Updating OS X to fix the bash bug
As you may have heard, a critical security bug in bash was recently found.[1] Both OS X 10.9 and 10.10 are affected. You can check if you are by running this snippet:
$ X='() { x; }; echo vulnerable' bash -c ''
If you see 'vulnerable' in the output, you need to be patched.
While Apple has yet to release a patch, you may be anxious to fix this in your fleet. Here's how:
0) Install Xcode
1) Download the bash source code from Apple's OpenSource repository[2]:
$ curl -O https://opensource.apple.com/tarballs/bash/bash-92.tar.gz
2) Download the bash 3.2 patch from gnu.org:
$ curl -O https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052
3) Expand the bash source:
$ tar xzf bash-92.tar.gz
4) Apply the patch:
# Apply patch in the bash-92/bash-3.2 directory
$ cd bash-92/bash-3.2
$ patch -p0 <../../bash32-052
patching file builtins/common.h
patching file builtins/evalstring.c
patching file variables.c
patching file patchlevel.h
5) Build the patched version:
# Build from the bash-92 directory
$ cd ..
$ xcodebuild
6) Test the new shell:
$ X='() { x; }; echo vulnerable' ./build/Release/bash -c ''
./build/Release/bash: warning: X: ignoring function definition attempt
./build/Release/bash: error importing function definition for `X'
7) Use your configuration management (puppet, chef, Casper) or package management (munki, Casper) to deploy both the new bash and sh.
N.B.: This first official patch doesn't mitigate every problem with the code, so keep up-to-date with discussions about it.
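A fleet-side check built around the probe used above, added here as an example (not the original author's code): it wraps the probe in a function you can run against every shell a host exposes and gate a deployment job on the result. It assumes a POSIX sh and takes the shell binary paths as arguments; the version-string parser is only a secondary hint.

```shell
#!/bin/sh
# Added example, not from the original post: a fleet pre/post-deployment
# check built around the probe used above. Assumes a POSIX sh; shell
# binaries to inspect are passed as arguments.

# Pure classifier over the probe's combined stdout/stderr, so it can be
# exercised offline on captured output. A patched bash either warns
# "ignoring function definition attempt" or prints nothing; only an
# unpatched one executes the trailing "echo vulnerable".
classify_probe_output() {
    case "$1" in
        *vulnerable*) printf 'vulnerable\n' ;;
        *)            printf 'patched\n' ;;
    esac
}

# Run the post's probe against one shell binary and print a verdict.
probe_shell() {
    bin="$1"
    [ -x "$bin" ] || { printf 'missing\n'; return 0; }
    out=$(X='() { x; }; echo vulnerable' "$bin" -c '' 2>&1)
    classify_probe_output "$out"
}

# Extract the patch level from `bash --version` output, e.g.
# "GNU bash, version 3.2.51(1)-release" -> 51. Apple shipped 3.2.51 and
# bash32-052 bumps patchlevel.h to 52. Treat this as a hint only; the
# behavioural probe above is the authoritative check.
patchlevel_from_version() {
    printf '%s\n' "$1" |
        sed -n 's/^GNU bash, version [0-9]*\.[0-9]*\.\([0-9]*\).*/\1/p'
}

# Check every shell a host exposes (the post deploys both bash and sh) and
# return non-zero if any is still vulnerable, so a deployment job can gate on it.
check_host_shells() {
    rc=0
    for bin in "$@"; do
        verdict=$(probe_shell "$bin")
        printf '%-28s %s\n' "$bin" "$verdict"
        if [ "$verdict" = "vulnerable" ]; then rc=1; fi
    done
    return "$rc"
}

# Example invocation on a host after deploying the rebuilt binaries:
# check_host_shells /bin/bash /bin/sh ./build/Release/bash
```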
Short URL to this post:
http://goo.gl/NPkiL9
[1] Lots of sources:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-627
http://seclists.org/oss-sec/2014/q3/650
http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
[2] http://www.opensource.apple.com/release/os-x-1094/
- Not certain, but I'd guess it's some sort of internal-to-Apple versioning. (Sep 26, 2014)
- +Amanda Walker "seems to work" meaning the same binary works on all those versions, or building bash afresh on each OS X version? (Sep 26, 2014)
- I had to build from source on 10.6; a binary built on 10.9 did not run on 10.6. I didn't try any other permutations. (Sep 26, 2014)
- Machines running 10.6 have a bevy of other terrible security issues. This bash bug would be the least of them. (Sep 26, 2014)
- Yeah, Firefox still runs on 10.6, so we still run it :( (Sep 26, 2014)
- Building from source: a 10.9 binary won't run on 10.6. (Sep 26, 2014)