Slashdot Mirror
Apple Yet To Push Patch For "Shellshock" Bug
An anonymous reader writes "Open source operating systems vulnerable to the Shellshock bug have already pushed two patches to fix the vulnerability, but Apple has yet to issue one for Mac OS X. Ars Technica speculates that licensing issues may be giving Apple pause: "[T]he current [bash] version is released under the GNU Public License version 3 (GPLv3). Apple has avoided bundling GPLv3-licensed software because of its stricter license terms....Apple executives may feel they have to have their own developers make modifications to the bash code.""
It's also worth noting that there are still flaws with the patches issued so far. Meanwhile, Fedora Magazine has published an easy-to-follow description of how Shellshock actually works. The Free Software Foundation has also issued a statement about Shellshock.
Is there anything I should add to my ~/.cshrc file to protect against this bug?
the gpl is doing its job of preventing commercial software from benefiting from it.
Stackexchange has a link for anyone who wants to patch their own servers... I've been following it here: http://apple.stackexchange.com... I doubt we'll see a patch from apple until the community agrees that they have a working patch... sounds like they keep going down the rabbit hole right now; keep finding more issues. I upgraded my Lion Server with the current "official" patches, and also the "no function import" change. Better safe...
Some systems should be patched asap, of course, and we've patched our most critical systems. However, the bash team is still working out the best way to do a comprehensive fix, one that takes care of related issues as well as the initial exploit. As of Friday evening Red Hat and upstream bash were headed in two different directions. We'll be waiting until probably Monday evening to patch most of our systems, even the bash team decides what they're going to do and that gets implemented in rpms. It's not unreasonable for most OSX users to take care of it Monday or so, especially since most Macs don't have a public facing internet presence.
If you're using OSX for an important public facing web server, you can update it today via configure; ./make; make install
This comes across as scaremongering, as its a blanket statement professing the openness of bash compared specifically to Microsoft and Apple, while both those companies have huge collections of open source projects where I can do just what they are trumpeting with Bash and the GPL.
Its a perfect example of why blanket statements should be studied very carefully before being used, as it can just distort your perceived stance when people call you on the flaws of your statement.
Apple open sources large portions of their OS X operating system including, it seems, the version of BASH they include with it. Using that website I was able to download the source code for their VPN daemon (same one used on Linux), patch it, compile it and install it in on my mother's MacBook to allow her to connect to a Microsoft VPN server that was sending malformed greeting strings. With Aqua you are unfortunately out of luck since it is closed source. With Windows you are not just out of luck ayoure _shit_ out of luck since the whole thing is closed source, unless you are a major foreign government. They get the rare privilege of doing their own code reviews.
Only to idiots, are orders laws.
-- Henning von Tresckow
@Richard_at_work: "I'd be interested to hear why the down modder thinks my points above are trolling"
Specifically what in your opinion is inaccurate about the following statement.
'Everyone using Bash has the freedom to download, inspect, and modify the code -- unlike with Microsoft, Apple, or other proprietary software.'
Microsoft contributes to certain open source projects while at the same time extorting revenue from Android handset makers under threats of litigation. As such its support of openness is suspect.
Initial versions of OS X did come with zsh instead of bash, they only switched later (but before there was any talk of the GPLv3). They reason they switched was for compatibility, as many packages expect /bin/sh to be bash (yes, they're technically broken, but that doesn't help end users that want to use/compile them).
Once upon a time, I learnt that one should not make setuid-root sh scripts, exactly because the shell has so many unpredictable ways to make your script unsecure and because secure input validation inside shell scripts itself is nearly impossible. So why do we have the situation now, that internet services are calling bash scripts to run as root with data input from the internet without proper validation?
In other words: It's no wonder that bash is still 'vulnerable' after two patches, because it isn't supposed to be used like this. And the remaining problems are not a bug in bash, but wrong usage of bash.
It's true, Apple releases the full source code to the UNIX underlying MacOS X, including all the user land command line utilities and the OS kernel. You can rebuild them all.
So what is this article about?? Things are working exactly like FSF intended. Apple users can download the source to bash, patch it, and install it on their own machines. If people wait for the vendor to patch, what's the difference between it and closed source?
E pluribus unum
The smartest thing to do right now is to not expose a buggy 25-year-old parser to any random person on the internet. Just disable function importing from the environment by default and put it behind a flag.
Here is a BSD-licensed patch for it: http://seclists.org/oss-sec/20...
You're welcome.
> There can no be any 'suspect' in the 'openness' because they have agreed to the license
In some cases, such as document formats, they have patents that apply. The _copyright_ license means you're not violating their _copyright_ by using/modifying/distributing the code, or code that has a similar function, but you're still subject to theor patents, so they can still sue you for millions and billions of dollars. The only protection you have for this code (and any code that reads or writes their format) is an informal promise that as long as they don't mind what you're doing, this year they won't sue you. That's certainly suspect. They might not completely screw everyone who touches their code, but they've reserved the right to do so.
They also have a license which they call "open", but it sure doesn't read like any open source license before. "Hi, my name's Chelsea", their license purrs, with her adam's apple rising. Suspect.
OK, here's the full source to Apple's version of bash, and here is the source to the entire open part of OSX, including the XNU kernel.
Now YOU shut the fuck up, you clueless knuckle dragging cowardly fool,
The version of Bash with the patch is v3, the version Apple uses is v2. They're perfectly happy to ship GPLv2 code (quite a bit of their codebase is GPL), but they have strenuously avoided GPLv3 where possible.
What is hard to understand about this?
That, plus the fact that the patches issued so far are not 100% effective is probably why there is no official patch from Apple yet (you are free to compile your own of course).
They have stated that they are working on it, so it will be forthcoming soon enough.
What are you talking about? It is completely factual and a valid point. Apple currently bundles 3.2.51, which is licensed under GPLv2. The patched version of bash is the new 4.3.25, which is licensed using GPLv3. Including it would change the license they are using, which I imagine takes some consideration.
Here are patches for Bash 3.2:
https://ftp.gnu.org/gnu/bash/b...
https://ftp.gnu.org/gnu/bash/b...