Slashdot Mirror
Apple Yet To Push Patch For "Shellshock" Bug
An anonymous reader writes "Open source operating systems vulnerable to the Shellshock bug have already pushed two patches to fix the vulnerability, but Apple has yet to issue one for Mac OS X. Ars Technica speculates that licensing issues may be giving Apple pause: "[T]he current [bash] version is released under the GNU Public License version 3 (GPLv3). Apple has avoided bundling GPLv3-licensed software because of its stricter license terms....Apple executives may feel they have to have their own developers make modifications to the bash code.""
It's also worth noting that there are still flaws with the patches issued so far. Meanwhile, Fedora Magazine has published an easy-to-follow description of how Shellshock actually works. The Free Software Foundation has also issued a statement about Shellshock.
Is there anything I should add to my ~/.cshrc file to protect against this bug?
the gpl is doing its job of preventing commercial software from benefiting from it.
This comes across as scaremongering, as its a blanket statement professing the openness of bash compared specifically to Microsoft and Apple, while both those companies have huge collections of open source projects where I can do just what they are trumpeting with Bash and the GPL.
Its a perfect example of why blanket statements should be studied very carefully before being used, as it can just distort your perceived stance when people call you on the flaws of your statement.
Aren't there shellshock patches available for the non-GPL 3'd versions of bash?
This space left intentionally blank.
Stackexchange has a link for anyone who wants to patch their own servers... I've been following it here: http://apple.stackexchange.com... I doubt we'll see a patch from apple until the community agrees that they have a working patch... sounds like they keep going down the rabbit hole right now; keep finding more issues. I upgraded my Lion Server with the current "official" patches, and also the "no function import" change. Better safe...
What Apple does (keeping an ancient non-gpl3 version of bash as primary shell) seems to be the worst possible solution. There are several powerful shells with liberal licences that would fit osx better: zsh (very powerful, globbing and spelling correction), mksh (light and fast but still full of features) or perhaps for the easy-to-use philosophy: fish. Osx already diverges significantly from other *nixes (case-insensitive, binary format, ...) so keeping bash for legacy support sounds strange - and if important they could just make it an optional install like in most BSDs...
What are you talking about? It is completely factual and a valid point. Apple currently bundles 3.2.51, which is licensed under GPLv2. The patched version of bash is the new 4.3.25, which is licensed using GPLv3. Including it would change the license they are using, which I imagine takes some consideration.
Some systems should be patched asap, of course, and we've patched our most critical systems. However, the bash team is still working out the best way to do a comprehensive fix, one that takes care of related issues as well as the initial exploit. As of Friday evening Red Hat and upstream bash were headed in two different directions. We'll be waiting until probably Monday evening to patch most of our systems, even the bash team decides what they're going to do and that gets implemented in rpms. It's not unreasonable for most OSX users to take care of it Monday or so, especially since most Macs don't have a public facing internet presence.
If you're using OSX for an important public facing web server, you can update it today via configure; ./make; make install
This is nothing more than anti GPL FUD. I mean how did Apple manage to originally bundle BASH without contaminating Mac OS X with the GPL 'viral' license. Shame on Ars Technica for spreading this FUD further. Since when has slashdot become a platform for spreading anti-GPL propaganda?
Excuse me, but there is no "anti GPL FUD" or "anti-GPL propaganda". Apple doesn't want to touch GPL 3 licensed code, and quite rightfully so.
Once upon a time, I learnt that one should not make setuid-root sh scripts, exactly because the shell has so many unpredictable ways to make your script unsecure and because secure input validation inside shell scripts itself is nearly impossible. So why do we have the situation now, that internet services are calling bash scripts to run as root with data input from the internet without proper validation?
In other words: It's no wonder that bash is still 'vulnerable' after two patches, because it isn't supposed to be used like this. And the remaining problems are not a bug in bash, but wrong usage of bash.
The smartest thing to do right now is to not expose a buggy 25-year-old parser to any random person on the internet. Just disable function importing from the environment by default and put it behind a flag.
Here is a BSD-licensed patch for it: http://seclists.org/oss-sec/20...
You're welcome.
Stackexchange has a link for anyone who wants to patch their own servers... I've been following it here: http://apple.stackexchange.com...
Does this work fine with Snow Leopard does anyone know?
> There can no be any 'suspect' in the 'openness' because they have agreed to the license
In some cases, such as document formats, they have patents that apply. The _copyright_ license means you're not violating their _copyright_ by using/modifying/distributing the code, or code that has a similar function, but you're still subject to theor patents, so they can still sue you for millions and billions of dollars. The only protection you have for this code (and any code that reads or writes their format) is an informal promise that as long as they don't mind what you're doing, this year they won't sue you. That's certainly suspect. They might not completely screw everyone who touches their code, but they've reserved the right to do so.
They also have a license which they call "open", but it sure doesn't read like any open source license before. "Hi, my name's Chelsea", their license purrs, with her adam's apple rising. Suspect.
Macports updated their version of bash. Get macports here, if you don't already have them, and install bash: https://www.macports.org/ /bin and remove original Mac binary.
Make sure to move their bash into
Comment removed based on user account deletion
I expect they probably will in the end. It just takes time. They've already done it for gcc (clang), and gdb (lldb), I'm sure they'll get round to all of the other GPLv3 world eventually and BSD it instead.
Yes - I have a machine which I patched with this method. But then I created the question and answer as well as my blog at http://alblue.bandlem.com where I've been writing about it, and at http://www.infoq.com @alblue
This is not a very sophisticated flaw. The BSD's weren't effected, suggested that the flaw has been known in some circles for a VERY long time. Or at least the potential for a variety of related flaws in this area were known and considered, and make files were configured accordingly.
So why did it go Viral? Was the explosion of this flaw, a push or pull type event? And doesn't it drive home the point, that Linux distros should start patching more and forking less?
So anyone not agreeing with your ideology is a sociopath? Don't you get the irony in that?
I'm going to find out. I may test on Leopard as well (since I still have a quad G5)
I'm starting to think GNU is the problem with "GNU/Linux" these days.
Dunno about the OP, but I've to, due to job, from time to time. It's a bit like jail, with soft, white round corners. It gives me the jeebies, and I'm always grateful to return to my Debian box (FVWM, by the way).
So yes, I have, and never enjoyed the experience.
The version of Bash with the patch is v3, the version Apple uses is v2. They're perfectly happy to ship GPLv2 code (quite a bit of their codebase is GPL), but they have strenuously avoided GPLv3 where possible.
What is hard to understand about this?
That, plus the fact that the patches issued so far are not 100% effective is probably why there is no official patch from Apple yet (you are free to compile your own of course).
They have stated that they are working on it, so it will be forthcoming soon enough.
Ah, propaganda!
GPLv3: "code should be open and free, unless we decide that the freedom that a company chose was not the freedom we wanted them to choose!"
So, you think idea that you can do anything you want within the terms of the licence is a "loophole". Mhhmmm.
Oh, and let's not forget the idea that anyone who disagrees with your position is a sociopath.
What next? The test for sociopathic tendencies involves presenting a choice of OSS licences and if the subject picks anything other than GPLv3 they get branded a sociopath?
The GPL v4:
You may not modify, distribute, publish, compile, share, view or in any other way make use of this source code without the express written permission of Richard M. Stallman. This is for the protection of your freedoms, comrade!
OSX is my favorite, second to Linux. But honestly, it's isn't that close.
... really aren't Apple systems likely the *nix boxes that are least likely to be exploited by shellshock? I have a lot of Apple boxes at work (and know of lots of people who use them in other places as well) but I know of only a very short list of Apple boxes that have any public facing services. While a fair chunk of other *nix boxes are running web servers and other services that can provide avenues for exploiting shellshock, it doesn't seem particularly pressing for the Apple systems that are not.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
neither do the micro softies and apple corps who mod'ed him up.
Apple Corps? What do the Beatles have to do with this?
Confirmed that it works on Snow Leopard.
I'm starting to think GNU is the problem with "GNU/Linux" these days.
Apple deprecated Java entirely and suggested that you obtain it from Oracle, but thanks for playing.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
The amount of GPL code in OS X userland is exceedingly minimal. Most of it is from FreeBSD.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
bash is not part of FreeBSD.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Brilliant! Thank you!!
The whole idea of inspecting the contents of arbitrary variables is a bug. Variables can contain any data the user chooses, and the fact that it happens to look like a function definition is none of the shell's business. Bash should have defined a single variable for the purpose in which all the function definitions are packaged up, or at least have defined a class of variables (e.g. BASH_FUNCTION_*) for the purpose.
What are you talking about? It is completely factual and a valid point. Apple currently bundles 3.2.51, which is licensed under GPLv2. The patched version of bash is the new 4.3.25, which is licensed using GPLv3. Including it would change the license they are using, which I imagine takes some consideration.
Here are patches for Bash 3.2:
https://ftp.gnu.org/gnu/bash/b...
https://ftp.gnu.org/gnu/bash/b...
The GNU project shipped officicial patches for all GNU Bash versions going back to 3.0, and I've seen other people patch versions going back to 2.0.
But it is part of the ports collection, which is managed by the FreeBSD project and that a lot of FreeBSD users use.
There are users using it, and it is documented.
Dunno about the OP, but I've to, due to job, from time to time. It's a bit like jail, with soft, white round corners. It gives me the jeebies, and I'm always grateful to return to my Debian box (FVWM, by the way).
So yes, I have, and never enjoyed the experience.
---------
Ah, now we've got it:
Separation anxiety disorder of childhood
F93.0 is a billable ICD-10-CM code that can be used to specify a diagnosis.
Clinical Information:
Anxiety experienced by an individual upon separation from a person or object of particular significance to him.
Faster! Faster! Faster would be better!
The installed binaries built from the ports tree are not automagicly updated with the standard OS patches, this is why many people chose NOT to build from the ports tree and instead chose to use the binary package installer pkg tool such that the packages are then updated automaticly by the FreeBSD team as opposed to the user having to re-fresh the ports tree and manulay rebuild every package that gets an update.
I call bullshit. Binary packages have never been up to date on FreeBSD. Anybody knows anything about FreeBSD knows to use the ports tree. Especially for something that takes 2 seconds to build. The ports tree since yesterday has had the NetBSD workaround which is even safer than GNU's own since it disables the vulnerable (and hardly used) functionality entirely. (Who intentionally imports shell functions from the environment?) While we're going to be updating our Linux systems yet again for GNU's next attempt at fixing this.
FreeBSD isn't even vulnerable to begin with. /bin/sh is Almquist shell.
Is it me, or am I the only one who used Homebrew to replace the installed version of bash?
Only the dead have seen the end of War. - Plato
OS X is certified UNIX. You know, the network operating system that was serving clients before Xerox invented the desktop.
I have a 1U OS X. server here that says you're clueless.
Once you've had Mac [apple.com], you can't go back!
Until you realize Apple has no commitment to backwards compatibility, and the software you bought three years ago is useless. Then you become bitter and depraved.
"First they came for the slanderers and i said nothing."
By convention patches are released under the same license as the version it applies to. I'm sure the GNU Bash maintainer is willing to clarify this to Apple if asked.
Shellshock does a good job of illustrating a fundamental security flaw in
bash but also in Redhat. Redhat, Fedora and CentOS are the most at risk
OSs because Redhat decided to make bash the default shell. This was a
deeply flawed system design decision driven by NIH (not invented here
syndrome). The problem is that bash was written and is maintained by
Redhat. As a result scripts that should have been written in the Bourne
shell are instead using bash. Even scripts that use Bourne (/bin/sh) are
executing bash on Redhat systems as sh is symlinked from bash. This is
not the case on Debian-based Linux (Ubuntu et al) as they don't symlink
bash to sh or specify bash as the default shell script interpreter.
Neither is it the case on the BSDs which don't even ship with bash.
So why then is bash an inappropriate choice for shell scripting? Bash is
designed to be an interactive shell. As a result it a much larger
program and has a correspondingly larger codebase than Bourne, most of
which is dedicated to auto-completion and other interactive features.
All else being equal (and it is in this case) more code correlates with
less security. Bash is also not POSIX-compliant. As a result it is not
cross-platform compatible nor are its features or design subject to
substantial design review. This and other reasons (like security) are
why all Unix and Linux distributions other than Redhat specify POSIX
Bourne as the default shell scripting language.
Redhat aside many third party shell scripts are written in bash that use
no bash features i.e., they would run with little or no modifications
under sh. So why are these scripts written in bash? The primarily
reasons are A) script authors don't understand or value cross-platform
compatibility and B) don't know the differences between bash and sh
(commonly due to familiarity with bash as an interactive shell). A third
but equally important factor is the lack of formal Linux or Unix
training.
Just as shell scripts should not be written in csh (or tcsh) they should
also not use bash (or ksh). Shell script authors should A) keep it
simple, B) be aware of cross-platform differences, C) value
POSIX-compliance and D) value security. With these best practices bugs
like shellshock won't have such an impact.
The Arstechnica journalist Sean Gallagher really dropped the ball on this one:
- His information was behind even when it was published. On the 25th of September around 22:00 EST (depending on the version you're running), Debian issued a patch that fixes the new vulnerabilitys CVE-2014-7186 and CVE-2014-7187 AND implements the Florian Weimer suggestion, strongly mitigating the exploitability of any future parser bugs. Red Had and Ubuntu took their sweet time validating this patch suite, but eventually followed suit the evening of the 26th and the morning of the 27th, respectively.
- The Norihiro Tanaka "bug" is documented and intended behavior, which Sean Gallagher could have known simply by clicking next in thread! Specifically, it's how bash passes shell functions to a subshell. Unlike shellshock, it could only be exploited remotely when allowing a remote attacker to set variables with arbitrary names, which is not the case for any widespread software package. If it was, you'd be lost regardless of which shell you're using and it would have been exploited ages ago. Even the Florian Weimer improvement doesn't change this.
You have a lot of good and true points, but there are couple of huge mistakes in your post that I cannot let stand uncorrected.
AFAIK, the original Bourne shell hasn't been maintained since 1989 or so; if you were to distribute it today as /bin/sh , your distro would doubdlessly be plagued by the most embarrasing buffer overflow and other vulnerabilities. What Debian and its derivatives do is link /bin/sh to dash , the Debian Almquist Shell, which is a modern and well-maintained project aimed at providing a lightweight shell that throws out all interactive features yet has a rich set of non-interactive scripting features that far surpasses the original Bourne shell - not as rich as bash, but good enough for present-day shell scripting. I remember when they took the jump (which required months of preparation consisting of purging bashisms from common shell scripts), boot times were suddenly slashed in half because repeatedly initializing dash processes is so much lighter on the system than doing the same with bash. And as you said, as a side effect, security also benefits.
Redhat aside many third party shell scripts are written in bash that use no bash features
This is factually incorrect; when was the last time you installed something that didn't come out of a Debian repository? Red Hat is incredibly popular in corporate environments, and almost all 3rd party "#!/bin/sh" scripts are actually shock full of bashisms because their customers ask them to target Red Hat and their programmers are Red Hat inbreds who wouldn't know a bashism if it hit them in the head. And remember that a lot of FOSS development is being done within corporations... The pervasive bashisms are why it took Debian so much effort to switch and why Red Hat never did.
This is almost exactly the vulnerability I identified in Linux and other Unixes in about 2002. I was looking for a totally secure type of OS for running a machine that needed very high security. It was only really a guess or a hunch but the shell looked like one of the biggest weak points, another for my app was fork - the biggest weakness of all though was the shear complexity of the whole unix system.
My design was abandoned because a suitable OS couldn't be found, and is now being reimagined as running raw on FPGA hardware - with a thin bespoke OS layer.
Below the speed of light Special Relativity is one of the most accurate theories in physics - above the speed of light..
Backporting the patch(s), or fixing it from first principles for that matter, is unlikely to be an issue. The problem just isn't that complicated.
The delay is more likely due to Apple's more rigorous testing regime.