anti-shellshock suggestions

Eric A. Borisch eborisch at macports.org
Mon Sep 29 07:04:14 PDT 2014


Just my 2c - it's not hard to download (outside of macports) and compile
bash + latest patches. You can also match the bash rev (3.2 on my SL
machine) to have minimal impact from any changes to bash behavior.

As noted in the thread, changing the core OS executables is something you
do AT YOUR OWN RISK.

$ /bin/bash --version
GNU bash, version 3.2.52(2)-release (i386-apple-darwin10.8.0)
Copyright (C) 2007 Free Software Foundation, Inc.
$ /bin/orig/bash --version
GNU bash, version 3.2.48(1)-release (x86_64-apple-darwin10.0)
Copyright (C) 2007 Free Software Foundation, Inc.

This also links against the system libs, so you won't have a borked system
if you ever decide to uninstall macports.

 - Eric

On Mon, Sep 29, 2014 at 8:35 AM, Lee Bast <x-lists at asgarda.com> wrote:

> New exploit variants (CVE-2014-6278), this looks like the vuln
> that'll keep on giving until bash has a more fundamental fix decided upon.
> In the mean time, would it be worth giving any consideration to the NetBSD
> patch that simply disables default environmental function importing? Both
> NetBSD and FreeBSD have adopted that as an interim solution:
> http://seclists.org/oss-sec/2014/q3/755
> http://seclists.org/oss-sec/2014/q3/802
> https://svnweb.freebsd.org/ports/head/shells/bash/files/extrapatch-import-functions?revision=369467&view=co&pathrev=369467
> A variant with that patch seems like a promising approach to avoid
> the whack-a-mole game. In that thread they discuss simply abandoning
> backwards compatibility entirely and removing it, but arguments either way
> and that seems like a step too far for MacPorts as well. But making it an
> explicit flag/warning might be a good compromise.
>
> On Sep 29, 2014, at 04:53, René J.V. Bertin <rjvbertin at gmail.com> wrote:
> > - how about adding a variant to the bash (and dash) portfiles allowing
> users to copy the MacPorts version into /bin (moving the original version
> to something like bash.macportsBackup if that backup doesn't yet exist)?
>
> Beyond what Rainer Müller said, what do you mean "allowing"? There's
> nothing stopping you from just copying it over or linking it yourself while
> renaming/-x'ing the standard ones. You'll have to test your own setup of
> course, but it should be trivial to revert, and FWIW I saw no issues after
> giving it a shot in a few VMs and a test system.
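Two concrete behaviours are at stake in this thread: whether a rebuilt bash (Eric's "download and compile bash + latest patches") still executes a command trailing an imported function body, and whether it imports functions from the environment at all (what the NetBSD/FreeBSD patch Lee mentions switches off by default). The script below is an added example, not code from any post in the thread or from MacPorts; it probes a given bash binary for both and prints the version line so the rev can be compared against the backup copy. It assumes /bin/bash as the default path, and the two variable encodings it tries for the post-patch import check (BASH_FUNC_name%% as in the upstream patches, BASH_FUNC_name() as in some vendor patches) are assumptions to verify against the patch you actually applied.

```shell
#!/bin/sh
# Added example (not from the thread): check what a bash binary actually
# does with function definitions found in its environment.
# Usage: sh check_bash.sh [/path/to/bash]   (default: /bin/bash)

# First line of "<bash> --version", e.g. "GNU bash, version 3.2.52(2)-release ...".
# Compare it with the backup copy to confirm the major/minor rev matches.
bash_version() {
    "$1" --version 2>/dev/null | head -n 1
}

# Does the binary execute a command placed after an imported function body
# (the original CVE-2014-6271 behaviour)?
# Returns 0 if patched, 1 if the trailing command runs, 2 if it cannot execute.
trailing_command_patched() {
    [ -x "$1" ] || return 2
    out=$(env x='() { :;}; echo TRAILING' "$1" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *TRAILING*) return 1 ;;
        *)          return 0 ;;
    esac
}

# Does the binary import functions from the environment at all?
# Patched upstream bash still does, but only from specially named variables;
# the two encodings tried here are assumptions (BASH_FUNC_name%% upstream,
# BASH_FUNC_name() in some vendor patches).  A build carrying the
# NetBSD/FreeBSD patch imports nothing by default and returns 1 here.
# Returns 0 if import is enabled, 1 if disabled, 2 if it cannot execute.
function_import_enabled() {
    [ -x "$1" ] || return 2
    for name in 'BASH_FUNC_probe%%' 'BASH_FUNC_probe()'; do
        out=$(env "$name=() { echo IMPORTED; }" "$1" -c probe 2>/dev/null)
        case "$out" in *IMPORTED*) return 0 ;; esac
    done
    return 1
}

# Human-readable summary; exit status is non-zero only when the
# trailing-command bug is present or the binary cannot be run.
report() {
    b=${1:-/bin/bash}
    echo "binary:  $b"
    echo "version: $(bash_version "$b")"
    trailing_command_patched "$b"; tc=$?
    function_import_enabled "$b"; imp=$?
    case $tc in
        0) echo "trailing command after function body: not executed (CVE-2014-6271 fix present)" ;;
        1) echo "trailing command after function body: EXECUTED (unpatched)" ;;
        *) echo "cannot execute $b"; return 2 ;;
    esac
    case $imp in
        0) echo "function import from environment: enabled (upstream behaviour)" ;;
        1) echo "function import from environment: disabled (NetBSD/FreeBSD-style build)" ;;
    esac
    [ "$tc" -eq 0 ]
}

report "$@"
```

Run it once against the freshly installed /bin/bash and once against the backup copy (e.g. /bin/orig/bash as in Eric's listing) to see exactly what changed; a binary that reports "disabled" for function import is the variant the NetBSD/FreeBSD patch produces, while an upstream-patched 3.2.5x or 4.3.x still reports "enabled".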