We have a couple of machines that are still running Snow Leopard, so the Apple patch won’t work. One option is to recompile bash and its patches from source, but why do that when I already have MacPorts on those machines.
Testing the vulnerabilities
From Stack Exchange, there are multiple vulnerabilities:
The first one is tested with this:
$env x='() { :;}; echo vulnerable' bash -c 'echo hello'
if the shell is vulnerable, it will echo vulnerable and hello. Otherwise it just echoes hello.
A second vulnerability is tested with
$env X='() { (a)=>\' sh -c "echo date"; cat echo
if you’re OK, you will see something like
date
cat: echo: No such file or directory
or
sh: X: line 0: syntax error near unexpected token `='
sh: X: line 0: `X () { (a)=>\'
sh: error importing function definition for `X'
date
cat: echo: No such file or directory
The important thing is that you don’t want to see an actual date and a file created called echo.
The third vulnerability redefines the ls command
$ env ls="() { echo 'Game over'; }" bash -c ls
Vulnerable systems will echo Game over.
Installing the fix
Getting it installed is easy after updating to the latest versions of the ports
sudo port selfupdate
sudo port upgrade outdated
sudo port install bash
But this only applies the MacPorts bash for the user. To make it the default, we have to make it the default shell for an intruder. To do this we need to edit /etc/shells to replace /bin/bash with /opt/local/bin/bash.
I think this is enough. But I still have some concerns. The bash version in MacPorts seems to be 4.3.28. Apple’s official release after the patch is 3.2.53 (apparently this is equivalent to 3.2.54 in terms of patches). The MacPorts version is still vulnerable to the second problem. I’ll be watching MacPorts for updates, but I am also looking at whether the machines, which are too old for Mavericks, can be updated to Lion or Mountain Lion.
Update: MacPorts pushed another bash update over the weekend