyed the experience.
The version of Bash with the patch is v3, the version Apple uses is v2. They're perfectly happy to ship GPLv2 code (quite a bit of their codebase is GPL), but they have strenuously avoided GPLv3 where possible.
What is hard to understand about this?
That, plus the fact that the patches issued so far are not 100% effective is probably why there is no official patch from Apple yet (you are free to compile your own of course).
They have stated that they are working on it, so it will be forthcoming soon enough.
Ah, propaganda!
GPLv3: "code should be open and free, unless we decide that the freedom that a company chose was not the freedom we wanted them to choose!"
So, you think idea that you can do anything you want within the terms of the licence is a "loophole". Mhhmmm.
Oh, and let's not forget the idea that anyone who disagrees with your position is a sociopath.
What next? The test for sociopathic tendencies involves presenting a choice of OSS licences and if the subject picks anything other than GPLv3 they get branded a sociopath?
The GPL v4:
You may not modify, distribute, publish, compile, share, view or in any other way make use of this source code without the express written permission of Richard M. Stallman. This is for the protection of your freedoms, comrade!
OSX is my favorite, second to Linux. But honestly, it's isn't that close.
... really aren't Apple systems likely the *nix boxes that are least likely to be exploited by shellshock? I have a lot of Apple boxes at work (and know of lots of people who use them in other places as well) but I know of only a very short list of Apple boxes that have any public facing services. While a fair chunk of other *nix boxes are running web servers and other services that can provide avenues for exploiting shellshock, it doesn't seem particularly pressing for the Apple systems that are not.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
neither do the micro softies and apple corps who mod'ed him up.
Apple Corps? What do the Beatles have to do with this?
It looks to me as if you're straining to manufacture scaremongering where none exists. The FSF is reiterating the consequences of free and nonfree software—users get freedoms with free software that they don't get with nonfree software.
Confirmed that it works on Snow Leopard.
I'm starting to think GNU is the problem with "GNU/Linux" these days.
The amount of GPL code in OS X userland is exceedingly minimal. Most of it is from FreeBSD.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Have you considered suicide ?
It is the most productive thing you could ever do with your miserable
life.
Brilliant! Thank you!!
The whole idea of inspecting the contents of arbitrary variables is a bug. Variables can contain any data the user chooses, and the fact that it happens to look like a function definition is none of the shell's business. Bash should have defined a single variable for the purpose in which all the function definitions are packaged up, or at least have defined a class of variables (e.g. BASH_FUNCTION_*) for the purpose.
Looks like this guy at symantec can exploit the bug through a malformed user agent string
http://www.youtube.com/watch?v=ArEOVHQu9nk
Hi there. Just wanted to share. I downloaded the patch last night with the normal repo updates. sudo apt-get upgrade did it for me. No worries. I don't know about Apple. I don't use that crap.
What are you talking about? It is completely factual and a valid point. Apple currently bundles 3.2.51, which is licensed under GPLv2. The patched version of bash is the new 4.3.25, which is licensed using GPLv3. Including it would change the license they are using, which I imagine takes some consideration.
Here are patches for Bash 3.2:
https://ftp.gnu.org/gnu/bash/b...
https://ftp.gnu.org/gnu/bash/b...
FUD!
The GNU project shipped officicial patches for all GNU Bash versions going back to 3.0, and I've seen other people patch versions going back to 2.0.
I thought the patches removed the ability to execute environment variables. That's how I've always used bash, and that's the only thing I've ever seen on scripts and documentation anywhere on the net. I've never seen (anywhere on the net or anywhere else) the ability to execute an environment variable. That's probably why this 'bug' was never found: no one uses bash like that: its like trying to use a sledge hammer to paint your house (instead of a paint brush). Sure its possible, but why would you want to? If I get the same basic functionality from ash (Almquist shell, written by Ken Almquist) as I do from bash (bourne again shell) then I might switch. Dash is the Debian Almquist shell (the Korn shell was written by David Korn and the C shell was written by Bill Joy). The Bourne-Again Shell (BASH) took the best of ksh and csh and added them to sh (the original Bourne shell written by Steven Bourne) and created bash. I was under the impression that the patches removed parsing/execution from environment variables. I never used environment variables like that, and don't want it (especially if it adds craploads of security problems). So do a thorough analysis, then fix it for good.
Dunno about the OP, but I've to, due to job, from time to time. It's a bit like jail, with soft, white round corners. It gives me the jeebies, and I'm always grateful to return to my Debian box (FVWM, by the way).
So yes, I have, and never enjoyed the experience.
---------
Ah, now we've got it:
Separation anxiety disorder of childhood
F93.0 is a billable ICD-10-CM code that can be used to specify a diagnosis.
Clinical Information:
Anxiety experienced by an individual upon separation from a person or object of particular significance to him.
Faster! Faster! Faster would be better!
Is it me, or am I the only one who used Homebrew to replace the installed version of bash?
Only the dead have seen the end of War. - Plato
The GNU project shipped officicial patches for all GNU Bash versions going back to 3.0, and I've seen other people patch versions going back to 2.0.
Yes, but under which license were the patches made available?
OS X is certified UNIX. You know, the network operating system that was serving clients before Xerox invented the desktop.
I have a 1U OS X. server here that says you're clueless.
By convention patches are released under the same license as the version it applies to. I'm sure the GNU Bash maintainer is willing to clarify this to Apple if asked.
Shellshock does a good job of illustrating a fundamental security flaw in
bash but also in Redhat. Redhat, Fedora and CentOS are the most at risk
OSs because Redhat decided to make bash the default shell. This was a
deeply flawed system design decision driven by NIH (not invented here
syndrome). The problem is that bash was written and is maintained by
Redhat. As a result scripts that should have been written in the Bourne
shell are instead using bash. Even scripts that use Bourne (/bin/sh) are
executing bash on Redhat systems as sh is symlinked from bash. This is
not the case on Debian-based Linux (Ubuntu et al) as they don't symlink
bash to sh or specify bash as the default shell script interpreter.
Neither is it the case on the BSDs which don't even ship with bash.
So why then is bash an inappropriate choice for shell scripting? Bash is
designed to be an interactive shell. As a result it a much larger
program and has a correspondingly larger codebase than Bourne, most of
which is dedicated to auto-completion and other interactive features.
All else being equal (and it is in this case) more code correlates with
less security. Bash is also not POSIX-compliant. As a result it is not
cross-platform compatible nor are its features or design subject to
substantial design review. This and other reasons (like security) are
why all Unix and Linux distributions other than Redhat specify POSIX
Bourne as the default shell scripting language.
Redhat aside many third party shell scripts are written in bash that use
no bash features i.e., they would run with little or no modifications
under sh. So why are these scripts written in bash? The primarily
reasons are A) script authors don't understand or value cross-platform
compatibility and B) don't know the differences between bash and sh
(commonly due to familiarity with bash as an interactive shell). A third
but equally important factor is the lack of formal Linux or Unix
training.
Just as shell scripts should not be written in csh (or tcsh) they should
also not use bash (or ksh). Shell script authors should A) keep it
simple, B) be aware of cross-platform differences, C) value
POSIX-compliance and D) value security. With these best practices bugs
like shellshock won't have such an impact.
The Arstechnica journalist Sean Gallagher really dropped the ball on this one:
- His information was behind even when it was published. On the 25th of September around 22:00 EST (depending on the version you're running), Debian issued a patch that fixes the new vulnerabilitys CVE-2014-7186 and CVE-2014-7187 AND implements the Florian Weimer suggestion, strongly mitigating the exploitability of any future parser bugs. Red Had and Ubuntu took their sweet time validating this patch suite, but eventually followed suit the evening of the 26th and the morning of the 27th, respectively.
- The Norihiro Tanaka "bug" is documented and intended behavior, which Sean Gallagher could have known simply by clicking next in thread! Specifically, it's how bash passes shell functions to a subshell. Unlike shellshock, it could only be exploited remotely when allowing a remote attacker to set variables with arbitrary names, which is not the case for any widespread software package. If it was, you'd be lost regardless of which shell you're using and it would have been exploited ages ago. Even the Florian Weimer improvement doesn't change this.
You have a lot of good and true points, but there are couple of huge mistakes in your post that I cannot let stand uncorrected.
AFAIK, the original Bourne shell hasn't been maintained since 1989 or so; if you were to distribute it today as /bin/sh , your distro would doubdlessly be plagued by the most embarrasing buffer overflow and other vulnerabilities. What Debian and its derivatives do is link /bin/sh to dash , the Debian Almquist Shell, which is a modern and well-maintained project aimed at providing a lightweight shell that throws out all interactive features yet has a rich set of non-interactive scripting features that far surpasses the original Bourne shell - not as rich as bash, but good enough for present-day shell scripting. I remember when they took the jump (which required months of preparation consisting of purging bashisms from common shell scripts), boot times were suddenly slashed in half because repeatedly initializing dash processes is so much lighter on the system than doing the same with bash. And as you said, as a side effect, security also benefits.
Redhat aside many third party shell scripts are written in bash that use no bash features
This is factually incorrect; when was the last time you installed something that didn't come out of a Debian repository? Red Hat is incredibly popular in corporate environments, and almost all 3rd party "#!/bin/sh" scripts are actually shock full of bashisms because their customers ask them to target Red Hat and their programmers are Red Hat inbreds who wouldn't know a bashism if it hit them in the head. And remember that a lot of FOSS development is being done within corporations... The pervasive bashisms are why it took Debian so much effort to switch and why Red Hat never did.
This is almost exactly the vulnerability I identified in Linux and other Unixes in about 2002. I was looking for a totally secure type of OS for running a machine that needed very high security. It was only really a guess or a hunch but the shell looked like one of the biggest weak points, another for my app was fork - the biggest weakness of all though was the shear complexity of the whole unix system.
My design was abandoned because a suitable OS couldn't be found, and is now being reimagined as running raw on FPGA hardware - with a thin bespoke OS layer.
Below the speed of light Special Relativity is one of the most accurate theories in physics - above the speed of light..
Backporting the patch(s), or fixing it from first principles for that matter, is unlikely to be an issue. The problem just isn't that complicated.
The delay is more likely due to Apple's more rigorous testing regime.