Every Mac Is Vulnerable to the Shellshock Bash Exploit: Here's How to Patch OS X

Heartbleed, move over. There's a new bug in town, and this time it's also affecting Mac and Linux computers. It's called Shellshock (its original official title is CVE-2014-6271), and it currently has a 10 out of 10 severity rating over at the National Cyber Awareness System. While some updates have been issued to fix this bug, they were incomplete, and your system is probably still vulnerable, as it probably has been for the last 20 years.

First Update - 9/26/2014 (Bash Version 3.2.53)

A new patch addresses an additional attack vector known as CVE-2014-7169.

Second Update - 9/29/2014 (Bash Version 3.2.53)

Apple released an "official" bash update today, and the process is much simpler than our manual instructions below: just download the .dmg, open the .pkg file, and use their Installer tool. There are no Terminal commands or anything.

We've just found out that Apple's patch, while it's listed as bash version 3.2.53, patches the first two initial vulnerabilities and the subsequent ones (see "Third Update" below for info on subsequent exploits).

If you're using Yosemite or a system older than Lion, please proceed with our instructions below on manually updating to bash version 3.2.57 using Terminal. Otherwise, Apple's 3.2.53 patch will secure you from most known vulnerabilities; you can download it directly from Apple for:

Installing this version will overwrite any changes you made manually when using our guide before—it just replaces the files.

Again, if you're on Yosemite, or a version of OS X that's older than Lion, keep reading to see how to manually patch bash for OS X.

Third Update - 10/08/2014 (Bash Version 3.2.57)

Several new vulnerabilities have been reported in the weeks following the shellshock discovery. While these are more difficult to exploit as they involve a memory overflow, it would be wise to patch them, too. We've updated our instructions below to include the newest patch.

If you followed these instructions before 10:00 a.m. PDT on October 8th, 2014, please delete your bash-fix directory (you can find it in Users -> Username via the Finder) and follow all of the steps below again (starting with Step #1) to ensure that your system is fully patched. If you did not already update manually, then do not delete the bash-fix directory (you probably don't even have one).

If you updated using Apple's patch listed above, you do not need to manually update.

What Is Bash?

Bash is a command-line shell used in many Linux- and Unix-based operating systems, including Mac OS X. If bash is the default system shell on your computer, it can be used by remote hackers for network-based attacks. With a simple script, a hacker can launch programs or enable features on your computer without any passwords needed and without your knowledge. They could access your files, copy confidential information, delete data, run programs, and more.

While the likelihood of your personal Mac being targeted by an attack is relatively small, it's still a big issue that will hopefully get a real and working patch soon. Until then, there are a few things you can do.

Testing for Vulnerability #1

In a Terminal window, type the following command into the shell, followed by the Enter key. Terminal can be found in Utilities in your Applications folder, or via a quick Spotlight search.

  • env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

The Good Result

If your system is not vulnerable to the Shellshock bug, it will return something similar to the below output.

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

The Bad Result

If your system is indeed vulnerable to Shellshock, you'll see the following instead.

vulnerable
this is a test

Testing for Vulnerability #2 (Added 9/26/2014)

If you pass the first test, use the following test to see if you're vulnerable from the second attack vector, which was discovered on Thursday.

  • env X='() { (a)=>\' bash -c "echo date"; cat echo; rm -f echo

The Good Result

If your system is fine, you'll see something like the following (without any printout of the current date and time).

date
cat: echo: No such file or directory

The Bad Result

If your system is indeed vulnerable to the second attack vector, you'll see the following instead.

date
<The Current Date and Time>
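
The two tests above as a script, added here as an example and not part of the original article: it decides from what the shell actually did rather than from the warning text (later patch levels print only "this is a test", with no warning), and it runs the second test in a scratch directory so no stray "echo" file is left behind. The function names are made up for this example, and it expects the absolute path of the shell to test; the variable value has to begin with "() {" with exactly that spacing, or an unpatched bash treats it as an ordinary string and the test proves nothing.

```shell
#!/bin/sh
# Added example, not from the article. Function names are made up here.
# Usage: sh shellshock_check.sh /bin/bash

# Test #1 (CVE-2014-6271): commands placed after a function body in an
# environment variable run when the shell starts.
# Prints one word: vulnerable | ok | error
check_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null)
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$out" | grep -qx 'this is a test'; then
        echo ok      # patched, with or without the "ignoring function" warning
    else
        echo error   # the test command did not run; nothing can be concluded
    fi
}

# Test #2 (CVE-2014-7169): a vulnerable shell turns "echo date" into
# "date > echo", creating a file named "echo" in the current directory.
# Prints one word: vulnerable | ok | error
check_7169() {
    work=$(mktemp -d) || { echo error; return; }
    # Only the side effect matters, so output and exit status are ignored.
    ( cd "$work" && env X='() { (a)=>\' "$1" -c 'echo date' >/dev/null 2>&1 ) || :
    if [ -e "$work/echo" ]; then result=vulnerable; else result=ok; fi
    rm -rf "$work"
    echo "$result"
}

# Runs both tests against one shell. Returns 0 only if both say "ok",
# 1 if either test fires, 2 if the shell could not be run at all.
shellshock_status() {
    shell=$1
    case $shell in
        /*) ;;
        *) echo "error: give the absolute path of the shell" >&2; return 2 ;;
    esac
    if ! "$shell" -c 'exit 0' 2>/dev/null; then
        echo "error: cannot run $shell" >&2
        return 2
    fi
    r1=$(check_6271 "$shell")
    r2=$(check_7169 "$shell")
    echo "CVE-2014-6271=$r1 CVE-2014-7169=$r2"
    [ "$r1" = ok ] && [ "$r2" = ok ]
}

# Run the checks only when a shell path is given on the command line.
if [ "$#" -gt 0 ]; then
    shellshock_status "$1"
fi
```

Run it against /bin/bash and /bin/sh separately, since the guide replaces both files.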

Testing for Vulnerability #3/4 (Added 9/29/2014)

There are no tests yet to check for these new vulnerabilities. Just follow the instructions below to update again and you should be in the clear.

Is There an Update Yet?

Many Linux distros have already released patches for Shellshock (though they were mostly incomplete), but Mac OS X has not received anything yet, and Apple hasn't even commented on the issue. There was a recent 10.9.5 update for Mavericks, but it has nothing pertaining to this issue.

If you're worried, though, there is a way to manually update your GNU bash version to a more secure one, thanks to some users over at StackExchange.

Check Your Current Bash Version

To see what version of bash you have installed on your Mac, enter the following command (followed by the Enter key) into the shell in a Terminal window.

  • bash --version

If you get GNU bash, version 3.2.51(1)-release, then you'll want to manually update to the newest version of bash 3.2, which is 3.2.57. Also, if you've already used this guide to update to 3.2.52(1)-release or 3.2.53(1)-release, then you'll want to perform everything below again to make sure you're fully protected.

There are newer versions of bash out there, but Mac OS X runs off the 3.2 branch. If you're using Linux, you'll want to make sure the patch you download matches the version of bash you're using. The latest patches for all major versions of bash (including 3.0, 3.1, 3.2, 4.0, 4.1, 4.2, and 4.3) can be found here.

Manually Updating Bash - Initial Requirements

You can manually compile the newest bash version (3.2.57) using the below instructions, but you have to have Apple's Xcode installed on your Mac for this to work. If you don't have it, follow the instructions in the Prerequisite Check section below.

If you don't want to update bash, there is a workaround provided by Red Hat, but it hasn't been tested fully, so I wouldn't recommend it.

Prerequisite Check

You'll need to make sure you have Xcode installed, and have agreed to Apple's terms. For older Macs, you'll also need to make sure you have all the command line tools.

You can download Xcode for free from the Mac App Store.

If you're on an older version of Mac OS X and Xcode isn't available for you in the Mac App Store, you can download older versions by searching for the proper version number after logging into Apple's developer portal here with your Apple ID. If you're on Mac OS X 10.7 or 10.8, search for "Xcode 4.6.3" in the Downloads for Apple Developers search box on the left side of the page.

Once you've installed Xcode, launch it from your Applications folder and agree to Apple's license agreement (the initial launch may take a while). After that, you'll want to confirm that you have all of the command line tools. To do so, do the following:

  1. With Xcode open, click the Xcode menu in your top menu bar.
  2. Click Preferences.
  3. Click the Downloads tab.
  4. Click Install next to the Command Line Tools in the list of downloads.

Note: If you don't see "Command Line Tools" in the downloads tab, then that means you've already got them and are ready to go!

Once done, you have everything you need to patch your system.

Step 1: Download & Compile the Patches

Once you've confirmed you have Xcode installed, open Terminal again and enter the following commands. Each bullet point is one command, so make sure you copy the full line in each bullet point (minus the bullet, of course).

This process may take a while, and you'll see a lot of text appearing in the Terminal window. It's just Xcode compiling the new version of bash on your system. Once it's done, it'll say “BUILD SUCCEEDED” and you'll see a Terminal prompt again.

Step 2: Back Up Your Current Version (Just in Case)

Just in case something goes wrong, it's a good idea to back up your current version of bash. That said, if you already did this step in a previous attempt to patch your system, you can skip it as you already have a backup. You can do so by entering the following two commands in Terminal.

Note that you'll likely be prompted for a password when doing this step. If so, use the same password you use to log in to your Mac. You will not see your password in Terminal as you type, so it may take you a few attempts if you have a complicated password.

  • sudo cp /bin/bash /bin/bash.old
  • sudo cp /bin/sh /bin/sh.old

You won't see any confirmation, but it'll work, and if something goes wrong after Step #5 below, you can get back your old un-patched version of bash by reversing the above copy commands, to copy the ".old" copies back over their original files (without the ".old" part).

Step 3: Verify the Version of Your New Build

Enter the following commands in Terminal to verify you've got the new version of the bash build on your computer.

  • build/Release/bash --version
  • build/Release/sh --version

The output of these commands should confirm for you that the build version of bash is 3.2.57(1)-release.

Step 4: Replace Your Old Bash with the Patched Version

Almost done. You just have to copy the new version of bash over your old version. Do so with the following Terminal commands.

  • sudo cp build/Release/bash /bin
  • sudo cp build/Release/sh /bin

If you want to verify that you have the newest version as your default bash, just run the check bash version command again.

  • bash --version
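
Steps 2 through 4 as one guarded routine, added here as an example and not taken from the article: it refuses to install anything that does not report 3.2.57(1)-release, keeps an existing .old backup instead of overwriting it on a second run, and, as an addition the article does not make, removes the execute bit from the unpatched backups. The function names and the two directory arguments are assumptions of this example; for the article's layout they would be build/Release and /bin, run with sudo.

```shell
#!/bin/sh
# Added example, not from the article. Function names and the two directory
# parameters are made up here.
# Usage: sudo sh install_patched.sh build/Release /bin

EXPECTED_VERSION='3.2.57(1)-release'   # the version Step 3 tells you to expect

# Succeeds only if "<file> --version" reports the expected patched version.
is_expected_build() {
    "$1" --version 2>/dev/null | head -n 1 | grep -F -q "version $EXPECTED_VERSION"
}

# install_patched_shells BUILD_DIR DEST_DIR
install_patched_shells() {
    build_dir=$1
    dest_dir=$2

    # Step 3 as a gate: check both new binaries before touching anything.
    for name in bash sh; do
        if ! is_expected_build "$build_dir/$name"; then
            echo "refusing: $build_dir/$name is not $EXPECTED_VERSION" >&2
            return 1
        fi
    done

    for name in bash sh; do
        # Step 2: back up once. If a .old file already exists it is the real
        # original from an earlier run, so it must not be overwritten.
        if [ ! -e "$dest_dir/$name.old" ]; then
            cp -p "$dest_dir/$name" "$dest_dir/$name.old" || return 1
        fi

        # Not in the article: the backup is still the unpatched shell, so
        # drop its execute bit to keep it from being run by path.
        chmod a-x "$dest_dir/$name.old" || return 1

        # Step 4: copy the new build over the old file.
        cp "$build_dir/$name" "$dest_dir/$name" || return 1
    done

    # Same check the article does with "bash --version", for both files.
    is_expected_build "$dest_dir/bash" && is_expected_build "$dest_dir/sh"
}

# Run only when both directories are given on the command line.
if [ "$#" -eq 2 ]; then
    install_patched_shells "$1" "$2"
fi
```

Copying a .old file back over its original still restores a working shell, because cp onto an existing file keeps that file's permissions.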

And that's it. Now just try out the test again and if it comes back with the good result (i.e., not the one that says "vulnerable"), then you're golden.

  • env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

And run the second test to confirm the current date and time don't print out:

  • env X='() { (a)=>\' bash -c "echo date"; cat echo; rm -f echo

If the date does print out again, first check your user home directory to see if a file called "echo" was created when you ran the test the first time. If so, delete it and run the test again. If the date still prints out, chances are you missed part of the updated Step #1 above. If you ever think you might have messed up a command, you can always start over by deleting your bash-fix folder and starting again from Step #1. Also note that you can delete the bash-fix folder if you're all good, too, because it's just a temporary folder.

For Homebrew or Macports Users

If you use Homebrew or Macports, you can get instructions on updating bash over at StackExchange.


Join the Discussion

2

I ran through your walkthrough and I get down to the part where I put in, xcodebuild. It told me to do sudo, then agree etc. I then run it again and it gives me this:

* BUILD FAILED *

The following build commands failed:
PhaseScriptExecution ostype.h build/bash.build/Release/ostype.h.build/Script-59DC3C521120DC9C00B033EC.sh
(1 failure)

1 year ago
2

Good news is nothing you did can't be reversed. Sounds like super user permissions may have timed out mid-build and that screwed things up. You can start over by deleting your bash-fix folder (it'll be in your user account's home directory... you should be able to find that in finder) and then open a new terminal window and follow the instructions from the beginning, with just one change... Since some part of the build needs su permissions on your system, when you get to the xcodebuild command, type sudo xcodebuild instead and enter your password when prompted.

If that doesn't work, let us know what version of OS X you're using, along with what you see when you type bash --version.

1 year ago - edited 1 year ago
1

Thanks for the fast reply, I tried again and it did not work.

I am running OSX 10.9.1
and my bash is: GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)

1 year ago
1

If you downloaded Xcode specifically for this purpose, have you tried opening it first to make sure it's correctly installed? I believe you have to enter in your admin password after installing and opening Xcode for the first time.

1 year ago
1

Yeah I had used it briefly for another project, and I've opened it again just now to triple check. Sadly nothing new haha

1 year ago
2

Hmm. I'm not certain what's causing it to error out. You might try downloading the latest version of Xcode, but I'm not sure that'll work either. You may need to wait for Apple's official patch to come out. That said, in order for this exploit to affect you, you'd have to be running a service that accepts external connections (such as ssh, telnet, or a web server), or install an app that's malicious (or accepts external connections), so it's unlikely a Mac used at home for say, browsing the web and checking email, will be targeted. If you do run any servers, killing them for now would be prudent, but otherwise, just don't install any new apps you're not sure you can trust for the time being. As this is a very high profile bug, I suspect Apple will release an official patch soon.

1 year ago
2

I had the same error. If I am not too tired and I am looking at this correctly, my problem was due to the fact that I installed an SSD in my optical drive bay and setup as my main drive (original internal HDD) as a secondary drive. After installation, I moved all of my non-essential OS folders to the secondary drive and updated the links in the OS to point to the SSD when appropriate and the HDD when appropriate.

The build would not compile correctly because the folders were being made in my user folder on the secondary drive while the "cd .." was going to the root for the SSD drive — at least this is far as I can surmise. Here is what I changed to get it to work:

cd /Users/Shared
mkdir bash-fix
cd /Users/Shared/bash-fix
curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
cd /Users/Shared/bash-fix/bash-92/bash-3.2
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
cd ..
xcodebuild

That worked with no errors for my personal Mac at home after not working the first three times. My Mac at the office, which has the original build as far as drives, worked with the suggested commands in the article. Hope that helps.

1 year ago
1

Hi Dylan,

I was able to find an older mac and replicate your issue. The problem is you're missing some dependencies. I've updated the article with a new section called "Prerequisite Check". Just delete your bash-fix folder and follow the steps in the article to download the missing command line tools. Once done, start from step 1 again and all should work (at least it did for me on my system).

1 year ago
1

Have you updated Xcode lately and not opened the application to accept the license agreement? That's what happened to me. Just had to open Xcode, accept the license, let it load, then close and retry the xcodebuild command.

1 year ago
1

So is there a way to see if it actually fixed it? I built and verified the new version. However, when I copy paste the code at the top, it still outputs, "this is a test"

1 year ago
5

Try this:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

1 year ago
1

I'm a bash newbie. Anyone mind explaining the elements of this test script and how its able to test for the vulnerability? Thanks!

1 year ago
1

Just found a blog on the AskUbuntu site that explained it. It's so simple, it went over my head when first looking at it. Scary!

"It simply sets the environment variable called x to the value () { :;}; echo vulnerable. It then invokes bash asking it to echo back the word hello. The value of x that is set is a function definition that should do nothing. However, it is crafted to try to run 'echo vulnerable' at parsing of environment at bash start-up, which just prints vulnerable to standard out."

1 year ago
2

When it says "this is a test" without saying "vulnerable" first, that means you're good! At least for this exploit. There is buzz around another related exploit that has not yet been patched. We'll be updating this article once the new patch is released.

1 year ago
1

Ahh, okay. I was thinking that it needed to show the warning and error in order for it to be working. Thank you for the clarification.

1 year ago
1

Just as an FYI - If you mistype the env command (like, say you forget the space between the right paren and the left curly) it will just do the echo this is a test part because the syntax to set the environment variable is incorrect. So if it just prints "this is a test" it means you typed it wrong. The ONLY indicator of the patch working is the full error message as noted elsewhere in this thread.

1 year ago
1

I'm pretty sure I'm not mistyping it. I copy-pasted it from above and I also typed it myself. This is Terminal's output.

Imgur(http://i.imgur.com/oiBVdXs.png)

1 year ago
1

Interesting stuff, but a little confusing for this almost illiterate Mac user.
(OSX 10.6.8; cannot upgrade due to hardware limits).
When I go and try to download Xcode, I seem to be able to find only something that is compatible with 10.9.4 or later.
How do I get around that?

PS we old version users seem to be left out in the cold quite a lot, I find.
Help appreciated!

1 year ago
2

If you still have the Snow Leopard installed DVDs, I believe Xcode can be installed from the "Optional Installs" folder on the disc, and then you can use Software Update to make sure you have the latest version for your system. Otherwise, you might need access to the Apple Developer site, if they even have older versions there.

1 year ago
2

Thanks Justin. That's sound advice: the disk does contain Xcode.

One more issue: you all seem to talk about much newer versions of Bash. Mine is GNU bash, version 3.2.48(1)-release (x86_64-apple-darwin10.0)

Can I upgrade 48 to 52, or is that too big a step, or are there perhaps other hardware issues involved? As you see: nitwit here. Sorry.

1 year ago
2

I don't have a system like yours to test on, but it should work... There's no harm in giving it a try. Worst case scenario, you'll have a few extra files in a folder that you can just delete (this won't break anything). Just make sure to stop if you do get an error and report back.

1 year ago
1

I've just updated my 10.6.8 with bash version 3.2.48(1) to 52 and all is working fine. Thanks for the patch info btw!

1 year ago
1

the first download from opensource.apple wouldn't work, so i did the download via http, then did a mv to the bash-fix directory. when i run the second curl command from gnu.org the process stops and asks for "File to patch:"

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3250 100 3250 0 0 3636 0 --:--:-- --:--:-- --:--:-- 3639
can't find file to patch at input line 20
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
| BASH PATCH REPORT
| =================
|
|Bash-Release: 3.2
|Patch-ID: bash32-052
|
|Bug-Reported-by: Stephane Chazelas <stephane.chazelas@gmail.com>
|Bug-Reference-ID:
|Bug-Reference-URL:
|
|Bug-Description:
|
|Under certain circumstances, bash will execute user code while processing the
|environment for exported function definitions.
|
|Patch (apply with `patch -p0'):
|
|* ../bash-3.2.51/builtins/common.h 2006-03-06 09:38:44.000000000 -0500
|--- builtins/common.h 2014-09-16 19:08:02.000000000 -0400
--------------------------
File to patch:

I've already done the cp of my existing bash directories.

running 10.9.5

thanks in advance

1 year ago - edited 1 year ago
2

If you downloaded the tarball directly, make sure to untar it first. In Terminal, make sure you're in the same directory as the .tar.gz file and type:

  • tar -zxf bash-92.tar.gz

That will untar it. Then cd into the untarred directory with:

  • cd bash-92/bash-3.2

...and follow the rest of the instructions from there (starting with the 2nd curl command).

1 year ago
3

I've specifically created an account to thank you Justin for this article :)

1 year ago
1

hi,
I'm trying to do this patch now, and when I got to: xcodebuild
I got a message: Agreeing to the Xcode/iOS license requires admin privileges, please re-run as root via sudo.
I have no idea what that means. I am the admin on this Mac.
Thanks for your help!

1 year ago
2

Open Xcode from your Applications folder first. The initial open will require you to enter your password and agree to Apple's terms of service. Once you've done that, you should be able to start over.

1 year ago
2

(When I first tried
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
I got:
vulnerable
hello
After manually updating bash I got:
vulnerable
this is a test
even though it said that the build had succeeded earlier on....
So... what do I do now?)

EDIT: realised I had used "echo hello" when checking the first time, my bad.

1 year ago - edited 1 year ago
2

Either the exploited environment variable string is still set, or something was missed and your old version of bash wasn't replaced with the newly compiled version. Try the following:

  1. Fully Quit Terminal (Press Command+Q)
  2. Re-open Terminal and type bash --version

What version does it say you're running? If the new version, re-run the test. What is the output?

1 year ago - edited 1 year ago
1

Okay, well it seems the old version of bash wasn't replaced properly. But now everything is sorted. Great! Thank you for replying - you just earned yourself a bunch of karma points! :)

1 year ago
1

Same problem here! Completed all steps no errors. Bash version still 3.2.51(1)

1 year ago
2

Please confirm you ran the following two commands at the end to copy over your old versions of bash and sh:

  • sudo cp build/Release/bash /bin
  • sudo cp build/Release/sh /bin

If so, what version of OS X are you on? I'm wondering if the bash binaries are in a different place.

1 year ago
1

Hey so I went through the whole thing and ran "sudo cp build/Release/bash /bin" and I'm still running the 3.2.51(1) version.

I am running Maverick on a late 2008 macbook pro

1 year ago
1

While trying the first curl command I got this:

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

With a lot of other text after it. Is it ok to use it without the SSL certificate? Something to fix this part of the fix?

1 year ago
1

Make sure your system clock is set to the current date and time, run apple's check for system updates and install any available, then try again.

1 year ago
1

Not interested in updating to Mavericks or Yosemite, just want to fix the Bash bug.

Will check to make sure system time isn't an issue, but any way around the SSL issue otherwise?

1 year ago
1

You can download the files manually (that's all curl does), but you'll have to do the untar and patch commands separately. Should go something like this:

  1. Download the bash-92.tar.gz file manually (using a web browser) and save it to your bash-fix folder.
  2. untar it with the following command: tar -zxf bash-92.tar.gz
  3. move into that directory: cd bash-92/bash-3.2
  4. Download the bash32-052 patch file manually and save it to the bash-3.2 folder
  5. Patch it with the following command: cat bash32-052.txt | patch -p0
  6. Follow the rest of the steps above starting with cd.. in step 1.

1 year ago - edited 1 year ago
1

The patch -p0 bash32-052 command seems to be taking a while with no output (the prompt is on a newline, process still seems to be running, but no output in about 5+ minutes) is this normal or am I missing some argument in the patch command?

Sorry for number of questions, these are just areas of OS X I don't usually deal with so don't know what to expect.

1 year ago
1

Should be immediate, with output for each file patched. If the prompt is on a new line, you're probably ready to go on to the next step.

1 year ago - edited 1 year ago
1

on a new line, but like it's working (ie not accepting input or acting like the command didn't get all the input). I should say the cursor is on a new line, but there is no prompt so patch is still running (or waiting for some more input)

1 year ago
1

Ah. I see. I think OS X may add ".txt" to the end of the patch file when downloading manually. If you still have that terminal window open, press Ctrl+C to cancel. Then enter the following command:

  • cat bash32-052.txt | patch -p0

Then pick up from the "cd.." part of step 1...

I've updated my comment above to reflect this.

1 year ago
2

Use curl with "--insecure" flag. That should resolve your SSL issue.

1 year ago
3

For those receiving the "Build Failed" message. You may need to 'sudo' the xcodebuild command.

1 year ago
1

ran thru the alternative step listed above since I can't upgrade to the latest Maverick's release due to incompat issues with existing tools I need, but I was able to patch my 10.9.2 system - it worked.

But with my 10.8.5 system, it failed.

Wants XCode path, looking for Xcode5 DMG, no longer available on Apple public website, and don't have access to Apple Developer site. Any pointers where I can get it from?

Crunchy

1 year ago
1

Hmm. Did you already try getting it from the Mac App Store? For older versions of OS X, you should be able to install an older version of Xcode from an older Mac Recovery DVD as Justin noted above. That said, I can't remember if 10.8 even came with a recovery disc. Hopefully you have one lying around somewhere from an older version of OS X (10.7 maybe?). If not, downloading Xcode from anyone other than apple is risky business. Riskier I think than leaving it unpatched for now (assuming it's not set up as a web server of sorts). Maybe best for you to keep any servers off on that system until Apple releases an official patch.

1 year ago
1

Thanks for the well-presented how-to.

I have a number of Mac's running pretty much either 10.8.5 or 10.9.x. They consist of different hardware - Air's, Book Pro's, Pro's - all within the last year, but some significant hardware version changes (especially the NEW Pro's).

Can I build a single new bash and sh on one machine and copy it to the others?

1 year ago
1

Actually, that should work since we're compiling completely from newly downloaded source code. That said, I'd be sure to make a backup of each original bash & sh file before overwriting them (ex: following Step 2 for each machine).

1 year ago
2

Thanks for the great How-To!

1 year ago - edited 1 year ago
1

I am having a problem running the 2nd curl command:

davids-imac:bash-3.2 daviddrollinger$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:01:33 --:--:-- 0
curl: (35) Unknown SSL protocol error in connection to ftp.gnu.org:-9805

1 year ago
1

First, I'd just try entering the command again to see if it was just a connection fluke. If you still get the error, it sounds like you may need to check your system clock settings to make sure you're set to the current date / time, and install any system updates from Apple first... If you do that and still get this error, you can manually download the patch to the bash-3.2 folder and follow my instructions above for Jacob W who ran into a similar problem.

1 year ago
1

Hi. I followed your guide and it worked fine... :-)

I just want to contribute my 2 cents...

On step 2, you say that "You won't see any confirmation, but it'll work..."
I know how to make these commands show a confirmation. Just use these commands instead:

sudo cp -v /bin/bash{,.old}
sudo cp -v /bin/sh{,.old}

I hope this helps someone... :-)
Cheers.
Cris

1 year ago
2

It's Crunchy again...

I had never installed XCode on my 10.8.5 system, but I was able to locate an original SnowLeo..DVD, and was able to install XCode from there. Re-ran the xcodebuild... BUILD SUCCEEDED, and now I'm all good.

1 year ago
1

Ok I'm very computer illiterate when it comes to code stuff like this. I have Mac 10.6.8, and I can't download the xcode from the app store. I haven't found any of my recovery discs, but I've had my laptop for a few years now and I don't even remember if I got any with it or not. I only use my laptop at home on a secure wifi network, will my computer be okay until Apple releases a patch?

1 year ago
1

I got a failed build on OS X Snow leopard. (10.6.8/10K549)
The following build commands failed:
PhaseScriptExecution ostype.h build/bash.build/Release/ostype.h.build/Script-59DC3C521120DC9C00B033EC.sh
(1 failure)

can anyone help?
also, I ran the command with sudo

1 year ago
1

Thank you for posting this really CLEAR and effective walk through. It all worked out perfectly for me. Good as golden..env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

1 year ago
1

Do the work in /tmp folder. Avoid external Volumes.

1 year ago
1

I've updated the article to explain how to make sure you have the missing command line tools that are leading to you getting that error. Start over following the new steps and you should be good to go.

1 year ago
2

Hi and thanks for the article.

I have a problem though. When I ran xcodebuild for the first time it prompted for the Xcode download which I did and installed. Now when I run xcodebuild it returns:-

xcode-select: error: tool 'xcodebuild' requires Xcode, but active developer directory '/Library/Developer/CommandLineTools' is a command line tools instance

Any suggestions?

Many thanks in advance.

1 year ago
1

Same issue as above.

Is it anything to do with having the Xcode6 beta?

1 year ago
1

I've updated the article to show you how to make sure you have the latest command line tools.

1 year ago
1

This fixed it for me (if you have Xcode6 beta installed):
sudo xcode-select -switch /Applications/Xcode.app/Contents/Developer

1 year ago
1

Hi, I just copied the walk-through and the final test was as follows:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Should I do something or is it ok?

Thanks!

1 year ago
1

Great tutorial, I've applied this and am very happy :-)

1 year ago
1

Once the patch is installed, should we remove the /bin/bash.old and /bin/sh.old files?

1 year ago
1

I'd keep them around for now just in case apple's official patch ends up expecting the unpatched versions (unlikely, but better safe than sorry).

1 year ago
1

Thanks , this seemed to work for me okay with out any problems. One question , after creating the new bash on one iMac, is it okay to copy it to others of the same OS release, without going through the Xcode build each time?

1 year ago
1

Should be. Just make sure you backup bash and sh on each computer first, just in case.

1 year ago
1

Hey guys, I got everything perfect, until step 4. When I enter the commands (down below) nothing happens in my Terminal.

sudo cp build/Release/bash /bin
sudo cp build/Release/sh /bin

Any ideas what to do? I'm running the latest OS X

EDIT: False alarm, it's all good! Thanks!

1 year ago - edited 1 year ago
1

Worked perfectly - thanks! All successfully updated

1 year ago
1

Thanks for the link. I'd patch if I were you. DHCP has been proven to be exploitable by this, and that's likely a part of Hamachi.

1 year ago
1

Hi there, I am on Mountain Lion, and Vulnerable.
For me there is really the need to fix it due to my work ;)

I get: GNU bash, version 3.2.48(1)-release (x86_64-apple-darwin12)

Can I also do this update? thanks!

1 year ago
1

Niek, there's someone higher up the list with an older version like you (and me). It should work -> read earlier replies.

1 year ago
1

Thanks Justin and Bryan, top tips! I updated bash successfully and am waiting for the official patch now. However, I am not clear about what the 'vulnerable' test means. Does it mean that I was vulnerable to the exploit, or, as the article seems to suggest, that I was "indeed infected by Shellshock"? My understanding of vulnerabilities is limited, but I imagined it is like an open door to a possible abuse, as opposed to 'an infection', which would be that attacks have already taken place?

thanks!

1 year ago
2

This means that you are vulnerable to it, not that you have been infected. :)

1 year ago
2

Hi, I'm trying to do it but it gives me this:

Check dependencies

The file “BSD.xcconfig” couldn't be opened because there is no such file. (/Applications/Xcode.app/Contents/Developer/Makefiles/CoreOS/Xcode/BSD.xcconfig)

1 year ago
2

I too am having the same error. I'm running Mac OSX 10.9.5, Xcode Version 6.0.1 (6A317). Even downloaded and manually installed commandlinetoolsforosx10.9forxcode6.dmg

1 year ago
1

I'm getting this too on latest Yosemite with Xcode Version 6.1 (6A1052d). Any suggestions?

1 year ago
1

Running 10.8.5; bash version GNU bash, version 3.2.48(1)-release (x86_64-apple-darwin12); Xcode Version 3.2.6 (1761) installed. Every step works except the xcodebuild that results in:

xcrun: Error: failed to exec real xcrun. (No such file or directory)

Suggestions?

1 year ago
1

Thanks, everything worked perfectly. One question: I'm now left with a visible folder in my home directory called bash-fix. Is it safe to delete that, or is that where the now updated version of bash is living?

1 year ago
1

It's safe to delete. You've already copied over the new versions.

1 year ago
1

When I ran through the Terminal steps described in your article and ran the line command to check if my system was still vulnerable, I got the following response:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Although the response following the build was BUILD SUCCESSFUL, there was a line before it asking to check something, saying it could not find the file BCD.something in the Xcode application.

1 year ago
1

The response you got means you are successfully patched, so I wouldn't worry about it.

1 year ago
2

Thank you for this and everyone in the comments that helped as well.

1 year ago
2

Thank you, Justin. That was very easy to follow and very helpful.

1 year ago
2

I got a hold of an older mac to test and figured out the problem some of you are running into.

For those of you running into ** BUILD FAILED ** errors after typing the xcodebuild command, you're likely missing some of the dependencies. Even if you don't understand what that means, it's easy to fix. Just install them by doing the following:

  1. Launch Xcode from your Applications folder
  2. Click the Xcode menu in your top menu bar
  3. Click Preferences
  4. Click the Downloads tab
  5. Click Install next to the Command Line Tools in the list of downloads.

Once installed, quit your terminal window, delete the bash-fix folder from your user home folder, and start again from the beginning. I've updated the article to reflect this.

1 year ago - edited 1 year ago
1

I left my experience above, copied here,

Thanks for the post, I signed up too.

I downloaded Xcode, opened it no problem, did all the steps above and updated my bash, then reset the default. But I still get 'vulnerable' this is a test. I also closed terminal, rechecked the version, which is correct, and still the test says vulnerable. Any ideas?

edit: I ran the sudo commands to make sure about the default, this time I got request for password so I thought, great!

Wrong. Still vulnerable. Mavericks 10.9.5

Wondering, even though it shows the newest version and it still says vulnerable, if I can simply go back through the whole process exactly the same way or if I should do some stop gap measure. Have yet to try on my Snow Leopard iMac.

1 year ago
1

Chances are something didn't copy over correctly. Go through the process exactly the same way (copy/pasting the commands to be sure nothing's missed), except when creating the backup, name the backups ".old2" instead of ".old", so as not to accidentally overwrite your original backups.

1 year ago
2

Amanda Henson's solution to the 'build failed' problem worked for me (see above, 7th post).

1 year ago
1

Wonderful! SUCCESS! Thanks. Also installed Xcode from disk on Snow Leopard iMac and everything went smoothly. Excellent detailed instructions and advice.

1 year ago - edited 1 year ago
1

Hi. Did everything as stated above, worked great, until the very end. This is what I get when I run the test the final time:

XXXs MacBook-Air:bash-92 XXX$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

If it doesn't state 'vulnerable', I should be good, but still bothered by the 'error' statement.

1 year ago
2

Yup! The error statement is what you want to see. It means that an attempt to exploit your system threw an error instead of executing the exploit.

1 year ago
1

What directory should the commands in Step 1, Step 2, etc. be run from? Does it matter? Should it be from simply the default /Users/<username> directory you are in when you open a terminal?

1 year ago
1

Yes, the instructions assume the default /Users/<username> directory. That said, all change directory & move commands are relative, so as long as you don't stray from the instructions, you'll be fine.

1 year ago
1

I also got this in the terminal:

Check dependencies

The file “BSD.xcconfig” couldn't be opened because there is no such file. (/Applications/Xcode.app/Contents/Developer/Makefiles/CoreOS/Xcode/BSD.xcconfig)

1 year ago
1

That error will not affect the fix included here, but I found I could remove it (the error!) if I added the following BSD.xcconfig file in the path specified:-

ARCHS = $(ARCHS_STANDARD_32_64_BIT);
CODE_SIGN_IDENTITY = -;
CURRENT_PROJECT_VERSION = $(RC_ProjectSourceVersion);
DEAD_CODE_STRIPPING = YES;
DEBUG_INFORMATION_FORMAT = dwarf-with-dsym;
PREBINDING = NO;
// Current Mac OS
SDKROOT = ;
//USE_HEADERMAP = NO;
VERSION_INFO_PREFIX = _;
VERSIONING_SYSTEM = apple-generic;

In Terminal you will first need to create the Xcode folder:-
ie.
$ sudo mkdir /Applications/Xcode.app/Contents/Developer/Makefiles/CoreOS/Xcode/

Then create BSD.xcconfig as above with vi or nano or whatever,
then finally change its permissions
$ sudo chmod 644 /Applications/Xcode.app/Contents/Developer/Makefiles/CoreOS/Xcode/BSD.xcconfig

1 year ago - edited 1 year ago
1

!!! Important note to all who have installed patch 3.2.52 !!!

There is a new patch out (3.2.53) that addresses an additional attack vector left open in 3.2.52. An additional step has been added to the instructions in this article to fix it. If you already ran this patch, all you have to do is delete your bash-fix folder from your user directory and follow the instructions from step 1. Many of them are the same, but the order you do them in is very important, so it's best to just copy / paste each command one at a time.

1 year ago
1

Hi,

When I enter in the commands to build the new patch, I get this message:

Error: No developer directory found at /Developer. Run /usr/bin/xcode-select to update the developer directory path.

What does it mean and how do I get around it?

Thanks.

1 year ago
1

Sounds like you may not have Xcode or the Command Line Tools installed. Check out the Prerequisites section in the article above.

1 year ago
1

Nope, I've done both of those steps. Anything else it could be?

1 year ago
1

Could just be remnants from updating Xcode to the newer version (now stored in your Applications directory instead of /Developer). Try typing this command, then try again:

  • sudo xcode-select -switch /Applications/Xcode.app/Contents/Developer

1 year ago
3

Perfect, that did it. Now all fixed. Thank you so much!

1 year ago
2

Could this fix cause problems with Apple's own official fix, if/when that's released (maybe as a Security Update)?

1 year ago
2

Very unlikely, but if you'd like to be certain, this patch can be totally reversed by simply entering the following two commands in Terminal to restore the backup you made in step 3 above, before installing Apple's patch (once it's finally made available):

  • sudo cp /bin/bash.old /bin/bash
  • sudo cp /bin/sh.old /bin/sh

1 year ago
2

Thanks, followed step by step and it worked like a charm. Appreciate your help :)

1 year ago
1

Didn't work for me as a normal user, even using sudo; then I switched to root and it worked 100%.

1 year ago
1

Well, this is odd.

On my system (10.8.5), after installing the first-level patch:

% bash --version
GNU bash, version 3.2.52(1)-release (x86_64-apple-darwin12)
Copyright (C) 2007 Free Software Foundation, Inc.

% env X='(){(a)=>\' bash -c "echo date"; cat echo; rm -f echo
date
cat: echo: No such file or directory

So even though I haven't yet installed the second-level patch, my 3.2.52 install of bash doesn't appear to be vulnerable per the second test (which I copy-pasted straight out of the article).

How can that be?

1 year ago
2

Kudos! Worked like a charm for me. One of the benefits of open source.

1 year ago
1

Have you gotten a reply? I'm looking to patch a Leopard server.

1 year ago
2

Your procedure worked perfectly in Lion and Mavericks, thx!

1 year ago
2

Great guide, easy to follow and it only took me about 3 minutes (minus the install of xcode)

1 year ago
1

Great tutorial, but the original bash/sh file were universal binaries ie.
$ file /bin/bash
$ /bin/bash: Mach-O universal binary with 2 architectures: x86_64: Mach-O 64-bit x86_64 executable i386

Is it possible to have the config changed to create this, rather than just create x86_64 binaries? I do not have the expertise to do this myself...

John Hall

1 year ago
1

Eh,
I think I can answer my own question here!
To build a universal binary, as per the original bash and sh:-
In Step 1 and Step 2 replace xcodebuild with:-
xcodebuild -arch x86_64 -arch i386

This will produce files which will run in 32 and 64 bit modes as appropriate for the machine boot mode...

1 year ago
1

Thanks for the great tutorial, any ideas on patching a Leopard server (10.5.8)?

1 year ago
1

I'm working on Leopard 10.5.8, installed Xcode in order to manually update the bash, but ran into the problem that apparently for the version of Xcode compatible with 10.5.8 (I have 3.0 now, and apparently it goes up to 3.1.4) there is no "downloads" tab and apparently no way to download the "Command Line Tools".

I thought that maybe they were packed up inside of Xcode by default so I was like "hey lets try it anyway".

First off the bash build doesn't download, returns with an error for some reason. Something about SSL encryption not recognizing a certificate. Said "off with that" and just downloaded and put the bash-92 folder into bash-fix.

Works. Yay. Then this happened :

Well of course.

Tried pushing on anyway :

Can't say I'm surprised.

Is there a workaround ? I'm not a programmer and I can't type a line of code in a million years so if I'm doing something wrong I likely don't even know what, but the fact that it did not find the "seq" command leads me to believe that Xcode 3.0 doesn't have the command line tools bundled somehow ? Is there a way to get them externally ?

Thanks in advance.

Cheers!
Alex.

1 year ago
1

I haven't been able to try this myself, but a little searching turned up this little terminal command to get it to download the xcode command line tools. Let me know if it doesn't work.

  • xcode-select --install

1 year ago
1

Alex, see my response to Norman below. It explains how to get around the lack of a `seq` command in older versions of OS X.

1 year ago
1

I'm on an older machine running OS 10.6.8 with Xcode v 3.0. The procedure fails for me at line 3 of step 1 with the following error:

bash-fix norman$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf

tar: Option f requires an argument
Usage:
List: tar -tf <archive-filename>
Extract: tar -xf <archive-filename>
Create: tar -cf <archive-filename> filenames...
Help: tar --help
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 4088k 0 16384 0 0 43020 0 0:01:37 --:--:-- 0:01:37 134k
curl: (23) Failed writing body (0 != 16384)

I don't know what any of this means.
I can put that url in Safari which downloads 2 files:
bash-92.tar
M202.0M2.1.6.04ZAV.D7210.rar
I have dragged them into the bash-fix folder. Now what do I do?

A second possible problem: My version of Xcode does not have a Downloads preference.

Update: Well I read further down in the instructions and manually ran tar. The file in my directory did not have the .gz extension, so I just omitted it thus:

tar -zxf bash-92.tar
That worked and resulted in the creation of the bash-92/bash-3.2 directory. However when I did:
cd bash-92/bash-3.2

for i in $(seq -f "%03g" 52 54);do curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-$i | patch -p0; done

I got: -bash: seq: command not found

So I guess I'm missing the command line tool, "seq"
This appears to be the same problem Alex is having.

1 year ago - edited 1 year ago
1

You're missing the " -" (space, minus sign) that should be at the end of that command. Safest to copy/paste each bullet point for each individual command (including any text that wrapped to the next line) so as not to miss little details like this.

1 year ago
2

The purpose of the `seq …` command in this case is to easily loop through all the patch file names (052 053 054) in a single curl command. I don't know when this command became available for OS X, but it certainly isn't on my fully patched Leopard system.

Just issue the following command instead of the original `for … ; done` command:

curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0

Then repeat that command with 053 instead of 052, and 054 instead of 053. You must do them in the proper order!

If further patches come out for bash 3.2, I'd presume they would be numbered 055, etc.

1 year ago
1
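A seq-free version of the patch loop discussed above, as an added example that is not part of any comment: it builds the 052, 053, 054 names with printf, saves each download to a file so a failed transfer is never piped into patch, and stops at the first failure so later patches are not applied out of order. The names patch_ids, apply_patches and PATCH_BASE are assumptions of this example; the URL is the one used in the thread.

```shell
#!/bin/sh
# Added example: apply bash-3.2 patches in order on systems without `seq`.

PATCH_BASE=https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches

# patch_ids FIRST LAST -> zero-padded three-digit ids, one per line.
# Pass plain decimals (52, not 052): a leading zero would be read as octal.
patch_ids() {
    i=$1
    while [ "$i" -le "$2" ]; do
        printf '%03d\n' "$i"
        i=$((i + 1))
    done
}

# apply_patches FIRST LAST: run from inside bash-92/bash-3.2.
apply_patches() {
    for id in $(patch_ids "$1" "$2"); do
        tmp=$(mktemp "${TMPDIR:-/tmp}/bash32-$id.XXXXXX") || return 1
        # -f makes curl exit non-zero on an HTTP error instead of saving
        # the error page, which `curl ... | patch -p0` would feed to patch.
        if ! curl -fsS -o "$tmp" "$PATCH_BASE/bash32-$id"; then
            echo "download of bash32-$id failed; stopping" >&2
            rm -f "$tmp"
            return 1
        fi
        # Each patch builds on the previous one, so stop at the first
        # patch that does not apply cleanly.
        if ! patch -p0 < "$tmp"; then
            echo "bash32-$id did not apply; stopping" >&2
            rm -f "$tmp"
            return 1
        fi
        rm -f "$tmp"
    done
}

# Usage: sh apply_bash32_patches.sh 52 54
if [ "$#" -eq 2 ]; then
    apply_patches "$1" "$2"
fi
```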

Ok so here I'm getting another error, actually the same SSL certificate error I was getting earlier :

Tried adding "-k" at the end of the pasted line of code, did not work, returned the same text as above.

Also, Bryan, I tried "xcode-select --install", and it returned this :

Thanks a lot for the fast answers!

Alex.

1 year ago - edited 1 year ago
1

Alex, to override the SSL issue you're getting with the `curl` command you need to include the "-k" just after the word "curl", not at the end of the command line. So like this:

curl -k https://…

Personally, I did not have any SSL certificate issue getting the patches themselves — just when pulling the base bash kit from Apple's servers. Obviously you are getting an error, so something must be different on your system (older certificate authority info in your keychain, older version of OS X, not the same OS X security patches, etc.). I wouldn't worry about it as long as you can obtain the patches successfully using the "-k" option and you use these "trusted" source code/patch domains.

With regard to your `xcode-select --install` issue, it would be mildly interesting to know what this command shows:

xcode-select -print-path

For me, it shows "/Developer".

Based on the output you showed in your second screenshot, it appears that the version of xcode-select you have on your system didn't understand what "--install" means as an option. Can you tell us which version of OS X you are trying this on, and what the version of Xcode is (launch the Xcode application, then choose the "About Xcode" option from the Xcode menu)?

1 year ago
1

Hi,

Ok, just checked, so first off, my version of OSX is Leopard 10.5.8 (9L31a) with the Darwin 9.8.0 kernel (according to the System Profiler). My version of Xcode is 3.0.

The -k thing before curl did work, I was able to download all the files directly from the Terminal. The -seq workaround worked as well, and I was able to download the patches directly from the Terminal too.

However the build still failed. I tried a second time by redownloading all the files, starting fresh and following all the steps again, using curl -k to download patches 052 to 054, same thing, *build failed*.

If you want I can paste the whole text that appears after the "xcodebuild" line if that helps.

Is it a problem with the Xcode version that's too old ? I've checked on wikipedia and the highest version of Xcode that will work on Leopard 10.5.8 is Xcode version 3.1.4. I have an Apple developer account so I can download it if necessary but my question is : should I upload and will it change anything ?

Thanks!
Alex.

Edit : oh yes "xcode-select -print-path" shows up "/Developer" as well. I didn't change the default install setup and it offered to put Xcode and its files there so I did not bother to change it.

1 year ago - edited 1 year ago
1

I'm glad my curl suggestion got you further along.

Unless your xcodebuild sequence fails very early on, I'm afraid that your entire log of that step could be quite large (and thus hard to go through). Perhaps you can determine from looking at the output before the build failed is reported you can see just above that a starting point of the output where things were going well, then turned bad—from that point to the end might be useful.

As to Xcode 3.0, I cannot say if that is too old or not. My Leopard system has 3.1.1 and everything worked. Since you have ready access to the developer portal I'd say it cannot hurt to download the latest you can find there (that works on Leopard of course) and give it a shot. What's a little download bandwidth and time among friends? ;)

I suppose it's possible that your /Developer path is corrupt or incomplete in some way and upgrading Xcode might not catch that. If that's true you may need to (backup and then) remove the current /Developer contents so that a fresh Xcode download and installation will put everything right.

1 year ago
1

Well, I've made progress:
bash-3.2 norman$ man seq
No manual entry for seq
This confirms that the "seq" command is not on my system. So I did as Marty suggested:

Elenas-Computer:bash-3.2 norman$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
101 3250 101 3250 0 0 4605 0 --:--:-- --:--:-- --:--:-- 50000
patching file builtins/common.h
patching file builtins/evalstring.c
patching file variables.c
patching file patchlevel.h
Elenas-Computer:bash-3.2 norman$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
101 1115 101 1115 0 0 3895 0 --:--:-- --:--:-- --:--:-- 19224
patching file parse.y
patching file patchlevel.h
Elenas-Computer:bash-3.2 norman$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 | patch -p0
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 6617 100 6617 0 0 18073 0 --:--:-- --:--:-- --:--:-- 53362
patching file variables.c
patching file patchlevel.h

Then I tried to go on..
Elenas-Computer:bash-3.2 norman$ cd ..
Elenas-Computer:bash-92 norman$ xcodebuild
-bash: xcodebuild: command not found
So I don't have the command-line commands for my version of Xcode, and I don't know how to get them. Any suggestions?

1 year ago
1

Norman,

Your version of Xcode is very out-of-date for Snow Leopard. Even my old Leopard system has version 3.1.1. Looking at Apple's developer portal, the latest Xcode for SL is 3.2.6. Since you have Xcode already installed, I'd be surprised if using the Software Update menu choice from your Apple menu wouldn't find and install that upgrade for you. Then you can try picking up in the bash fix instructions where you left things.

You can signup as an Apple developer without paying anything (their paid account provides additional developer access and tools) and download "Xcode 3.2.6 and iOS SDK 4.3 for Snow Leopard" from there so that route is available to you as well.

Because of licensing, if you cannot upgrade Xcode via Software Update or download it from the Apple developer portal it wouldn't be legal for anyone else to provide Xcode to you. Hopefully Software Update will be your friend!

Since Xcode tends to require you to agree to its Terms & Conditions with every release, no matter how you get an updated Xcode be sure and launch the application before trying to use its command-line tools.

1 year ago
1

I'm afraid I have dug myself a deeper hole. Today I thought of the 3 other machines in my house, all running Mavericks on all of which I have applied the Apple patch. So I backed up bash and sh on this old machine, as described above, then copied the versions of them on one of my Mavericks machines to .bin/ on this old machine. Unfortunately that broke everything. Launching Terminal yields:

Last login: Wed Oct 1 13:51:47 on ttys000

Process completed

so the terminal session shuts down completely. I tried to ssh to this machine from another on my LAN but that failed as well. I'm about to try to use Finder to restore from backup. This is hard because my backup is a disk image, and this machine can no longer mount disk images. Disk Utility spins the pinwheel of death. I guess they all rely on bash.

...

Well, I can use the finder to open up /bin/ and I can move bash to the trash, but I don't have permissions to rename bash.old to bash. Is there some way that I can get access to another shell on boot up? Both bash and sh are probably broken.

1 year ago - edited 1 year ago
1

SUCCESS! I downloaded and installed "Xcode 3.2.6 and iOS SDK 4.3 for Snow Leopard" as per Marty's suggestion (thanks). There was a defaulted-on option to install the command-line tools, and I verified that they were there after the install (there was still no "Download" tab under Preferences in this version of Xcode).

I then completed Bryan's procedure, and Voila!, it all worked and tested properly. Thanks all.

1 year ago
1

OK, I dug myself out of that. I used Terminal/Preferences to Shells Open With /bin/bash.old, and that gave me Terminal back. Software Update did not want to update Xcode, so it's off to the Developer site...

1 year ago
1

I don't know which CVE(s) it may address, but there is now a patch 056 available dated October 2 at 22:15 (timezone unknown).

If your bash-fix folder is untouched from all previous patching through patch 055, you can apply this new patch by using the following command (be certain that you are in the same bash-3.2 folder as before!!!):

curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-056 | patch -p0

Then carry on with the remainder of the original manual steps starting with the `cd ..` command.

I wouldn't be surprised if additional patches come out for this issue, so stay tuned. :)

BTW, I really like this script for testing against these bash issues. It seems to be maintained quickly and the results are in color to quickly give you a sense of your installed version of bash against the identified problems.

1 year ago
1

I have a problem. I'm running os X Tiger which only allows me to install xcode 2.5. Everything runs fine until I compile the code. I get:

/Users/polarisdirect/bash-fix/bash-92/bash-3.2/lib/intl/dcigettext.c:302:36: warning: character constant too long for its type

/Users/polarisdirect/bash-fix/bash-92/bash-3.2/lib/intl/dcigettext.c:302: error: invalid initializer

Does anyone have an idea? There is no download command line tools under preferences and the code stated above to install them didn't work.

1 year ago
1

Thanks for the help. Great job Justin and Bryan. Worked perfectly!

1 year ago
1

Thanks for posting this awesome instruction set. I can't resolve it completely however, it fails the first test. Any guidance greatly appreciated!

I see the following after entering the "xcodebuild" command in Terminal:

=== BUILD AGGREGATE TARGET all OF PROJECT bash WITH THE DEFAULT CONFIGURATION (Release) ===

Check dependencies

The file “BSD.xcconfig” couldn't be opened because there is no such file. (/Applications/Xcode.app/Contents/Developer/Makefiles/CoreOS/Xcode/BSD.xcconfig)

* BUILD SUCCEEDED *

I don't know if this is related after reading that this doesn't matter in comments above. However it doesn't pass the 1st test after completing all commands in Terminal, but does pass the 2nd test. I see:

...2:bash-92 ...$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

I repeated the full instructions 3x on Yosemite's latest version, same result each time. Suggestions? Thanks!

1 year ago - edited 1 year ago
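The test outputs quoted throughout this thread fall into three cases, and the script below (an added example, not part of the article or of any comment) runs the article's first test against a given shell binary and names the case. The function names and verdict words are assumptions of this example; the third case, "this is a test" with no warning, is what a bash prints when it no longer treats an ordinary variable such as x as a function definition at all. The verdict covers this one test only.

```shell
#!/bin/sh
# Added example: interpret the output of the article's first Shellshock test.

# Outputs as quoted in the comments above; the "vulnerable" one is the
# unpatched result commenters describe.
SAMPLE_VULNERABLE='vulnerable
this is a test'
SAMPLE_REJECTED="bash: warning: x: ignoring function definition attempt
bash: error importing function definition for \`x'
this is a test"
SAMPLE_SILENT='this is a test'

# classify_output TEXT -> one verdict word on stdout.
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        # The command placed after the function body was executed.
        echo VULNERABLE
    elif printf '%s\n' "$1" | grep -q 'ignoring function definition attempt'; then
        # bash noticed the trailing command and refused the import.
        echo NOT_VULNERABLE_REJECTED
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        # Nothing extra ran and nothing was rejected: x was never
        # treated as a function definition.
        echo NOT_VULNERABLE_SILENT
    else
        echo UNKNOWN
    fi
}

# check_shell PATH: run the article's test against one binary.
check_shell() {
    # The warning lines are written to stderr, so capture both streams.
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>&1)
    classify_output "$out"
}

# audit PATH...: report every binary given, including any that are missing.
audit() {
    for shell_path in "$@"; do
        if [ -x "$shell_path" ]; then
            printf '%s: %s\n' "$shell_path" "$(check_shell "$shell_path")"
        else
            printf '%s: not present or not executable\n' "$shell_path"
        fi
    done
}

# Usage: sh shellshock_verdict.sh /bin/bash /bin/sh /bin/bash.old /bin/sh.old
if [ "$#" -gt 0 ]; then
    audit "$@"
fi
```

Including /bin/bash.old and /bin/sh.old in the audit shows that the backups made before patching are still the unpatched binaries.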
