Bash bug: apply the unofficial patch now (CVE-2014-6277)

For Mac OS X, until Apple releases a software update, I&#x27;ve applied the original CVE-2014-6271 (shellshock) patch and the CVE-2014-7169 patch. I will be applying Florian&#x27;s patch once it or a similar patch come out for 3.2.<p>Repository and instructions to reproduce without trusting me are located here: <a href="https://github.com/ido/macosx-bash-92-shellshock-patched" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;ido&#x2F;macosx-bash-92-shellshock-patched</a><p>Binary releases are here: <a href="https://github.com/ido/macosx-bash-92-shellshock-patched/releases" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;ido&#x2F;macosx-bash-92-shellshock-patched&#x2F;rel...</a> ...including a .pkg file that can be installed with a double-click.<p>Instruction here: <a href="https://github.com/ido/macosx-bash-92-shellshock-patched/blob/master/README.md" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;ido&#x2F;macosx-bash-92-shellshock-patched&#x2F;blo...</a><p>Pull requests are welcome, especially if you&#x27;ve modified Florian&#x27;s patch to apply cleanly on 3.2, which is my next task.

Looks like it&#x27;s in Ubuntu&#x27;s build:<p><pre><code> $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 12.04.3 LTS Release: 12.04 Codename: precise $ dpkg -l bash | tail -1 ii bash 4.2-2ubuntu2.5 GNU Bourne Again SHell $ foo() { echo foo; } $ export -f foo $ env | grep BASH_FUNC BASH_FUNC_foo()=() { echo foo </code></pre> Is this a correct test?<p>Probably as of about 13:27 UTC yesterday, if I&#x27;m reading correctly here: <a href="https://bazaar.launchpad.net/~ubuntu-branches/ubuntu/precise/bash/precise-security/revision/64" rel="nofollow">https:&#x2F;&#x2F;bazaar.launchpad.net&#x2F;~ubuntu-branches&#x2F;ubuntu&#x2F;precise...</a>

Given that Florian is the guy making the decisions on the RHEL bash package updates, I suspect this patch is already in the latest RHEL&#x2F;CentOS&#x2F;Scientific Linux bash package (the one that came out early yesterday, soon after the patch was posted to the oss-sec list).<p>Edit: Confirmed in this bugzilla ticket comment <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c51" rel="nofollow">https:&#x2F;&#x2F;bugzilla.redhat.com&#x2F;show_bug.cgi?id=1141597#c51</a>

ASLR is another one of the nice things about dash compared to bash in Debian:<p><pre><code> $ hardening-check &#x2F;bin&#x2F;dash &#x2F;bin&#x2F;bash &#x2F;bin&#x2F;dash: Position Independent Executable: yes Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: yes &#x2F;bin&#x2F;bash: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no, not found!</code></pre>

As an alternative, make sure that &#x2F;bin&#x2F;sh is set to something other than bash. In Debian and Ubuntu it is already set to dash by default.<p>(There&#x27;s no guarantee that dash doesn&#x27;t have similar problems, but at least the surface area is smaller.)

I&#x27;m impressed by Florian. Not only is his turnaround time quick when people finds faults in what has been his baby for quite a few years now, he immediately recognizes real issues from the contant stream of non-issues being reported.<p>Everyone would think this is the way we would react, but in reality most people go out of their way to prove that these issues are not exploitable first. He spots them straight away with no pride to get in the way. Very professional.

here is someone&#x27;s github that has some sample tests:<p><a href="https://github.com/hannob/bashcheck" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;hannob&#x2F;bashcheck</a>

In case the site goes down or something, here&#x27;s a check to see if you&#x27;re vulnerable:<p><pre><code> foo=&#x27;() { echo not patched; }&#x27; bash -c foo</code></pre>

For homebrew:<p><pre><code> cd $(brew --repository) git remote add krishicks git@github.com:krishicks&#x2F;homebrew.git git fetch krishicks bash git checkout krishicks&#x2F;bash brew upgrade bash </code></pre> I&#x27;ve opened a PR: <a href="https://github.com/Homebrew/homebrew/pull/32753" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;Homebrew&#x2F;homebrew&#x2F;pull&#x2F;32753</a>

Thank you God for Florian Weimer! Now that reason has prevailed over this insanity [1][2] I can sleep well again.<p>1. <a href="https://news.ycombinator.com/item?id=8368272" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=8368272</a> 2. <a href="https://news.ycombinator.com/item?id=8368676" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=8368676</a>

Does this unofficial patch work with a source code compile of bash 4.3 and patches 001 to 026? (Does this patch work on 4.3? Does this patch need to go on top of 025 and 026, or do I need to omit 025 and 026, or some other approach?) Thanks for advice -- much appreciated!

Must say I&#x27;m rather hesitant to recompile it myself with some code someone suggests will &quot;harden&quot; it somehow. If it&#x27;s a good patch, why wouldn&#x27;t it be included in the repositories? Or will it, but it probably takes a few days?<p>Edit: To clarify, after recompiling I would need to manually update it in the future (or switch back to the repositories once they include it). Applying this patch is not a apply-and-forget action. I don&#x27;t really see the value of applying it myself, especially when I don&#x27;t connect to public&#x2F;company&#x2F;school networks during the weekend.

I have a proposal. As an alternative to #!&#x2F;bin&#x2F;program I propose that<p><pre><code> #!program </code></pre> is executed by using a program at a known location (or perhaps by following a system defined internal `PATH`) with a system cleaned or defined environment (e.g. PATH=&#x2F;bin:&#x2F;usr&#x2F;bin and a TERM matching [a-zA-Z0-9-]+<p>This would fix a lot of this shellshock nonsense and also be a better alternative to the #!&#x2F;bin&#x2F;env hack for finding programs at different locations on different systems.<p>Programs should use args for communicating.<p>Extended syntax for programs to declare that they really need certain environment variables:<p><pre><code> #!program env=WHITELIST OF ENV VARS ALLOWED</code></pre>