Little T in the Cog apple

Fix for Shell Shock on OS X 10.5 Leopard

2014-09-26

The Shell Shock bash vulnerability that has been doing the rounds lately will never be patched on OS X Leopard as it is simply too old. Luckily Matt White has posted a fix for Debian Lenny and as Leopard and Lenny use the same version of Bash (3.2) the same fix can be applied. I've tweaked his update script for Os X (as by default there is no "wget" or "seq" (sequence) so simply download it from here, mark it executable (chmod +x) and run it to upgrade the version installed to 3.2.54 which includes the needed patch. Your old version will be saved as /bin/bash.broken and the new version will be installed into /usr/local/bin/bash and a symlink created from /bin/bash to it Updated: The script now simply overwrites the old version as having it hanging around could be considered dangerous. If you want to keep a copy then you'll need to manually copy it somewhere safe (eg /var/root/). The script also now removes /bin/sh and creates a symlink to /bin/bash. Once installed simply log out and back in again and you'll be using the new version, and any CGI-BIN scripts you use will also be safe (well, at least from that bug!).

Happy patching and let's hope that it is a long time before a vulnerability like that crops up again.

UPDATE: A few people have asked if they can have a copy of the binary as they don't have the build tools installed. The latest version can be downloaded from here (PPC ONLY! I don't have an Intel install of 10.5 sorry), once downloaded you'll need to mark it executable and copy it to /bin/bash

UPDATE 2: I've just had pointed out to me that /bin/sh on Leopard is actually a copy of /bin/bash, not a symlink so calling /bin/sh will still leave your system vulnerable. To get around this either copy /bin/bash to /bin/sh or better yet symlink /bin/bash to /bin/sh so updates to bash will also result in /bin/sh being updated. Finally, I've changed the script to simply replace /bin/bash rather than install into /usr/local/bin/bash and symlink.

UPDATE 3: And another patch is out - binary has been updated and is available here or for those with the build tools installed you can compile from source using this script. Hopefully this is the last for a while as it addresses all currently outstanding CVEs.