NOTE: Apple have released their own patch now, and I highly recommend you use that one.
It can be found here: http://support.apple.com/kb/DL1769
No sooner had the dust settled on the first bash bug than a few more vectors were found. And so the term "Shellshock" has been coined to refer to the recent spate of vulnerabilities affecting bash.
Unfortunately, MacOS (Mavericks) is not immune to this and the version of bash included with your installation is also vulnerable. I'm confident Apple will patch it soon, but in case you want to get it patched ASAP you can follow the steps below to do so.
NOTE: If you don't have Xcode, you will need it to compile the replacement bash, and it's a LARGE download. Be aware of this before proceeding.
Thanks to Loïc for the steps, which I've tested and which work fine.
- mkdir tmp && cd tmp
- curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
- cd bash-92/bash-3.2
- curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
- cd ..
- xcodebuild
- sudo cp /bin/bash /bin/bash.old
- sudo cp /bin/sh /bin/sh.old
- build/Release/bash --version # GNU bash, version 3.2.52(1)-release
- build/Release/sh --version # GNU bash, version 3.2.52(1)-release
- sudo cp build/Release/bash /bin
- sudo cp build/Release/sh /bin
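The two `--version` checks in the steps above can be scripted so that the final `sudo cp` steps only run when the freshly built binaries report the expected patch level. This is an added example, not part of Loïc's steps; the function names and the sample version strings in the comments are constructed for illustration, and the expected value 3.2.52 is taken from the step comments above.

```shell
#!/bin/sh
# Added example: gate the final "sudo cp" steps on the version the steps expect.
# EXPECTED_* come from the step comments (3.2.52(1)-release).
EXPECTED_SERIES="3.2"
EXPECTED_PATCH=52

# Print "<major.minor> <patchlevel>" parsed from the first line of `--version`
# output, e.g. "GNU bash, version 3.2.52(1)-release (...)" -> "3.2 52".
parse_bash_version() {
    printf '%s\n' "$1" | sed -n \
        '1s/^GNU bash, version \([0-9][0-9]*\.[0-9][0-9]*\)\.\([0-9][0-9]*\)(.*$/\1 \2/p'
}

# Return 0 only if the version line is the expected series at or above the
# expected patch level. This check is specific to the 3.2 series built here.
version_ok() {
    parsed=$(parse_bash_version "$1")
    [ -n "$parsed" ] || return 2          # unparseable output counts as failure
    series=${parsed% *}
    patch=${parsed#* }
    [ "$series" = "$EXPECTED_SERIES" ] || return 1
    [ "$patch" -ge "$EXPECTED_PATCH" ]
}

# Check every binary given as an argument; fail if any is missing or too old.
check_binaries() {
    rc=0
    for bin in "$@"; do
        if [ ! -x "$bin" ]; then
            echo "MISSING  $bin"; rc=1; continue
        fi
        line=$("$bin" --version 2>/dev/null | head -n 1)
        if version_ok "$line"; then
            echo "OK       $bin: $line"
        else
            echo "TOO OLD  $bin: $line"; rc=1
        fi
    done
    return $rc
}

# Usage, from the bash-92 directory after the build:
#   check_binaries build/Release/bash build/Release/sh && echo "safe to install"
```

The same function can be pointed at `/bin/bash /bin/sh` after the copy to confirm the installed binaries are the rebuilt ones.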
Enjoy and adios for now. Keep those hashes cracking!