OS X 10.4-10.10: /bin/bash and /bin/sh are vulnerable to CVE-2014-6271
| Originator: | pepi.zawodsky | | |
| Number: | rdar://18454630 | Date Originated: | 25-Sep-2014 05:05 PM |
| Status: | Open | Resolved: | |
| Product: | OS X | Product Version: | 10.10.x/by, 10.9.x, 10.8.x, 10.7.x, 10.6.x, 10.5.x, 10.4.x |
| Classification: | Security | Reproducible: | Always |
Summary:
All versions of OS X including 10.4.0 up to 10.10 beta ship with vulnerable versions of bash and sh.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
Steps to Reproduce:
In a Terminal, enter these commands to test whether code in environment variables is executed:
env x='() { :;}; echo vulnerable' /bin/bash -c "echo this is a test"
env x='() { :;}; echo vulnerable' /bin/sh -c "echo this is a test"
Expected Results:
This test should not echo “vulnerable” to a shell.
Actual Results:
vulnerable
Regression:
csh, tcsh, zsh not affected.
Notes:
On OS X, /bin/sh and /bin/bash are both bash, but they are separate copies (sh is not symlinked to bash as on most Linux systems). Both report the same version number but are in fact different binaries. So patching /bin/bash alone will NOT fix the vulnerability!
$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.9.5
BuildVersion: 13F34
$ /bin/bash --version
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
$ /bin/sh --version
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
$ file /bin/bash /bin/sh
/bin/bash: Mach-O universal binary with 2 architectures
/bin/bash (for architecture x86_64): Mach-O 64-bit executable x86_64
/bin/bash (for architecture i386): Mach-O executable i386
/bin/sh: Mach-O universal binary with 2 architectures
/bin/sh (for architecture x86_64): Mach-O 64-bit executable x86_64
/bin/sh (for architecture i386): Mach-O executable i386
$ ls -la /bin/bash /bin/sh
-r-xr-xr-x 1 root wheel 1228240 Oct 21 2013 /bin/bash
-r-xr-xr-x 1 root wheel 1228304 Oct 21 2013 /bin/sh
$ sha256 /bin/bash /bin/sh
SHA256(/bin/bash)= 737867f9e519c2eae2b064c33dc0608b283ebd6045fcf8b19736651ec34c0e37
SHA256(/bin/sh)= 44263e3a6143203e598154b1e019239aebf31a6663d62cb1a926eef1743549da
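A check that follows from the note above, as an added example that is not part of the original report: it runs the report's test against each shell binary separately and reports whether /bin/sh is a symlink, an identical copy, or a distinct binary. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original report): test every shell binary
# separately, because /bin/sh and /bin/bash are distinct copies on OS X.

# output_shows_bug TEXT -> exit 0 if the probe's output contains the marker.
output_shows_bug() {
    case "$1" in
        *vulnerable*) return 0 ;;
        *) return 1 ;;
    esac
}

# is_vulnerable PATH -> exit 0 if PATH runs the command that trails the
# function definition in the environment variable (the report's test).
is_vulnerable() {
    probe_out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || true
    output_shows_bug "$probe_out"
}

# describe_copy A B -> prints how B relates to A on disk.
describe_copy() {
    if [ -L "$2" ]; then echo "symlink"
    elif cmp -s "$1" "$2"; then echo "identical-copy"
    else echo "distinct-binary"
    fi
}

# audit_shells PATH... -> one status line per path, then a summary count.
audit_shells() {
    vuln_count=0
    for shell_path in "$@"; do
        if [ ! -x "$shell_path" ]; then
            echo "$shell_path: not found"
        elif is_vulnerable "$shell_path"; then
            echo "$shell_path: VULNERABLE"
            vuln_count=$((vuln_count + 1))
        else
            echo "$shell_path: ok"
        fi
    done
    echo "$vuln_count vulnerable"
}

audit_shells /bin/bash /bin/sh
echo "/bin/sh vs /bin/bash: $(describe_copy /bin/bash /bin/sh)"
```

A "distinct-binary" result means each path has to be replaced and re-tested on its own after patching.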