Unless you wrote your own compiler from machine code, you are still trusting the people who wrote your compiler. You are also trusting the people who wrote the microcode in your CPU. You are trusting third parties irrespective of whether or not you are running open source, and as demonstrated by the leaked NSA docs, there are bugs available for your hard drive firmware that you will never find.
In short: you're boned and trusting third parties irrespective of how open your OS is - unless all of your hardware is open, all of the firmware for your hardware is open, and you have personally audited all of it.
Correct. For this to be exploited, bash needs to be spawned by an internet-facing service and pass environmental variables into a bash shell. Nothing on OS X does this by default. OS X does not run the open source dhcpd, and is thus not exploitable via dhcpd, and does not run Apache unless manually enabled, and manually configured to run mod_cgi. Remote ssh is also not enabled on the Mac by default.
Far more vulnerable is Linux which runs dhcpd on any machine with a non-static IP, through which bash is exploitable.
But hey, let's make out that OS X is worse off than Linux in this case.
The only people who are going to get butt-hurt over this are a tiny fraction of Linux users who represent a tiny fraction of a tiny fraction of the GPU market.