Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Yet To Push Patch For "Shellshock" Bug

Posted by timothy on from the everyone-has-their-reasons dept.

An anonymous reader writes "Open source operating systems vulnerable to the Shellshock bug have already pushed two patches to fix the vulnerability, but Apple has yet to issue one for Mac OS X. Ars Technica speculates that licensing issues may be giving Apple pause: "[T]he current [bash] version is released under the GNU Public License version 3 (GPLv3). Apple has avoided bundling GPLv3-licensed software because of its stricter license terms....Apple executives may feel they have to have their own developers make modifications to the bash code."" It's also worth noting that there are still flaws with the patches issued so far. Meanwhile, Fedora Magazine has published an easy-to-follow description of how Shellshock actually works. The Free Software Foundation has also issued a statement about Shellshock.

8 of 208 comments (clear)

  1. Re:~/.cshrc by oneiros27 · · Score: 5, Interesting

    Oh, you think you're kidding ... but the problem isn't just bash ... it's that Apple uses bash in place of sh.

    So most programs that shell out (php, perl, etc) are potentially vulnerable no matter what initial shell they were called from:

    csh< env x='() { :;}; echo vulnerable' perl -e 'system "echo test;"'
    vulnerable
    test
    csh>

    --
    Build it, and they will come^Hplain.
  2. Stackexchange has discussion on patching yourself by evandyke · · Score: 5, Informative

    Stackexchange has a link for anyone who wants to patch their own servers... I've been following it here: http://apple.stackexchange.com... I doubt we'll see a patch from apple until the community agrees that they have a working patch... sounds like they keep going down the rabbit hole right now; keep finding more issues. I upgraded my Lion Server with the current "official" patches, and also the "no function import" change. Better safe...

  3. Re:Issue with FSF statement... by lippydude · · Score: 5, Informative

    @Richard_at_work: "I'd be interested to hear why the down modder thinks my points above are trolling"

    Specifically what in your opinion is inaccurate about the following statement.

    'Everyone using Bash has the freedom to download, inspect, and modify the code -- unlike with Microsoft, Apple, or other proprietary software.'

    Microsoft contributes to certain open source projects while at the same time extorting revenue from Android handset makers under threats of litigation. As such its support of openness is suspect.

  4. Re:Bash a bad fit for osx by Anonymous Coward · · Score: 5, Informative

    Initial versions of OS X did come with zsh instead of bash, they only switched later (but before there was any talk of the GPLv3). They reason they switched was for compatibility, as many packages expect /bin/sh to be bash (yes, they're technically broken, but that doesn't help end users that want to use/compile them).

  5. Is it actually a bug at all? by anynameleft · · Score: 5, Insightful

    Once upon a time, I learnt that one should not make setuid-root sh scripts, exactly because the shell has so many unpredictable ways to make your script unsecure and because secure input validation inside shell scripts itself is nearly impossible. So why do we have the situation now, that internet services are calling bash scripts to run as root with data input from the internet without proper validation?

    In other words: It's no wonder that bash is still 'vulnerable' after two patches, because it isn't supposed to be used like this. And the remaining problems are not a bug in bash, but wrong usage of bash.

  6. Forget Apple engineers, use NetBSD's patch by Anonymous Coward · · Score: 5, Informative

    The smartest thing to do right now is to not expose a buggy 25-year-old parser to any random person on the internet. Just disable function importing from the environment by default and put it behind a flag.

    Here is a BSD-licensed patch for it: http://seclists.org/oss-sec/20...

    You're welcome.

  7. Re:Stallman would be proud by marcello_dl · · Score: 5, Insightful

    Moron: Yeah I wanna redistribute your software but not abide to the license it comes with it, because it's not freedom enough! I mean, give my source modification to everybody who asks? Avoid patenting and so effectively closing up the work you intended for the world? Why should I do that?

    Dev: how about you write your own damn code and license it as you please? And I suppose you are perfecly fine when your own licenses are being ignored?
     

    --
    ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
  8. Re:Ars Technica speculates? by kthreadd · · Score: 5, Informative

    What are you talking about? It is completely factual and a valid point. Apple currently bundles 3.2.51, which is licensed under GPLv2. The patched version of bash is the new 4.3.25, which is licensed using GPLv3. Including it would change the license they are using, which I imagine takes some consideration.

    Here are patches for Bash 3.2:

    https://ftp.gnu.org/gnu/bash/b...
    https://ftp.gnu.org/gnu/bash/b...