
Apple Yet To Push Patch For "Shellshock" Bug

An anonymous reader writes "Open source operating systems vulnerable to the Shellshock bug have already pushed two patches to fix the vulnerability, but Apple has yet to issue one for Mac OS X. Ars Technica speculates that licensing issues may be giving Apple pause: "[T]he current [bash] version is released under the GNU Public License version 3 (GPLv3). Apple has avoided bundling GPLv3-licensed software because of its stricter license terms....Apple executives may feel they have to have their own developers make modifications to the bash code."" It's also worth noting that there are still flaws with the patches issued so far. Meanwhile, Fedora Magazine has published an easy-to-follow description of how Shellshock actually works. The Free Software Foundation has also issued a statement about Shellshock.
  • ~/.cshrc (Score:4, Funny)

    by Bing Tsher E ( 943915 ) on Saturday September 27, 2014 @07:31AM (#48008475) Journal

    Is there anything I should add to my ~/.cshrc file to protect against this bug?

    • Re:~/.cshrc (Score:5, Interesting)

      by oneiros27 ( 46144 ) on Saturday September 27, 2014 @07:35AM (#48008495) Homepage

      Oh, you think you're kidding ... but the problem isn't just bash ... it's that Apple uses bash in place of sh.

      So most programs that shell out (php, perl, etc) are potentially vulnerable no matter what initial shell they were called from:

      csh< env x='() { :;}; echo vulnerable' perl -e 'system "echo test;"'
      vulnerable
      test
      csh>

      • Posting to undo accidental moderation, darn tremor.
      • "Oh, you think you're kidding ... but the problem isn't just bash ... it's that Apple uses bash in place of sh."

        A long time ago I used a non-Intel version of MacOSX that had tcsh as the default shell. So the parent might not be joking if .cshrc was part of the tcsh installation (tcsh has its own config .tcshrc but also reads .cshrc). If that's the case, well, none of the c-shells suffer from this bug. I wonder why Apple made the change. tcsh is BSD licensed as it's (or was) the default NetBSD (FreeBSD?) she

        • It really has nothing to do with the default shell. It won't matter what shell is the default when your CGI script starts with #!/bin/bash.

          • Re:~/.cshrc (Score:4, Interesting)

            by Kiwikwi ( 2734467 ) on Sunday September 28, 2014 @03:40AM (#48012793)

            It really has nothing to do with the default shell. It won't matter what shell is the default when your CGI script starts with #!/bin/bash.

            No, no, no, no... People really don't get the scope of this.

            It doesn't matter what the default user shell is, or what language a CGI script is written in. Bash is the most common system shell, which means it's invoked all the time when other programs run commands.

            Obviously, I can't know this, but OP is probably not using csh as his system shell, because that's not POSIX compliant and would cause major breakage.

            If /bin/sh is Bash, you're vulnerable, no matter what shell you're using yourself, or what language your CGI script is written in.

            Also, CGI scripts are only the most obvious attack vector; others that have been identified so far are the CUPS printing daemon, the ISC DHCP client and locked down SSH shells like those commonly used to host Git repositories. But there are without doubt many more. The only safe thing to do is to upgrade or remove Bash from your system immediately.

      • by smash ( 1351 )
        Linux also uses bash in place of sh in most distributions. Linux also uses a dhcp daemon which is vulnerable to being used to exploit this bash bug. OS X does not.
    • Re: (Score:2, Funny)

      by koan ( 80826 )

      Yeah a better operating system than OSX.

      • OSX is my favorite, second to Linux. But honestly, it isn't that close.

  • by Anonymous Coward on Saturday September 27, 2014 @07:31AM (#48008477)

    the gpl is doing its job of preventing commercial software from benefiting from it.

    • Stallman is batshit insane though, and doesn't even come close to representing the average FOSS user. That would be like thinking all liberals are like Michael Moore or all conservatives are like Rush Limbaugh. The average FOSS advocate just wants his software to work. He prefers FOSS because it is more secure and has the user's interests in mind, unlike software like iTunes that tries to sell users stuff or Chrome that tracks you and sells your data to the highest bidder. The average FOSS user doesn't car
      • "more secure?" Have you been paying attention?

        As for having the "users interest" in mind, I'm not so sure about that either. Commercial software has a whole different idea of what the user's interest is. Apple and Microsoft think it's what the user is willing to pay for. That view is not entirely wrong. Google thinks that the user's interest is whatever the user expresses any interest in.

        None of them are very prone to thinking about what is in the user's BEST interest. I think they don't feel entirely

        • Apple isn't into commercial software.

          They make their $$$ off the hardware that is handsomely marked up.

          But thanks for trying!

          Oh, and Google ... ha! ... well ... Stanford pledged to not do privacy research with Google grant money, so you can read between the lines. Google's interests aren't the same as the "user's best interest" if it conflicts with advertising or privacy.

          You have potential, young Skywalker, but your comments clearly prove a Jedi, you are not.

          But you will be someday ...
          • Apple isn't into commercial software.
            They make their $$$ off the hardware that is handsomely marked up.

            What do you call Aperture, Logic Pro, Final Cut, Mainstage, Compressor and Motion?
            What's the difference between a Mac and a PC if it's not commercial software?
            What's the difference between an iPhone and an Android phone if it's not commercial software?
            What is Mac OS and all the apps that come with it if not commercial software?

            You seem confused about what it is that differentiates Apple's products.

          • You have potential, young Skywalker, but your comments clearly prove a Jedi, you are not.

            You're right. I'm not a member of your religion.

            But you will be someday ...

            Don't hold your breath

        • by JSG ( 82708 )

          Bollocks.

          MS famously invented the notion of "a best practice". Unfortunately they seem incapable of following good practice in many areas. The other vendors you mention also have similar foibles regarding what's best for you.

          Now the FOSS community is just that - a community filled with opinions, advice and a fair old software output.

          Each product stands on its own. You pays your money ...

          Cheers
          Jon

    • by marcello_dl ( 667940 ) on Saturday September 27, 2014 @10:42AM (#48009107) Homepage Journal

      Moron: Yeah I wanna redistribute your software but not abide by the license it comes with, because it's not freedom enough! I mean, give my source modification to everybody who asks? Avoid patenting and so effectively closing up the work you intended for the world? Why should I do that?

      Dev: how about you write your own damn code and license it as you please? And I suppose you are perfectly fine when your own licenses are being ignored?

    • I'm sure that Apple, with $160 B in the bank, and developers writing entirely new programming languages like Swift are betwixt --- just betwixt!!! --- at the things the open source community can write in code that they can't figure out!!

      Maybe some day Apple will smarten up and move to next to Stanford and Berkeley so they can buy some coding talent and be able to patch these kinds of things.

      Until then, they will be at the mercy of the GPL v3.

      [Either that or how the hell can this even be exploited on a Ma
      • Partial output from running "man bash" on my Mac:

        COPYRIGHT
                      Bash is Copyright (C) 1989-2005 by the Free Software Foundation, Inc.

        By the way, betwixt means between.

      • Actually, Apple uses an old version based on Bash 3.2 which is under GPLv2. Not really a problem, patches exist for as old as Bash 2.0.

    • by smash ( 1351 )
      Well.... not really. All I've had to do is ensure I am not running apache or open ssh on my macs. I'm not. Meanwhile anyone running Linux with dhcpd is vulnerable until they fix bash. On my FreeBSD servers I just uninstalled bash. Job done. This bug was fixed in sh about 30 years ago apparently according to Twitter.
  • Aren't there shellshock patches available for the non-GPL 3'd versions of bash?

    • Redhat has patched the bug right down to RHEL 4, which has bash 3.0 which is even lower than Apple's bash version:

      https://access.redhat.com/arti... [redhat.com]

      Since it's GPL I suppose Redhat has already released the source code for their GPL-2 bash versions at the same time as the installable binary updates?

  • by evandyke ( 640670 ) on Saturday September 27, 2014 @07:49AM (#48008535)
    Stackexchange has a link for anyone who wants to patch their own servers... I've been following it here: http://apple.stackexchange.com... [stackexchange.com] I doubt we'll see a patch from apple until the community agrees that they have a working patch... sounds like they keep going down the rabbit hole right now; keep finding more issues. I upgraded my Lion Server with the current "official" patches, and also the "no function import" change. Better safe...
  • by staalmannen ( 1705340 ) on Saturday September 27, 2014 @07:58AM (#48008575)
    What Apple does (keeping an ancient non-gpl3 version of bash as primary shell) seems to be the worst possible solution. There are several powerful shells with liberal licences that would fit osx better: zsh (very powerful, globbing and spelling correction), mksh (light and fast but still full of features) or perhaps for the easy-to-use philosophy: fish. Osx already diverges significantly from other *nixes (case-insensitive, binary format, ...) so keeping bash for legacy support sounds strange - and if important they could just make it an optional install like in most BSDs...
    • by Anonymous Coward on Saturday September 27, 2014 @08:14AM (#48008619)

      Initial versions of OS X did come with zsh instead of bash, they only switched later (but before there was any talk of the GPLv3). The reason they switched was for compatibility, as many packages expect /bin/sh to be bash (yes, they're technically broken, but that doesn't help end users that want to use/compile them).

      • by Trepidity ( 597 )

        That's getting less common since Debian and Ubuntu no longer have bash as /bin/sh. There are still packages that expect that, but they now don't work on Debian, Ubuntu, or the BSDs, which starts to make it more likely the authors will care about fixing them.

    • by smash ( 1351 )
      I suspect the only reason apple currently uses bash as the default shell (it used to be plain sh from memory or csh) is that it makes it friendly to Linux users.
  • by raymorris ( 2726007 ) on Saturday September 27, 2014 @08:02AM (#48008587) Journal

    Some systems should be patched asap, of course, and we've patched our most critical systems. However, the bash team is still working out the best way to do a comprehensive fix, one that takes care of related issues as well as the initial exploit. As of Friday evening Red Hat and upstream bash were headed in two different directions. We'll be waiting until probably Monday evening to patch most of our systems, even the bash team decides what they're going to do and that gets implemented in rpms. It's not unreasonable for most OSX users to take care of it Monday or so, especially since most Macs don't have a public facing internet presence.

    If you're using OSX for an important public facing web server, you can update it today via ./configure; make; make install

    • by ls671 ( 1122017 )

      In the meantime, for those who care enough to already be running mod_security. All hits to our multiple web servers go through a mod_security reverse-proxy first:

      ## Bash attack

      SecRule REQUEST_HEADERS "^\(\) {" \
      "phase:1,deny,id:1000,t:urlDecode,status:403,log,msg:'CVE-2014-6271 - Bash Attack'"

      SecRule REQUEST_LINE "\(\) {" \
      "phase:1,deny,id:1001,status:403,log,msg:'CVE-2014-6271 - Bash Attack'"

      SecRule ARGS_NAMES "^\(\) {" \
      "phase:2,deny,id:1002,t:urlDecode,t:urlDecodeUni,status:403,log,msg:'CVE-2014-6271 -

  • by anynameleft ( 787817 ) on Saturday September 27, 2014 @08:24AM (#48008651)

    Once upon a time, I learnt that one should not make setuid-root sh scripts, exactly because the shell has so many unpredictable ways to make your script unsecure and because secure input validation inside shell scripts itself is nearly impossible. So why do we have the situation now, that internet services are calling bash scripts to run as root with data input from the internet without proper validation?

    In other words: It's no wonder that bash is still 'vulnerable' after two patches, because it isn't supposed to be used like this. And the remaining problems are not a bug in bash, but wrong usage of bash.

    • So why do we have the situation now, that internet services are calling bash scripts to run as root with data input from the internet without proper validation?

      Because everyone forgot how insecure unix-likes were when windows joined the internet.

      Take a look at the old CERT advisories and you will see exploit after exploit specifically via command-line shenanigans.

      • Because nobody remembers the days when UNIX was just as 'keep security out of the way of the user' as Windows was. Nobody remembers the good old days of sendmail happily handing root access for the asking. 'wizard', 'debug', etc. Nobody remembers that UNIX is 'MULTICS with most of the security stripped out.' UNIX as in eunuchs as in a castrated version of MULTICS.
        • At least. I remember the original "Morris worm" which took advantage of default setups that were wildly insecure by any modern standard.

    • Yes, it is a bug. The shell shouldn't be evaluating expressions inside a quoted (or unterminated for that matter) string.

      • The whole idea of inspecting the contents of arbitrary variables is a bug. Variables can contain any data the user chooses, and the fact that it happens to look like a function definition is none of the shell's business. Bash should have defined a single variable for the purpose in which all the function definitions are packaged up, or at least have defined a class of variables (e.g. BASH_FUNCTION_*) for the purpose.

    • by AqD ( 1885732 )

      It doesn't have to run as root. Even httpd user identity is powerful enough to call ps and check /tmp and all sorts of stuff for further discovery of vulnerability.

      While an ideal system provide several layers of security and prevention mechanism against exploits, the average web application developers are either idiots who are completely ignorant of security-related issues (ex: SQL injection) or underpaid labors who just don't give a shit about it (I did that too, blame the customers I don't care), and thei

    • I'd heartily agree with the above remarks.

      To be honest, using bash for running scripts, especially on something public-facing like a web server, is just driven by laziness and stupidity. Most scripts would run perfectly fine on a lightweight shell without all of bash's features.

      If you are talking an embedded system or even a dedicated server, I really don't understand why you'd want (or need) bash on your system at all. For that matter, for a lot of embedded systems I know there is no good reason to have a

  • by Anonymous Coward on Saturday September 27, 2014 @08:33AM (#48008677)

    The smartest thing to do right now is to not expose a buggy 25-year-old parser to any random person on the internet. Just disable function importing from the environment by default and put it behind a flag.

    Here is a BSD-licensed patch for it: http://seclists.org/oss-sec/20... [seclists.org]

    You're welcome.

  • Use Macports (Score:4, Insightful)

    by ugen ( 93902 ) on Saturday September 27, 2014 @09:07AM (#48008775)

    Macports updated their version of bash. Get macports here, if you don't already have them, and install bash: https://www.macports.org/
    Make sure to move their bash into /bin and remove original Mac binary.

    • by _xeno_ ( 155264 )

      Also make sure to remove /bin/sh, because (at least on my Mac, and I'm fairly certain I haven't screwed around with /bin) rather than have /bin/sh be a symlink or a hard link, /bin/sh is a copy of /bin/bash. Not sure why.
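
Added example (not part of any comment above, and not code from Apple, bash or MacPorts): a POSIX sh audit of the point made in the thread that what matters is which binary sits behind /bin/sh, including the case where /bin/sh is a plain copy of bash rather than a link. The function names and the `probe-clean` label are this example's own; the probe string is the one quoted earlier in the thread, and passing it covers only that first bug.

```shell
#!/bin/sh
# Added example: report which shell paths are really bash and whether they
# still run a command that trails a function definition in the environment.

# Print the bash version if "$1" is bash under any name, else print nothing.
# Asking the binary itself covers symlinks, hard links and plain copies,
# which a readlink or inode comparison would miss.
bash_version_of() {
    [ -x "$1" ] || return 0
    "$1" -c 'printf %s "${BASH_VERSION:-}"' 2>/dev/null || true
}

# Classify "$1" as one of: missing | not-bash | vulnerable | probe-clean
classify_shell() {
    [ -x "$1" ] || { echo missing; return 0; }
    ver=$(bash_version_of "$1")
    [ -n "$ver" ] || { echo not-bash; return 0; }
    # Same probe as in the thread: a function-shaped variable followed by a
    # command. A fixed bash ignores the trailing command; an unfixed one
    # prints "vulnerable" before running the requested 'echo test'.
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo test' 2>/dev/null) || true
    case $out in
        *vulnerable*) echo vulnerable ;;
        *)            echo probe-clean ;;  # only this one probe was checked
    esac
}

# One line per path: path, classification, bash version (empty if not bash).
audit() {
    for p in "$@"; do
        printf '%-12s %-12s %s\n' "$p" "$(classify_shell "$p")" "$(bash_version_of "$p")"
    done
}

# Check the system shell as well as bash itself: programs that shell out
# use /bin/sh regardless of the login shell of the user who started them.
audit /bin/sh /bin/bash
```

After replacing bash, run it again: a `/bin/sh` that still reports an old version is a leftover copy that the upgrade did not touch.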

  • Is it me, or am I the only one who used Homebrew to replace the installed version of bash?
