I tried the TFF blog fix and messed up Terminal. I had to re-install Snow Leopard from scratch and re-import everything. Needless to say, I'm not going to mess with this on Tiger or Leopard.

I hate command lines.

Messed up in what way? Did you run "exec tcsh" or some other non Bash shell before you started?
 
The TenFourFox Blog fix worked fine for me. I applied it to 5 Leopard machines and 1 Tiger partition.

My Debian 7.6 drive updated itself. That was nice.
 

I got to this step here:

sudo mv /bin/bash /bin/bash_old (enter your password)
sudo mv /bin/sh /bin/sh_old (enter your password if needed)

and forgot to add the bash_old part. I couldn't make sense of what the Terminal was trying to tell me. I quit and restarted, then got an error that said [Process Completed] and no way to enter any commands.

In response, I simply erased a spare drive that was already in the Mac and installed from scratch, then copied everything over.

I don't know much about command lines and this episode taught me to skip them entirely.
 


Everything in the system that uses Bash is hardcoded to look for the binary file titled "bash" in the /bin directory. Right now, that binary is the insecure version. What that step does is take your existing Bash binary and essentially rename it from "bash" to "bash_old". This is important because it ensures that the system no longer uses the old version. When you rename the new version from "bash-4.3.26.whatever" to "bash", you are ensuring that the updated version is used in place of the old one.

Now, you could skip that step and simply rename the updated "bash-4.3.26.whatever.it's.called" file to "bash" and it would overwrite your existing binary with the new one, but then you would have no backup. Doing it this way gives you a file you could always rename back from "bash_old" to "bash" and your system would then be using the old version again.
 
Exactly.
5. Disable all types of sharing on your PPC system other than those that you *MUST* have for your workflow. (At this point, your PPC system running an old version of OS X should *NOT* be a server.)
- If possible, disable *ALL* sharing from the PPC side, and open shares on the other machine so your PPC connects TO the other machine, rather than the other machine connecting to your PPC.

Note, this is important for any PPC system that can access the internet. If you are using it on a purely-internal network with no internet connectivity, go ahead and do whatever you want.

As I said after #5, you should not be using a PPC system running OS X as an internet-facing server. OS X 10.5 and earlier is missing many security updates that are vital on an internet-facing server.

I did the selective quote for effect. If you use your PPC for a music/video streamer that will never leave the security of your household, then you should be fine without the patch. If you use it for an intrAnet server (i.e. internal company webpage that will never leave the security of the company), then you're fine. If you use it for an outside web server, then do the update.

It looks like it all depends on what you use it for as to whether or not you need to patch it. And we have to patch it ourselves, since Apple told all of us users to go to iHell a few years back.
 

I wouldn't be comfortable leaving it unpatched on a moderate to large intranet. It's common for other computers on an intranet to get compromised, which then exposes everything inside the network to attacks. I've seen this on small and large business networks, plus university networks. Obviously, 10.5 and earlier are insecure in many other ways as well, so the concerns remain whether you patch Bash or not.

If it's a home intranet and you control every computer personally, it's easier to manage safely.
 

I don't feel very comfortable leaving it unpatched, period. But I do understand a lot of people shut down their brains the moment "go to the command line" comes up. If it's a step by step instruction like Kaiser used, then why not use the step by step? That makes it as simple as copy and paste.
 
While the steps posted above seem out of action at the moment, here's how you can build and replace your own. All you need is an internet connection and Xcode 3.1 or later to be installed. Just copy and paste the lines one at a time and you'll be all done. If at any point you get an error, stop and post the error. Failure to stop could lead to problems. Will work on 10.5.8 through 10.9.4.

Code:
cd /tmp/
mkdir bash-fix
cd bash-fix
curl -k https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
cd bash-92/bash-3.2
curl -k https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
cd ..
xcodebuild
sudo cp /bin/bash /bin/bash.old
sudo cp /bin/sh /bin/sh.old
build/Release/bash --version # GNU bash, version 3.2.52(1)-release
build/Release/sh --version   # GNU bash, version 3.2.52(1)-release
sudo cp build/Release/bash /bin
sudo cp build/Release/sh /bin
sudo chmod a-x /bin/bash.old /bin/sh.old

Tried on 10.6.8, and it works. Flawless.
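The backup-and-replace step explained earlier in the thread and the copy steps in the build instructions, combined into one guarded routine as an added example (not code from any poster or from the TenFourFox blog). `BIN_DIR`, `install_shell` and `parses_trailing_code` are hypothetical names, and `BIN_DIR` defaults to a scratch directory so the swap can be rehearsed before pointing it at /bin.

```shell
#!/bin/sh
# Added example (not from the thread). BIN_DIR is an assumption: it defaults to
# a scratch directory so the swap can be rehearsed; the real steps use /bin.
BIN_DIR=${BIN_DIR:-/tmp/shell-rehearsal}

# True (0) if the shell at $1 runs text placed after a function definition in
# an environment variable, i.e. it still has the behaviour the patch removes.
parses_trailing_code() {
    out=$(env x='() { :;}; echo LEAK' "$1" -c 'echo ok' 2>/dev/null)
    case $out in *LEAK*) return 0 ;; *) return 1 ;; esac
}

# install_shell NEW NAME: put NEW in place as $BIN_DIR/NAME, keeping NAME.old.
install_shell() {
    new=$1
    target=$BIN_DIR/$2
    mkdir -p "$BIN_DIR" || return 1
    # 1. Refuse a candidate that does not start or is still affected.
    "$new" --version >/dev/null 2>&1 || { echo "$new does not run" >&2; return 1; }
    if parses_trailing_code "$new"; then
        echo "$new still runs trailing code" >&2; return 1
    fi
    # 2. Back up once only, so a second run cannot overwrite the original.
    if [ -e "$target" ] && [ ! -e "$target.old" ]; then
        cp -p "$target" "$target.old" || return 1
    fi
    # 3. Copy next to the target, then rename over it: the name always exists.
    cp -p "$new" "$target.new" && mv -f "$target.new" "$target" || return 1
    # 4. Check the installed copy starts; if not, put the backup back.
    if ! "$target" --version >/dev/null 2>&1; then
        cp -p "$target.old" "$target" && chmod a+x "$target"
        return 1
    fi
    # 5. Keep the backup on disk but non-executable.
    if [ -e "$target.old" ]; then chmod a-x "$target.old"; fi
    return 0
}

# Usage: BIN_DIR=/tmp/try sh swap.sh build/Release/bash bash
if [ "$#" -eq 2 ]; then install_shell "$1" "$2"; fi
```

Because the new file is renamed over the old name rather than the old one being moved away first, there is no moment at which the shell Terminal launches is missing.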
 
Here's another goodie. I've packaged Cameron Kaiser's (Tenfourfox blog) compiled bash and sh into an Installer package. Just install it like a normal package. It also backs up your current bash and sh binaries, unless they've already been backed up. It will work on any 10.4 or higher system. It is provided as is and I am not responsible if it breaks your machine. I've installed it on my machines and everything is working correctly.
 
thanks for putting that together - appreciate the effort.

will run it on my iMac g5 over next day or 2.
 
You are a legend Intell.
 
Thank you very much!
 
Worked perfect on my pb Ti with Tiger...thank you!

osx-s-powerbook-g4:~ osx$ bash --version
GNU bash, version 4.3.26(2)-release (powerpc-apple-darwin8.11.0)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
 
I thought Apple said that this bug is not exposed if advanced bash thing is not enabled.
 
Apple basically said you need to be doing ninja tricks with the command line to really be vulnerable and they're working on a fix.

Apple has also told PowerPC users to go to iHell and get a new Mac that has every single little thing soldered onto the board.

So unless we patch it ourselves for PPC, we're not going to ever see a fix.
 
Those of you who have patched it ought to visit this site regularly and check the vulnerability tests: https://shellshocker.net/

They're up to 5 different CVEs and 5 separate tests to run. Also, new attack vectors are being discovered. Just keep an eye on it because it's quite possible you'll have to update Bash again soon.
 
Thank you Intell, much appreciated.
 
Has anyone tried using MacPorts to update bash as stated on this site:

https://shellshocker.net

Edit: tried and it fixed my mini on 10.9.5. Not sure about PPC. Will try tomorrow, maybe, if I have the time.
 
In all fairness, aside from the shellshock bug being discussed, I wouldn't worry too much about running your PPC Mac on the open internet. Most exploits are for Windows, and 99.99% of the ones that are left are for Intel Macs. Browse carefully and you should be fine.

Having said that, most people don't browse on the open internet, they browse behind some kind of router, which will have NAT addressing on it. Get this exploit patched using the methods outlined above and you'll be fine.
 