The 'Bash Bug' and PPC

Discussion in 'PowerPC Macs' started by roadbloc, Sep 25, 2014.

  1. roadbloc macrumors G3

    roadbloc

    Joined:
    Aug 24, 2009
    Location:
    UK
    #1
    Well, I know for certain that Tiger is vulnerable to the bash bug and I was wondering what it means for us PowerPC users who will most likely not get a fix from Apple.

    We had to abandon Flash due to vulnerabilities, but is it now time to abandon PPC altogether? Or is this simply a case of a vulnerability being over-hyped and in reality we're actually probably going to be okay?

    Discuss. :)
     

    Attached Files:

  2. Intell macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #2
    Just recompile the bash and sh binaries from Apple's source and patch. It takes about 10 minutes.
     
  3. vlark macrumors member

    Joined:
    Mar 13, 2014
    #3
    Well, sure, for the truly technical minded with the right software installed to do this.

    But I'm not that technically minded. Can someone on these boards roll up a patched versions for 10.3.9, 10.4.11 and 10.5.8 PPC and post them, along with installation instructions? I'm clueless on how to go about patching Unix things. I avoid the terminal unless I have explicit step-by-step instructions on what to do. Yes, it's nice that Macs have the power of Unix under the hood, but I don't pop my engine and tinker with it on a regular basis (even though I know I probably should).
     
  4. Intell macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #4
    All you need is Xcode to be installed. That's it. Later today I'll be able to post the complete Terminal lines to build and install the patched versions.
     
  5. vlark macrumors member

    Joined:
    Mar 13, 2014
    #5
    I only have Xcode from the Tiger retail disk; I don't have Xcode for Leopard. Is it still available from ADC?
     
  6. Intell macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #6
    I believe it is, but it's a little hard to find.
     
  7. archtopshop, Sep 25, 2014
    Last edited: Sep 25, 2014
  8. Intell, Sep 25, 2014
    Last edited: Oct 1, 2014

    Intell macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #8
    While the steps posted above seem out of action at the moment, here's how you can build and replace your own. All you need is an internet connection and Xcode 3.1 or later to be installed. Just copy and paste the lines one at a time and you'll be all done. If at any point you get an error, stop and post the error. Failure to stop could lead to problems. Will work on 10.5.8 through 10.9.4.
     
  9. archtopshop macrumors regular

    Joined:
    Dec 13, 2011
    #9
    OK, I fixed the link to the tenfourfox blog.
     
  10. Intell macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #10
    The link was fine, I was referring to the content within the link:
     
  11. bunnspecial macrumors 603

    bunnspecial

    Joined:
    May 3, 2014
    Location:
    Kentucky
    #11
    Intell's instructions above worked great on my MBP running 10.9.

    I tried it on my iMac G4 running 10.5(after installing Xcode from the Leopard DVD). When I got to the compiling step, it gives me an error. Here's the full text of what I'm seeing

     
  12. Intell macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #12
    What version of Xcode do you have installed? You can find out by running "xcodebuild -version" in Terminal.
     
  13. bunnspecial macrumors 603

    bunnspecial

    Joined:
    May 3, 2014
    Location:
    Kentucky
    #13
    Here's what I get back

     
  14. Intell macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #14
    That version of Xcode is too old to properly build bash and sh. You need at least version 3.1. You can download the last version for Leopard by going to https://developer.apple.com/downloads/index.action and signing it with your free developer account or your Apple ID, then searching for "Xcode 3.1.4". Download the 993.04MB DMG to your OS X 10.5.8 machine and then install it. Once installed, start over with building bash and sh.
     
  15. bunnspecial macrumors 603

    bunnspecial

    Joined:
    May 3, 2014
    Location:
    Kentucky
  16. bunnspecial macrumors 603

    bunnspecial

    Joined:
    May 3, 2014
    Location:
    Kentucky
    #16
    By the way, I just tried the above fix on my Macbook running 10.10, and it works fine there also.

    Thanks again Intell!
     
  17. roadbloc thread starter macrumors G3

    roadbloc

    Joined:
    Aug 24, 2009
    Location:
    UK
    #17
    Fixed

    I tried out the solution on the TenFourFox page since I didn't have XCode (or Leopard) and I'm happy to report it works perfectly too. Glad we have a few fixes for this around now. :)

    I'll post the TenFourFox blog solution here for y'all to use.
    Code:
     Bashing bash one more time: updated universal 4.3.26 covering both bash flaws
    See the previous entry, but in short, bash has been shown to have a pretty nasty little vulnerability that causes it to inadvertently execute shell commands in the environment you pass it. This attack does work on Power Macs because most shell commands are cross-platform, and appears to exist on all versions of OS X.
    
    The solution is easy: build a new bash from the newly patched source code. As a service to you, I have done so, and compiled it for PowerPC and Intel so it will also work for users on 10.6 who are not receiving updates either. The version earlier today had a preliminary version of the patch which does not fix a second variant vulnerability. This version does. If you used one of the "build from source" tricks that were circulating earlier today (MacRumors, etc.), your version does NOT have this second issue patched. Either wait for the public source trees to update and rebuild it (likely early tomorrow), or use this one.
    
    The bash these steps will install works on 10.4 all the way to 10.9 on 32-bit Intel, 64-bit Intel and PowerPC. It requires no other dependencies. The idea is to replace your system bash -- yes, you can use Homebrew, Tigerbrew, MacPorts, etc., to get an updated copy, but your built-in bash is still vulnerable unless you replace it. This is designed to accomplish that. WARNING AGAIN: If you are not comfortable with the Terminal, get someone to help you!
    
        In a Terminal.app window, verify that you have a vulnerable system so that you can see what that looks like (the command is all one line):
    
        env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    
        It should print
    
        vulnerable
        this is a test
    
        Check the second vulnerability. This creates a file called echo with the date in it, if your system is vulnerable:
    
        env X='() { (a)=>\' sh -c "echo date"; cat echo
    
        It should print something like (the messages and of course the time will vary):
    
        bash: X: line 1: syntax error near unexpected token `='
        bash: X: line 1: `'
        bash: error importing function definition for `X'
        Thu Sep 25 22:12:49 PDT 2014
    
        (Delete the file it makes before you continue! rm echo)
    
        Download the patched bash 4.3.26. Put it in your home directory. If necessary, double-click to decompress it so that you have a file in your home directory called bash-4.3.26-10.4u.
    
        Close all terminal windows and programs just to make sure you won't stomp on bash while a program is trying to call it. Start Terminal and have exactly one window open.
    
        In that terminal window:
    
            exec tcsh
            chmod +x bash-4.3.26-10.4u
    
            If you replaced /bin/bash (and/or /bin/sh) with the patch earlier today, DO NOT DO THE NEXT TWO COMMANDS. If you have not already replaced them, go ahead; these will put the old ones in a safe place, just in case.
    
            sudo mv /bin/bash /bin/bash_old (enter your password)
            sudo mv /bin/sh /bin/sh_old (enter your password if needed)
    
            Everybody does these:
    
            sudo cp bash-4.3.26-10.4u /bin/bash (enter your password if needed)
            sudo cp bash-4.3.26-10.4u /bin/sh (enter your password if needed)
    
        Test it stuck by trying the statements again:
    
        env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    
        It should print
    
        bash: warning: x: ignoring function definition attempt
        bash: error importing function definition for `x'
        this is a test
    
        Now, try the second one:
    
        env X='() { (a)=>\' sh -c "echo date"; cat echo
    
        It should print
    
        bash: X: line 1: syntax error near unexpected token `='
        bash: X: line 1: `'
        bash: error importing function definition for `X'
        date
        cat: echo: No such file or directory
    
        Restart your Mac as a paranoia to make sure everything is using the new copy of bash.
    
        Bask in the glow. Then, find a shell that doesn't suck.
     

    Attached Files:

  18. vlark macrumors member

    Joined:
    Mar 13, 2014
    #18
    The directions from the TenFourFox blog say "home directory". Is he talking about something in Unix, or just the base USER directory for an admin account, where all your Mac OS folder like documents, music, etc. are?
     
  19. roadbloc thread starter macrumors G3

    roadbloc

    Joined:
    Aug 24, 2009
    Location:
    UK
    #19
    Yes he is talking about the OS X user directory. The default place that Terminal (and Finder) opens to.

    /Users/<username>/

    :)
     
  20. vlark macrumors member

    Joined:
    Mar 13, 2014
    #20
    Ok, good to know! I'll try this later when I get home.
     
  21. 556fmjoe macrumors 65816

    556fmjoe

    Joined:
    Apr 19, 2014
    #21
    For most users' computers, it's something that should not be worried about, but should be fixed as soon as possible.

    For servers, it's something that should be worried about extensively and should be fixed immediately.

    Of course, you'd have to be utterly insane to connect a computer with 10.5 or earlier to the open internet in the first place. In any case, if you follow the guidelines in this thread or at TenFourFox, you'll have it fixed.
     
  22. Anonymous Freak macrumors 601

    Anonymous Freak

    Joined:
    Dec 12, 2002
    Location:
    Cascadia
    #22
    Exactly.

    Solution if you can't/won't compile the update yourself:
    1. Make sure your PPC system is connecting to the internet via a secure link (wired Ethernet or WPA WiFi, not WEP or open WiFi.)
    2. Ensure that your PPC system is connecting through a router with NAT and a Firewall.
    3. Ensure that your system is *NOT* configured as the "Default host", "DMZ", etc. within your router.
    4. Ensure that there are no ports being forwarded in your router to your PPC system.
    5. Disable all types of sharing on your PPC system other than those that you *MUST* have for your workflow. (At this point, your PPC system running an old version of OS X should *NOT* be a server.)
    - If possible, disable *ALL* sharing from the PPC side, and open shares on the other machine so your PPC connects TO the other machine, rather than the other machine connecting to your PPC.
    6. Disable "Remote Management".
    7. Turn on OS X's firewall, with maximum security that is usable for your setup.
    8. Enable "Stealth mode" in the OS X firewall.
    9. Block all incoming connections in the OS X firewall.

    Note, this is important for any PPC system that can access the internet. If you are using it on a purely-internal network with no internet connectivity, go ahead and do whatever you want.

    As I said after #5, you should not be using a PPC system running OS X as an internet-facing server. OS X 10.5 and earlier is missing many security updates that are vital on an internet-facing server.
     
  23. tom vilsack macrumors 68000

    tom vilsack

    Joined:
    Nov 20, 2010
    Location:
    ladner cdn
    #23
    Guess a good idea to do with my Tiger Ti powerbook...but isn't it already pretty open to security risks as having not been supported for years....
     
  24. 556fmjoe macrumors 65816

    556fmjoe

    Joined:
    Apr 19, 2014
    #24
    For an OS as old as that, the Bash vulnerability is probably relatively minor in the grand scheme of things, unless you are operating a server, have some system scripts that invoke Bash and use untrusted inputs from the internet, or allow remote SSH access.

    Still, it's fixable and not a huge amount of work, so it's worth fixing.
     
  25. robertdsc, Sep 26, 2014
    Last edited: Sep 26, 2014

    robertdsc macrumors regular

    robertdsc

    Joined:
    Jan 28, 2014
    #25
    I tried the TFF blog fix and messed up Terminal. I had to re-install Snow Leopard from scratch and re-import everything. Needless to say, I'm not going to mess with this on Tiger or Leopard.

    I hate command lines.
     

Share This Page