I love my Apple to bits. My writing, teaching, coding, graphing, and playing are all done on a MacBookPro with two Intel 2.4 GHz processors running OS X 10.5.8 called "Leopard." It was the up-to-date operating system from 2006-2009 and I never saw the need to change, as I was too lazy to fix something that is not broken. Until today, when I learnt of a vulnerability deep inside the guts of my beloved Unix machine.
- Waiting for the train to Seattle, WA in San Luis Obispo, CA.
- Working in the garden at home. I recall this vividly as I was crafting an e-mail to Dr. Preben Gudmansen in Denmark preparing for field work near Hans Island.
- Work space at my brother's in Diez, Germany, just before heading to board R/V Polarstern in May 2014.
For over 5 years this laptop has been running non-stop doing scientific computing on huge amounts of ice, ocean, and satellite data. It is this Unix environment that I cherish as it is open, transparent, elegant, and concise. It also allows me to use unlimited codes and tools of many open-source communities. My Apple also traveled with me on ships and planes to Arctic Canada, Greenland, Norway, Germany, and anywhere in-between. It travels daily on my bicycle from home to work and back.
- Working the Night shift aboard CCGS Henry Larsen in the CTD van in Aug.-2012. [Photo Credit: Renske Gelderloos]
- Living and work space aboard CCGS Henry Larsen in Aug.-2009.
- Living quarters aboard R/V Polarstern in June 2014.
Today I was worried when my student Pat told me about Shellshock, a bug in bash that can hand control of the machine to a hostile party who knows how to exploit it, and for which Apple had not yet released a patch. So, did I have a problem? You bet.
STEP-0: From a terminal I entered the command
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the word "vulnerable" appears above "this is a test", then the bug (CVE-2014-6271) is present; a fixed bash prints only the second line. Also check the second flavor of the bug (CVE-2014-7169, which survived the first patch) by entering the command
env X='() { (a)=>\' bash -c "echo date"; cat echo; rm -f echo
A fixed bash simply prints the word "date", and cat complains that there is no file called echo. A buggy bash prints nothing from the first command but leaves a file named echo in the current directory that contains the actual date, which cat then displays; the rm -f at the end cleans that file up. Here is how I fixed it on my laptop and on the MacMini that hosts my work web pages.
STEP-1: I took this technical recipe, but not all elements worked for me:
$ mkdir bash-fix
$ cd bash-fix
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
The above line failed me, but adding the option -k made curl download the needed files from apple.com; the same was true for the two other curl commands below that fetch the patches from gnu.org. Be aware of what -k does: it tells curl not to verify the server's TLS certificate at all, so anyone sitting between you and the server could hand you altered sources or patches. GNU publishes a detached signature next to each patch (bash32-052.sig and so on, in the same directory), and checking those with gpg before piping a patch into patch is the careful way to do it. The two patch commands apply GNU's fixes 052 (for CVE-2014-6271) and 053 (for CVE-2014-7169) to the bash-3.2 sources downloaded from apple.com just before.
$ curl -k https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
$ cd bash-92/bash-3.2
$ curl -k https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
$ curl -k https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
$ cd ..
$ sudo xcodebuild
STEP-2: The above line "sudo xcodebuild" did not work for me for reasons I do not understand. I realized, however, that it was supposed to compile the patched code to produce new executables "bash" and "sh" free of the bug. I searched for and found the code-building application XCode.app on my computer as /Developer/Application/XCode.app and started it by point and click. Then via File > Open File I found the relevant "project file" bash.xcodeproj in the directory created previously, that is, bash-fix/bash-92, and opened it within XCode.app. Hit the button with the hammer called "Build and Go" and you build yourself a new bash.
STEP-3: Once the compilation and building of the executables is complete, all that remained was to move the newly created, patched shells "bash" and "sh" into their rightful places deep within the guts of the operating system. First, however, let's save the buggy old files. From the command line
$ sudo cp /bin/bash /bin/bash.old
$ sudo cp /bin/sh /bin/sh.old
and as the last step copy the new, patched "bash" and "sh" into the root directory /bin:
$ sudo cp build/Release/bash /bin/.
$ sudo cp build/Release/sh /bin/.
I moved the binaries "bash" and "sh" to my web-hosting MacMini the same way, after renaming the old buggy ones, and as good practice (short of deleting those old system files) I changed their permission settings. Copying over the existing /bin/bash and /bin/sh keeps their current owner and mode, but it costs nothing to confirm that with ls -l and to rerun the two STEP-0 tests against the installed binaries: a copy that landed in the wrong place leaves the old bash quietly in service. Note that /bin/sh on OS X is a second binary built from the same project, which is why both have to be replaced.
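As an added example that is not part of the original post, here is the check-then-install part of the recipe as a POSIX shell script. It packages the two STEP-0 probes into functions, runs the second probe in a scratch directory so the stray file named echo cannot land anywhere that matters, and refuses to install a rebuilt bash or sh that still fails either probe. The candidate path (build/Release/bash from the Xcode build), the target directory, the explicit 0755 mode and the chmod 000 on the saved .old copy are my assumptions; the post does not say which permissions it changed. Run it as root (sudo) when the target is /bin.

```shell
#!/bin/sh
# Added example, not from the original post. Probes a bash binary for the two
# Shellshock bugs tested by hand above, then installs a rebuilt shell only if
# it passes. Assumes a POSIX sh, a candidate such as build/Release/bash, and a
# target directory (/bin on the real system, run as root; any scratch
# directory for a dry run).

# CVE-2014-6271: the text after the function body of an exported variable is
# executed when bash starts. Returns 0 if "$1" is vulnerable, 1 if it is not.
probe_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) return 0 ;;
        *) return 1 ;;
    esac
}

# CVE-2014-7169: parser state leaks out of the function import, so the next
# word becomes a redirection and a file named "echo" (holding the date) shows
# up in the current directory. Run it in a scratch directory so that file
# lands nowhere important. Returns 0 if vulnerable, 1 if not.
probe_7169() {
    scratch=$(mktemp -d) || return 2
    ( cd "$scratch" && env X='() { (a)=>\' "$1" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$scratch/echo" ]; then
        rm -rf "$scratch"
        return 0
    fi
    rm -rf "$scratch"
    return 1
}

# Prints "patched", or "VULNERABLE:" followed by the CVEs "$1" still has.
shellshock_status() {
    found=""
    probe_6271 "$1" && found="$found CVE-2014-6271"
    probe_7169 "$1" && found="$found CVE-2014-7169"
    if [ -z "$found" ]; then
        echo patched
    else
        echo "VULNERABLE:$found"
    fi
}

# install_shell CANDIDATE TARGET_DIR NAME: keep the old binary as NAME.old,
# refuse a candidate that still fails the probes, stage the new file with an
# explicit mode (0755, my choice) instead of whatever the build directory left
# on it, and rename it into place. The rename is atomic, so a shell started
# while the copy is in progress never sees a half-written /bin/sh.
install_shell() {
    candidate="$1"; target="$2"; name="$3"
    [ -x "$candidate" ] || { echo "no executable at $candidate" >&2; return 1; }
    if [ "$(shellshock_status "$candidate")" != patched ]; then
        echo "$candidate still fails the Shellshock probes, not installing" >&2
        return 1
    fi
    if [ -e "$target/$name" ]; then
        cp -p "$target/$name" "$target/$name.old" || return 1
        # assumption: keep the buggy copy for reference, but make it unrunnable
        chmod 000 "$target/$name.old"
    fi
    cp "$candidate" "$target/$name.new" \
        && chmod 0755 "$target/$name.new" \
        && mv -f "$target/$name.new" "$target/$name"
}

# Typical use after the Xcode build, as root, from the bash-fix/bash-92 directory:
#   shellshock_status /bin/bash            # what is installed right now
#   install_shell build/Release/bash /bin bash
#   install_shell build/Release/sh   /bin sh
#   shellshock_status /bin/bash; shellshock_status /bin/sh   # both should say patched
```

The install step re-runs the probes against the candidate rather than trusting the build, which catches a build that silently picked up the unpatched sources (or the wrong bash.xcodeproj), and running the status function against /bin/bash and /bin/sh afterwards is the only proof that the copy actually landed where the system looks for it.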
Credit for this way to reduce a vulnerability on my dear machine belongs to this concise blog post, whose content is also presented elsewhere in a chattier voice. Wired Magazine adds a little drama in its story titled "The Internet Braces for the Crazy Shellshock Worm," but it took me longer to write and assemble this essay than it did to patch the bug.
Unix is fun to hack.
— Eric S. Raymond
Unix is not so much an operating system as an oral history.
— Neal Stephenson
ADDENDUM Sept.-28, 2014: A quick online test for vulnerable web sites and CGI scripts.
ADDENDUM Jan.-6, 2015: I apparently missed three more bash vulnerabilities that the two tests above do not check for; see, e.g., http://tenfourfox.blogspot.com/2014/09/bashing-bash-one-more-time-updated.html