Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Yet To Push Patch For "Shellshock" Bug

Posted by timothy on from the everyone-has-their-reasons dept.

An anonymous reader writes "Open source operating systems vulnerable to the Shellshock bug have already pushed two patches to fix the vulnerability, but Apple has yet to issue one for Mac OS X. Ars Technica speculates that licensing issues may be giving Apple pause: "[T]he current [bash] version is released under the GNU Public License version 3 (GPLv3). Apple has avoided bundling GPLv3-licensed software because of its stricter license terms....Apple executives may feel they have to have their own developers make modifications to the bash code."" It's also worth noting that there are still flaws with the patches issued so far. Meanwhile, Fedora Magazine has published an easy-to-follow description of how Shellshock actually works. The Free Software Foundation has also issued a statement about Shellshock.

25 of 208 comments (clear)

  1. ~/.cshrc by Bing+Tsher+E · · Score: 4, Funny

    Is there anything I should add to my ~/.cshrc file to protect against this bug?

    1. Re:~/.cshrc by oneiros27 · · Score: 5, Interesting

      Oh, you think you're kidding ... but the problem isn't just bash ... it's that Apple uses bash in place of sh.

      So most programs that shell out (php, perl, etc) are potentially vulnerable no matter what initial shell they were called from:

      csh< env x='() { :;}; echo vulnerable' perl -e 'system "echo test;"'
      vulnerable
      test
      csh>

      --
      Build it, and they will come^Hplain.
    2. Re:~/.cshrc by fnj · · Score: 4, Interesting

      Rename /bin/bash to /bin/bash.bak then create a link [cyberciti.biz] from /bin/dash to /bin/bash ..

      And get ready for a whole lot of scripts failing. Scripts that start with #!/bin/sh but are written dependant on bash features will fail. Scripts that start with #!/bin/bash on the other hand will just fail to start. You'll have a busted-ass system, but at least it won't be attacked.

      Now if you were running debian or ubuntu /bin/sh would already be a link to /bin/dash, and there wouldn't be any screwed up scripts because the design of the file layout was made by people who weren't brain dead.

    3. Re:~/.cshrc by Kiwikwi · · Score: 3, Interesting

      It really has nothing to do with the default shell. It won't matter what shell is the default when your CGI script starts with #!/bin/bash.

      No, no, no, no... People really don't get the scope of this.

      It doesn't matter what the default user shell is, or what language a CGI script is written in. Bash is the most common system shell, which means it's invoked all the time when other programs run commands.

      Obviously, I can't know this, but OP is probably not using csh as his system shell, because that's not POSIX compliant and would cause major breakage.

      If /bin/sh is Bash, you're vulnerable, no matter what shell you're using yourself, or what language your CGI script is written in.

      Also, CGI scripts is only the most obvious attack vector; others that have been identified so far are the CUPS printing daemon, the ISC DHCP client and locked down SSH shells like those commonly used to host Git repositories. But there are without doubt many more. The only safe thing to do is to upgrade or remove Bash from your system immediately.

  2. Stallman would be proud by Anonymous Coward · · Score: 4, Insightful

    the gpl is doing its job of preventing commercial software from benefiting from it.

    1. Re: Stallman would be proud by frikken+lazerz · · Score: 3, Insightful

      Stallman is batshit insane though, and doesn't even come close to representing the average FOSS user. That would be like thinking all liberals are like Michael Moore or all conservatives are like Rush Limbaugh. The average FOSS advocate just wants his software to work. He prefers FOSS because it is more secure and has the user's interests in mind, unlike software like iTunes that tries to sell users stuff or Chrome that tracks you and sells your data to the highest bidder. The average FOSS user doesn't care if there are binary blobs and doesn't mind using Adobe's Flash because it's way better than any of the open alternatives. This is also the reason Ubuntu and Mint are so popular, not GNUSense or whatever other totally free alternative he recommends. Tl;dr, Stallman shouldn't and represent the FOSS community, and although his ideas might be good in principle, the average user just wants his software to work on par or better than what he used to use on Windows.

    2. Re:Stallman would be proud by marcello_dl · · Score: 5, Insightful

      Moron: Yeah I wanna redistribute your software but not abide to the license it comes with it, because it's not freedom enough! I mean, give my source modification to everybody who asks? Avoid patenting and so effectively closing up the work you intended for the world? Why should I do that?

      Dev: how about you write your own damn code and license it as you please? And I suppose you are perfecly fine when your own licenses are being ignored?
       

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
  3. Stackexchange has discussion on patching yourself by evandyke · · Score: 5, Informative

    Stackexchange has a link for anyone who wants to patch their own servers... I've been following it here: http://apple.stackexchange.com... I doubt we'll see a patch from apple until the community agrees that they have a working patch... sounds like they keep going down the rabbit hole right now; keep finding more issues. I upgraded my Lion Server with the current "official" patches, and also the "no function import" change. Better safe...

  4. Re:Ars Technica speculates? by cryptizard · · Score: 3, Informative

    What are you talking about? It is completely factual and a valid point. Apple currently bundles 3.2.51, which is licensed under GPLv2. The patched version of bash is the new 4.3.25, which is licensed using GPLv3. Including it would change the license they are using, which I imagine takes some consideration.

  5. Probably good to give another 48 hours anyway by raymorris · · Score: 4, Insightful

    Some systems should be patched asap, of course, and we've patched our most critical systems. However, the bash team is still working out the best way to do a comprehensive fix, one that takes care of related issues as well as the initial exploit. As of Friday evening Red Hat and upstream bash were headed in two different directions. We'll be waiting until probably Monday evening to patch most of our systems, even the bash team decides what they're going to do and that gets implemented in rpms. It's not unreasonable for most OSX users to take care of it Monday or so, especially since most Macs don't have a public facing internet presence.

    If you're using OSX for an important public facing web server, you can update it today via configure; ./make; make install

  6. Re:Issue with FSF statement... by Savage-Rabbit · · Score: 4, Informative

    Everyone using Bash has the freedom to download, inspect, and modify the code -- unlike with Microsoft, Apple, or other proprietary software.

    This comes across as scaremongering, as its a blanket statement professing the openness of bash compared specifically to Microsoft and Apple, while both those companies have huge collections of open source projects where I can do just what they are trumpeting with Bash and the GPL.

    Its a perfect example of why blanket statements should be studied very carefully before being used, as it can just distort your perceived stance when people call you on the flaws of your statement.

    Apple open sources large portions of their OS X operating system including, it seems, the version of BASH they include with it. Using that website I was able to download the source code for their VPN daemon (same one used on Linux), patch it, compile it and install it in on my mother's MacBook to allow her to connect to a Microsoft VPN server that was sending malformed greeting strings. With Aqua you are unfortunately out of luck since it is closed source. With Windows you are not just out of luck ayoure _shit_ out of luck since the whole thing is closed source, unless you are a major foreign government. They get the rare privilege of doing their own code reviews.

    --
    Only to idiots, are orders laws.
    -- Henning von Tresckow
  7. Re:Issue with FSF statement... by lippydude · · Score: 5, Informative

    @Richard_at_work: "I'd be interested to hear why the down modder thinks my points above are trolling"

    Specifically what in your opinion is inaccurate about the following statement.

    'Everyone using Bash has the freedom to download, inspect, and modify the code -- unlike with Microsoft, Apple, or other proprietary software.'

    Microsoft contributes to certain open source projects while at the same time extorting revenue from Android handset makers under threats of litigation. As such its support of openness is suspect.

  8. Re:Bash a bad fit for osx by Anonymous Coward · · Score: 5, Informative

    Initial versions of OS X did come with zsh instead of bash, they only switched later (but before there was any talk of the GPLv3). They reason they switched was for compatibility, as many packages expect /bin/sh to be bash (yes, they're technically broken, but that doesn't help end users that want to use/compile them).

  9. Is it actually a bug at all? by anynameleft · · Score: 5, Insightful

    Once upon a time, I learnt that one should not make setuid-root sh scripts, exactly because the shell has so many unpredictable ways to make your script unsecure and because secure input validation inside shell scripts itself is nearly impossible. So why do we have the situation now, that internet services are calling bash scripts to run as root with data input from the internet without proper validation?

    In other words: It's no wonder that bash is still 'vulnerable' after two patches, because it isn't supposed to be used like this. And the remaining problems are not a bug in bash, but wrong usage of bash.

  10. Re: Issue with FSF statement... by samkass · · Score: 4, Insightful

    It's true, Apple releases the full source code to the UNIX underlying MacOS X, including all the user land command line utilities and the OS kernel. You can rebuild them all.

    So what is this article about?? Things are working exactly like FSF intended. Apple users can download the source to bash, patch it, and install it on their own machines. If people wait for the vendor to patch, what's the difference between it and closed source?

    --
    E pluribus unum
  11. Forget Apple engineers, use NetBSD's patch by Anonymous Coward · · Score: 5, Informative

    The smartest thing to do right now is to not expose a buggy 25-year-old parser to any random person on the internet. Just disable function importing from the environment by default and put it behind a flag.

    Here is a BSD-licensed patch for it: http://seclists.org/oss-sec/20...

    You're welcome.

  12. MS patented "open", funky licenses by raymorris · · Score: 4, Insightful

    > There can no be any 'suspect' in the 'openness' because they have agreed to the license

    In some cases, such as document formats, they have patents that apply. The _copyright_ license means you're not violating their _copyright_ by using/modifying/distributing the code, or code that has a similar function, but you're still subject to theor patents, so they can still sue you for millions and billions of dollars. The only protection you have for this code (and any code that reads or writes their format) is an informal promise that as long as they don't mind what you're doing, this year they won't sue you. That's certainly suspect. They might not completely screw everyone who touches their code, but they've reserved the right to do so.

    They also have a license which they call "open", but it sure doesn't read like any open source license before. "Hi, my name's Chelsea", their license purrs, with her adam's apple rising. Suspect.

  13. Use Macports by ugen · · Score: 3, Insightful

    Macports updated their version of bash. Get macports here, if you don't already have them, and install bash: https://www.macports.org/
    Make sure to move their bash into /bin and remove original Mac binary.

  14. Re:Issue with FSF statement... by fnj · · Score: 4, Informative

    Show us some OS source code or shut the hell up, shill.

    OK, here's the full source to Apple's version of bash, and here is the source to the entire open part of OSX, including the XNU kernel.

    Now YOU shut the fuck up, you clueless knuckle dragging cowardly fool,

  15. Re:Issue with FSF statement... by Richard_at_work · · Score: 3, Insightful

    The fact that its a blanket statement makes it inaccurate, when I can use and contribute to Katana, Kudu, Entity Framework, Asp.Net MVC, Helios, WebAPI, vNext and a host of other things on the MS side, or LLVM and others on the Apple side. Microsoft support of open source is the same as Gnu and FSF - they both support their own pet things and ignore hosts of other things.

    Patent license revenue is entirely an aside to this and has fuck all to do with the point at hand. Just because you are an open source project doesn't make you above patent law.

  16. Re: Stackexchange has discussion on patching yours by Anonymous Coward · · Score: 3, Informative

    Yes - I have a machine which I patched with this method. But then I created the question and answer as well as my blog at http://alblue.bandlem.com where I've been writing about it, and at http://www.infoq.com @alblue

  17. Re:Ars Technica speculates? by jo_ham · · Score: 4, Informative

    The version of Bash with the patch is v3, the version Apple uses is v2. They're perfectly happy to ship GPLv2 code (quite a bit of their codebase is GPL), but they have strenuously avoided GPLv3 where possible.

    What is hard to understand about this?

    That, plus the fact that the patches issued so far are not 100% effective is probably why there is no official patch from Apple yet (you are free to compile your own of course).

    They have stated that they are working on it, so it will be forthcoming soon enough.

  18. Re:Issue with FSF statement... by gnasher719 · · Score: 3, Informative

    OK, here's the full source to Apple's version of bash, and here is the source to the entire open part of OSX, including the XNU kernel.

    Just noticed with surprise that linking to Apple open source code is apparently "flame bait".

  19. Re:Ars Technica speculates? by ceoyoyo · · Score: 3, Funny

    The GPL v4:

    You may not modify, distribute, publish, compile, share, view or in any other way make use of this source code without the express written permission of Richard M. Stallman. This is for the protection of your freedoms, comrade!

  20. Re:Ars Technica speculates? by kthreadd · · Score: 5, Informative

    What are you talking about? It is completely factual and a valid point. Apple currently bundles 3.2.51, which is licensed under GPLv2. The patched version of bash is the new 4.3.25, which is licensed using GPLv3. Including it would change the license they are using, which I imagine takes some consideration.

    Here are patches for Bash 3.2:

    https://ftp.gnu.org/gnu/bash/b...
    https://ftp.gnu.org/gnu/bash/b...