Apple Yet To Push Patch For "Shellshock" Bug

An anonymous reader writes "Open source operating systems vulnerable to the Shellshock bug have already pushed two patches to fix the vulnerability, but Apple has yet to issue one for Mac OS X. Ars Technica speculates that licensing issues may be giving Apple pause: "[T]he current [bash] version is released under the GNU Public License version 3 (GPLv3). Apple has avoided bundling GPLv3-licensed software because of its stricter license terms....Apple executives may feel they have to have their own developers make modifications to the bash code."" It's also worth noting that there are still flaws with the patches issued so far. Meanwhile, Fedora Magazine has published an easy-to-follow description of how Shellshock actually works. The Free Software Foundation has also issued a statement about Shellshock.

~/.cshrc

[Bing+Tsher+E]

Is there anything I should add to my ~/.cshrc file to protect against this bug?

Re:~/.cshrc

[oneiros27]

Oh, you think you're kidding ... but the problem isn't just bash ... it's that Apple uses bash in place of sh.

So most programs that shell out (php, perl, etc) are potentially vulnerable no matter what initial shell they were called from:

csh< env x='() { :;}; echo vulnerable' perl -e 'system "echo test;"'
vulnerable
test
csh>

Re:~/.cshrc

[koan]

Yeah a better operating system than OSX.

Re:~/.cshrc

[fnj]

Rename /bin/bash to /bin/bash.bak then create a link [cyberciti.biz] from /bin/dash to /bin/bash ..

And get ready for a whole lot of scripts failing. Scripts that start with #!/bin/sh but are written dependant on bash features will fail. Scripts that start with #!/bin/bash on the other hand will just fail to start. You'll have a busted-ass system, but at least it won't be attacked.

Now if you were running debian or ubuntu /bin/sh would already be a link to /bin/dash, and there wouldn't be any screwed up scripts because the design of the file layout was made by people who weren't brain dead.

Re:~/.cshrc

[aNonnyMouseCowered]

"Oh, you think you're kidding ... but the problem isn't just bash ... it's that Apple uses bash in place of sh."

A long time ago I used a non-Intel version of MacOSX that had tcsh as the default shell. So the parent might not be joking if .cshrc was part of the tcsh installation (tcsh has its own config .tcshrc but also reads .cshrc). If that's the case, well, none of the c-shells suffer from this bug. I wonder why Apple made the change. tcsh is BSD licensed as it's (or was) the default NetBSD (FreeBSD?) shell. Are there any OSX services that actually depend on some bash bug/feature not implemented in say, tcsh, zsh or any of the other permissively licenses shells?

Re:~/.cshrc

[Kiwikwi]

It really has nothing to do with the default shell. It won't matter what shell is the default when your CGI script starts with #!/bin/bash.

No, no, no, no... People really don't get the scope of this.

It doesn't matter what the default user shell is, or what language a CGI script is written in. Bash is the most common system shell, which means it's invoked all the time when other programs run commands.

Obviously, I can't know this, but OP is probably not using csh as his system shell, because that's not POSIX compliant and would cause major breakage.

If /bin/sh is Bash, you're vulnerable, no matter what shell you're using yourself, or what language your CGI script is written in.

Also, CGI scripts is only the most obvious attack vector; others that have been identified so far are the CUPS printing daemon, the ISC DHCP client and locked down SSH shells like those commonly used to host Git repositories. But there are without doubt many more. The only safe thing to do is to upgrade or remove Bash from your system immediately.

Stallman would be proud

the gpl is doing its job of preventing commercial software from benefiting from it.

Re: Stallman would be proud

[frikken+lazerz]

Stallman is batshit insane though, and doesn't even come close to representing the average FOSS user. That would be like thinking all liberals are like Michael Moore or all conservatives are like Rush Limbaugh. The average FOSS advocate just wants his software to work. He prefers FOSS because it is more secure and has the user's interests in mind, unlike software like iTunes that tries to sell users stuff or Chrome that tracks you and sells your data to the highest bidder. The average FOSS user doesn't care if there are binary blobs and doesn't mind using Adobe's Flash because it's way better than any of the open alternatives. This is also the reason Ubuntu and Mint are so popular, not GNUSense or whatever other totally free alternative he recommends. Tl;dr, Stallman shouldn't and represent the FOSS community, and although his ideas might be good in principle, the average user just wants his software to work on par or better than what he used to use on Windows.

Re:Stallman would be proud

[marcello_dl]

Moron: Yeah I wanna redistribute your software but not abide to the license it comes with it, because it's not freedom enough! I mean, give my source modification to everybody who asks? Avoid patenting and so effectively closing up the work you intended for the world? Why should I do that?

Dev: how about you write your own damn code and license it as you please? And I suppose you are perfecly fine when your own licenses are being ignored?
 

Re:Stallman would be proud

[TrollstonButterbeans]

I'm sure that Apple, with $160 B in the bank, and developers writing entirely new programming languages like Swift are betwixt --- just betwixt!!! --- at the things the open source community can write in code that they can't figure out!!

Maybe some day Apple will smarten up and move to next to Stanford and Berkeley so they can buy some coding talent and be able to patch these kinds of things.

Until then, they will be at the mercy of the GPL v3.

[Either that or how the hell can this even be exploited on a Mac, sigh ...]

Patches for 3.x bash versions?

[javacowboy]

Aren't there shellshock patches available for the non-GPL 3'd versions of bash?

Stackexchange has discussion on patching yourself

[evandyke]

Stackexchange has a link for anyone who wants to patch their own servers... I've been following it here: http://apple.stackexchange.com... I doubt we'll see a patch from apple until the community agrees that they have a working patch... sounds like they keep going down the rabbit hole right now; keep finding more issues. I upgraded my Lion Server with the current "official" patches, and also the "no function import" change. Better safe...

Bash a bad fit for osx

[staalmannen]

What Apple does (keeping an ancient non-gpl3 version of bash as primary shell) seems to be the worst possible solution. There are several powerful shells with liberal licences that would fit osx better: zsh (very powerful, globbing and spelling correction), mksh (light and fast but still full of features) or perhaps for the easy-to-use philosophy: fish. Osx already diverges significantly from other *nixes (case-insensitive, binary format, ...) so keeping bash for legacy support sounds strange - and if important they could just make it an optional install like in most BSDs...

Re:Bash a bad fit for osx

Initial versions of OS X did come with zsh instead of bash, they only switched later (but before there was any talk of the GPLv3). They reason they switched was for compatibility, as many packages expect /bin/sh to be bash (yes, they're technically broken, but that doesn't help end users that want to use/compile them).

Re:Issue with FSF statement...

[cyber-vandal]

I don't see the full source for OS X on there funnily enough which was my point. Point me to the full source of Windows or Office or SQL Server.

Re:Ars Technica speculates?

[cryptizard]

What are you talking about? It is completely factual and a valid point. Apple currently bundles 3.2.51, which is licensed under GPLv2. The patched version of bash is the new 4.3.25, which is licensed using GPLv3. Including it would change the license they are using, which I imagine takes some consideration.

Probably good to give another 48 hours anyway

[raymorris]

Some systems should be patched asap, of course, and we've patched our most critical systems. However, the bash team is still working out the best way to do a comprehensive fix, one that takes care of related issues as well as the initial exploit. As of Friday evening Red Hat and upstream bash were headed in two different directions. We'll be waiting until probably Monday evening to patch most of our systems, even the bash team decides what they're going to do and that gets implemented in rpms. It's not unreasonable for most OSX users to take care of it Monday or so, especially since most Macs don't have a public facing internet presence.

If you're using OSX for an important public facing web server, you can update it today via configure; ./make; make install

Re:Probably good to give another 48 hours anyway

[ls671]

In the mean time, for those who care enough to already be running mod_security. All hits to our multiple web servers go through a mod_security reverse-proxy first:

## Bash attack

SecRule REQUEST_HEADERS "^\(\) {" \
"phase:1,deny,id:1000,t:urlDecode,status:403,log,msg:'CVE-2014-6271 - Bash Attack'"

SecRule REQUEST_LINE "\(\) {" \
"phase:1,deny,id:1001,status:403,log,msg:'CVE-2014-6271 - Bash Attack'"

SecRule ARGS_NAMES "^\(\) {" \
"phase:2,deny,id:1002,t:urlDecode,t:urlDecodeUni,status:403,log,msg:'CVE-2014-6271 - Bash Attack'"

SecRule ARGS "^\(\) {" \
"phase:2,deny,id:1003,t:urlDecode,t:urlDecodeUni,status:403,log,msg:'CVE-2014-6271 - Bash Attack'"

SecRule FILES_NAMES "^\(\) {" \
"phase:2,deny,id:1004,t:urlDecode,t:urlDecodeUni,status:403,log,msg:'CVE-2014-6271 - Bash Attack'"

## End bash attack

Re:Issue with FSF statement...

[Savage-Rabbit]

Everyone using Bash has the freedom to download, inspect, and modify the code -- unlike with Microsoft, Apple, or other proprietary software.

This comes across as scaremongering, as its a blanket statement professing the openness of bash compared specifically to Microsoft and Apple, while both those companies have huge collections of open source projects where I can do just what they are trumpeting with Bash and the GPL.

Its a perfect example of why blanket statements should be studied very carefully before being used, as it can just distort your perceived stance when people call you on the flaws of your statement.

Apple open sources large portions of their OS X operating system including, it seems, the version of BASH they include with it. Using that website I was able to download the source code for their VPN daemon (same one used on Linux), patch it, compile it and install it in on my mother's MacBook to allow her to connect to a Microsoft VPN server that was sending malformed greeting strings. With Aqua you are unfortunately out of luck since it is closed source. With Windows you are not just out of luck ayoure _shit_ out of luck since the whole thing is closed source, unless you are a major foreign government. They get the rare privilege of doing their own code reviews.

Re:Issue with FSF statement...

[lippydude]

@Richard_at_work: "I'd be interested to hear why the down modder thinks my points above are trolling"

Specifically what in your opinion is inaccurate about the following statement.

'Everyone using Bash has the freedom to download, inspect, and modify the code -- unlike with Microsoft, Apple, or other proprietary software.'

Microsoft contributes to certain open source projects while at the same time extorting revenue from Android handset makers under threats of litigation. As such its support of openness is suspect.

Re:Ars Technica speculates?

[gnasher719]

This is nothing more than anti GPL FUD. I mean how did Apple manage to originally bundle BASH without contaminating Mac OS X with the GPL 'viral' license. Shame on Ars Technica for spreading this FUD further. Since when has slashdot become a platform for spreading anti-GPL propaganda?

Excuse me, but there is no "anti GPL FUD" or "anti-GPL propaganda". Apple doesn't want to touch GPL 3 licensed code, and quite rightfully so.

Is it actually a bug at all?

[anynameleft]

Once upon a time, I learnt that one should not make setuid-root sh scripts, exactly because the shell has so many unpredictable ways to make your script unsecure and because secure input validation inside shell scripts itself is nearly impossible. So why do we have the situation now, that internet services are calling bash scripts to run as root with data input from the internet without proper validation?

In other words: It's no wonder that bash is still 'vulnerable' after two patches, because it isn't supposed to be used like this. And the remaining problems are not a bug in bash, but wrong usage of bash.

Re:Is it actually a bug at all?

[AqD]

It doesn't have to run as root. Even httpd user identity is powerful enough to call ps and check /tmp and all sorts of stuff for further discovery of vulnerability.

While an ideal system provide several layers of security and prevention mechanism against exploits, the average web application developers are either idiots who are completely ignorant of security-related issues (ex: SQL injection) or underpaid labors who just don't give a shit about it (I did that too, blame the customers I don't care), and their code at application-side plus ridiculous system setup could often nullify whatever protection you have in kernel/http-server, and magically enlarge every small bug into serious backdoor.

Re:Is it actually a bug at all?

[david_bonn]

I'd heartily agree with the above remarks.

To be honest, using bash for running scripts, especially on something public-facing like a web server, is just driven by laziness and stupidity. Most scripts would run perfectly fine on a lightweight shell without all of bash's features.

If you are talking an embedded system or even a dedicated server, I really don't understand why you'd want (or need) bash on your system at all. For that matter, for a lot of embedded systems I know there is no good reason to have a shell on your system, except possibly for testing or debuggery.

The cheapest, fastest, and most reliable components of any systems are the ones that aren't there. Oh, and the most secure as well.

Re: Issue with FSF statement...

[samkass]

It's true, Apple releases the full source code to the UNIX underlying MacOS X, including all the user land command line utilities and the OS kernel. You can rebuild them all.

So what is this article about?? Things are working exactly like FSF intended. Apple users can download the source to bash, patch it, and install it on their own machines. If people wait for the vendor to patch, what's the difference between it and closed source?

Forget Apple engineers, use NetBSD's patch

The smartest thing to do right now is to not expose a buggy 25-year-old parser to any random person on the internet. Just disable function importing from the environment by default and put it behind a flag.

Here is a BSD-licensed patch for it: http://seclists.org/oss-sec/20...

You're welcome.

MS patented "open", funky licenses

[raymorris]

> There can no be any 'suspect' in the 'openness' because they have agreed to the license

In some cases, such as document formats, they have patents that apply. The _copyright_ license means you're not violating their _copyright_ by using/modifying/distributing the code, or code that has a similar function, but you're still subject to theor patents, so they can still sue you for millions and billions of dollars. The only protection you have for this code (and any code that reads or writes their format) is an informal promise that as long as they don't mind what you're doing, this year they won't sue you. That's certainly suspect. They might not completely screw everyone who touches their code, but they've reserved the right to do so.

They also have a license which they call "open", but it sure doesn't read like any open source license before. "Hi, my name's Chelsea", their license purrs, with her adam's apple rising. Suspect.

Use Macports

[ugen]

Macports updated their version of bash. Get macports here, if you don't already have them, and install bash: https://www.macports.org/
Make sure to move their bash into /bin and remove original Mac binary.

Re:Issue with FSF statement...

[fnj]

Show us some OS source code or shut the hell up, shill.

OK, here's the full source to Apple's version of bash, and here is the source to the entire open part of OSX, including the XNU kernel.

Now YOU shut the fuck up, you clueless knuckle dragging cowardly fool,

Re:Issue with FSF statement...

[Richard_at_work]

The fact that its a blanket statement makes it inaccurate, when I can use and contribute to Katana, Kudu, Entity Framework, Asp.Net MVC, Helios, WebAPI, vNext and a host of other things on the MS side, or LLVM and others on the Apple side. Microsoft support of open source is the same as Gnu and FSF - they both support their own pet things and ignore hosts of other things.

Patent license revenue is entirely an aside to this and has fuck all to do with the point at hand. Just because you are an open source project doesn't make you above patent law.

Re: Issue with FSF statement...

An hour? Well, you probably learnt some things during that hour.

Now, I told a Mac-using colleague about shellshock on Thursday morning, told him what to type at the terminal to verify that his shell had the bug, went to get a cup of coffee, came back to my desk, and there he was already waiting to say, "There, I've patched it". And he had, too.

Re: Stackexchange has discussion on patching yours

Yes - I have a machine which I patched with this method. But then I created the question and answer as well as my blog at http://alblue.bandlem.com where I've been writing about it, and at http://www.infoq.com @alblue

Re:Ars Technica speculates?

[Richard_at_work]

So anyone not agreeing with your ideology is a sociopath? Don't you get the irony in that?

Re:Ars Technica speculates?

[jo_ham]

The version of Bash with the patch is v3, the version Apple uses is v2. They're perfectly happy to ship GPLv2 code (quite a bit of their codebase is GPL), but they have strenuously avoided GPLv3 where possible.

What is hard to understand about this?

That, plus the fact that the patches issued so far are not 100% effective is probably why there is no official patch from Apple yet (you are free to compile your own of course).

They have stated that they are working on it, so it will be forthcoming soon enough.

Re:Ars Technica speculates?

[jo_ham]

Ah, propaganda!

GPLv3: "code should be open and free, unless we decide that the freedom that a company chose was not the freedom we wanted them to choose!"

So, you think idea that you can do anything you want within the terms of the licence is a "loophole". Mhhmmm.

Oh, and let's not forget the idea that anyone who disagrees with your position is a sociopath.

What next? The test for sociopathic tendencies involves presenting a choice of OSS licences and if the subject picks anything other than GPLv3 they get branded a sociopath?

Re:Issue with FSF statement...

[ceoyoyo]

It's a stupid statement anyway. OS X is partly open source and partly closed. The bug is in the open source bit. So just download a patched version of bash, compile it, and install. Problem solved, just like you could do with any open source OS. People have even written a bunch of scripts to do the whole thing for you.

Re:Issue with FSF statement...

[ceoyoyo]

Open source is pretty IRRELEVANT to the average user. They want something that lets them run Word and look at Facebook. To anybody with the technical ability to make use of the source, the open parts of OS X are the important ones. Not having the source code to your window manager isn't the end of the world. For example, this situation - the vulnerability is in the open source part, so you can go ahead and patch it yourself.

Re:Issue with FSF statement...

[gnasher719]

OK, here's the full source to Apple's version of bash, and here is the source to the entire open part of OSX, including the XNU kernel.

Just noticed with surprise that linking to Apple open source code is apparently "flame bait".

Re:Ars Technica speculates?

[ceoyoyo]

The GPL v4:

You may not modify, distribute, publish, compile, share, view or in any other way make use of this source code without the express written permission of Richard M. Stallman. This is for the protection of your freedoms, comrade!

Re:Issue with FSF statement...

[tepples]

I don't see the full source for OS X

http://opensource.apple.com

I don't see anything related to Quartz or Cocoa on this page. So I don't see how this is full source.

Re:Issue with FSF statement...

[squiggleslash]

I suspect large numbers of people saw the bug, but didn't realize the implications and took no action knowing that the last thing you want to do with a programming language (which a shell like a bourne implementation implements) is change what constitutes valid code.

What does this mean? Unsure. It's always been bad practice to use system() or similar calls to start other apps. What this issue has revealed is not so much that bash has a bug in it, but that rather too many applications rely upon bash and shouldn't. Bash is always a vector, and writing code that calls it already means working a great deal on input validation exercises that risk failure.

The scary part is that a significant amount of the *ix community doesn't care - they call system() anyway, or blindly allow the shell environment to be modified, without asking themselves whether this is a good idea.

Re:Stackexchange has discussion on patching yourse

[armanox]

Confirmed that it works on Snow Leopard.

Re:Issue with FSF statement...

[smash]

So you are just writing off their contributions to webkit, CUPS, zeroconf, gcd, llvm, etc. Things that other operating systems and applications can and do benefit from?

Re:Ars Technica speculates?

[smash]

The amount of GPL code in OS X userland is exceedingly minimal. Most of it is from FreeBSD.

Re:Ars Technica speculates?

[kthreadd]

What are you talking about? It is completely factual and a valid point. Apple currently bundles 3.2.51, which is licensed under GPLv2. The patched version of bash is the new 4.3.25, which is licensed using GPLv3. Including it would change the license they are using, which I imagine takes some consideration.

Here are patches for Bash 3.2:

https://ftp.gnu.org/gnu/bash/b...
https://ftp.gnu.org/gnu/bash/b...

Re:Issue with FSF statement...

[Savage-Rabbit]

The difference between Savage Rabbits post and the FSFs statement is that the above post isn't a blanket one.

What is the FSF complaining about anyway? That Apple is hesitating to adopt their GPLv3 licensed version? Then Apple is a member of a large crowd that apparently includes Linus Torvalds who also has reservations about using GPLv3. Meanwhile Apple's version of BASH is freely downloadable and user modifiable which AFAIK is what the FSF wants. While it is certainly true that Apple should have quickly pushed a patch for this problem the FSF made a blanket statement that just isn't true.

Paging Dr. House

[ColdWetDog]

Dunno about the OP, but I've to, due to job, from time to time. It's a bit like jail, with soft, white round corners. It gives me the jeebies, and I'm always grateful to return to my Debian box (FVWM, by the way).

So yes, I have, and never enjoyed the experience.

---------
Ah, now we've got it:

Separation anxiety disorder of childhood

      F93.0 is a billable ICD-10-CM code that can be used to specify a diagnosis.

Clinical Information:

        Anxiety experienced by an individual upon separation from a person or object of particular significance to him.