While the steps posted above seem out of action at the moment, here's how you can build and replace your own. All you need is an internet connection and Xcode 3.1 or later to be installed. Just copy and paste the lines one at a time and you'll be all done. If at any point you get an error, stop and post the error. Failure to stop could lead to problems. Will work on 10.5.8 through 10.9.4.

Code:
cd /tmp/
mkdir bash-fix
cd bash-fix
curl -k https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
cd bash-92/bash-3.2
curl -k https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
cd ..
xcodebuild
sudo cp /bin/bash /bin/bash.old
sudo cp /bin/sh /bin/sh.old
build/Release/bash --version # GNU bash, version 3.2.52(1)-release
build/Release/sh --version   # GNU bash, version 3.2.52(1)-release
sudo cp build/Release/bash /bin
sudo cp build/Release/sh /bin
sudo chmod a-x /bin/bash.old /bin/sh.old

Thank you for saving my PB G4.
 
I know this is crazy, but is it possible to compile a version for Panther?
 
Yes, however you would have to do that yourself.

So what would the steps be to do that for 10.3.9, assuming I installed Xcode with the 10.3.9 sdk?

----------

Yes, however you would have to do that yourself.

And it seems Cameron posted a NEW version of bash, too, to 4.3.28. Will you be updating your installer late tonight or tomorrow?
 
The needed steps are similar to those for manually patching Apple's bash, but with the proper patches and for Panther. I am unable to outline how to do that. I will be updating my Installer package later tonight for the new version.
 
Don't use those instructions, they are outdated and only patch one hole. Use the latest Installer package in post #55 to patch more exploits.

Thank you, Intell! I originally followed the steps in your blog but I then used the installer package you mentioned. Your instructions in the blog are very helpful.
 
I am not affiliated with the Tenfourfox blog. However thank you for the comments about the Installer package.
 
Here is the latest bash and sh from the Tenfourfox blog packaged as an Installer package. Just install over any previous ones. As before, use at your own risk.
 
Here is the latest bash and sh from the Tenfourfox blog packaged as an Installer package. Just install over any previous ones. As before, use at your own risk.

I am immensely grateful that someone put things in package installer form, but it might be nice to give it a name so we can follow versions, such as "Bash 4.3.27(4) Patch"
 
I am immensely grateful that someone put things in package installer form, but it might be nice to give it a name so we can follow versions, such as "Bash 4.3.27(4) Patch"

The names are included in the Installer package and are shown at the first screen of the package. The current included version is 4.3.28(4).
 
The names are included in the Installer package and are shown at the first screen of the package. The current included version is 4.3.28(4).

Not meaning to be a killjoy, but this way a user needs to download the package and start installation to determine if it is needed. It merits repeating how indebted we are to have such an installer available; I run an old Power Mac at home, and it continues to serve me well.
 
Here is the latest bash and sh from the Tenfourfox blog packaged as an Installer package. Just install over any previous ones. As before, use at your own risk.

Thanks Intell. I ran your installer and got these results when I entered shellshocker.net's "curl https://shellshocker.net/shellshock_test.sh | bash" command into terminal.

_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
101 2533 101 2533 0 0 609 0 0:00:04 0:00:04 --:--:-- 12539
CVE-2014-6271 (original shellshock): not vulnerable
bash: line 16: 2750 Bus error bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable

I also entered "env x='() { :;}; echo vulnerable' bash -c 'echo hello'" command and got vulnerable in the reply. Any suggestions?
 
I don't compile it. You'll have to notify Tenfourfox.blogspot.com. He'll recompile an updated version, at which time I'll repackage it. It is stated here: http://tenfourfox.blogspot.com/2014/09/bashing-bash-one-more-time-updated.html that the version he provided and that in the Installer package is not vulnerable to CVE-2014-6277. When I try "env x='() { :;}; echo vulnerable' bash -c 'echo hello'" on my system with the same bash, I do not get vulnerable. Make sure you restart your machine.
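
The `env x=... bash -c` probe quoted in this thread runs whichever `bash` comes first in `PATH`, which is not necessarily the `/bin/bash` or `/bin/sh` that was replaced. As an added example (not from any poster in the thread; the function names `check_shell` and `report_shells` are hypothetical), this runs the same CVE-2014-6271 probe against each shell binary by absolute path:

```shell
#!/bin/sh
# Added example: apply the thread's CVE-2014-6271 probe to specific
# shell binaries instead of whatever "bash" resolves to in PATH.

# check_shell PATH
# Prints "not vulnerable", "VULNERABLE", "missing" or "no output".
# Returns 0 only when the binary ran and ignored the trailing command.
check_shell() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "missing"
        return 2
    fi
    # Same probe as in the thread: a function definition in the environment
    # followed by a trailing command. A patched shell ignores the trailer.
    out=$(env x='() { :;}; echo vulnerable' "$shell_path" -c 'echo hello' 2>/dev/null) || true
    case $out in
        *vulnerable*) echo "VULNERABLE"; return 1 ;;
        *hello*)      echo "not vulnerable"; return 0 ;;
        *)            echo "no output"; return 2 ;;
    esac
}

# report_shells PATH...
# Prints one tab-separated line per binary (path, result, version banner)
# and returns 1 if any of them is vulnerable.
report_shells() {
    rc=0
    for p in "$@"; do
        if ! result=$(check_shell "$p"); then
            if [ "$result" = "VULNERABLE" ]; then rc=1; fi
        fi
        ver=$("$p" --version 2>/dev/null | head -n 1)
        printf '%s\t%s\t%s\n' "$p" "$result" "${ver:-unknown version}"
    done
    return $rc
}

# Check the system shells and the bash that PATH currently resolves to.
report_shells /bin/bash /bin/sh "$(command -v bash)"
```

This covers only the original CVE-2014-6271 probe quoted in the thread, not the later CVEs listed in the shellshocker.net output.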
 
It is stated here: http://tenfourfox.blogspot.com/2014/09/bashing-bash-one-more-time-updated.html that the version he provided and that in the Installer package is not vulnerable to CVE-2014-6277. When I try "env x='() { :;}; echo vulnerable' bash -c 'echo hello'" on my system with the same bash, I do not get vulnerable. Make sure you restart your machine.

Rebooted and ran the 2nd command without a problem, thanks. You posted earlier that your installer "backs up your current bash and sh binaries." How do I find & revert to the original configuration, if possible? I'm thinking of trying tenfourfox's fix to see if I can remedy the CVE-2014-6277 vulnerability and figure I should have my original setup, does that sound like a good plan?
 
The fix on the tenfourfox blog is no different than the files provided in the Installer. To revert back to the stock Apple bash and sh, run the following commands in Terminal:
Code:
sudo cp /bin/sh_old /bin/sh
sudo cp /bin/bash_old /bin/bash
 
The fix on the tenfourfox blog is no different than the files provided in the Installer.

Ok, I'll wait for your update then. I'm not sure what to say I did/used (your installer) to tenfourfox since they're reporting it's not vulnerable to CVE-2014-6277. Thanks for your help btw.
 
To revert back to the stock Apple bash and sh, run the following commands in Terminal:
Code:
sudo cp /bin/sh_old /bin/sh
sudo cp /bin/bash_old /bin/bash

Not being that comfortable with terminal... should I enter those commands one at a time or copy and paste the entire text? I got an ominous terminal message warning about data loss when I pasted it either way so I aborted. I'd like to revert to my original and make a copy before I mess with it anymore but I'm not sure where it's located, or even what it's called. I believe it's "bash," I'm after but am not sure where my original is located. In the bin folder there's a bash (modified 10.1.2014) and a bash_old (modified 6.24.2010). I don't see anything modified today, 10.6.2014. Thanks...
 
Not being that comfortable with terminal... should I enter those commands one at a time or copy and paste the entire text? I got an ominous terminal message about data loss when I pasted it either way so I aborted. I'd like to revert to my original and make a copy before I mess with it anymore but I'm not sure where it's located, or even what it's called to search for "it." thanks...

One at a time.

The first command will take the file named "sh_old" in the /bin directory and make a copy of it called "sh", also in the /bin directory. The second command will take the file "bash_old" and make a copy called "bash", also both in the /bin directory. If there are any existing files named "sh" and "bash" in /bin, this will overwrite them.

Since the operating system knows that the files "sh" and "bash" in the /bin directory are your shell binaries, this effectively restores your original version of the binaries, assuming you had copied them as "sh_old" and "bash_old".

If you backed them up with a different name, replace "sh_old" and "bash_old" in the commands with whatever you named the backup versions.
 
Only use the above commands to revert. Using Finder or any other command will cause problems as it may not properly set the permissions.
 
Only use the above commands to revert. Using Finder or any other command will cause problems as it may not properly set the permissions.

Ok, I entered both commands separately and saw the changes apply in the bin folder. I rebooted and still see bash and bash_old as well as sh and sh_old in the bin folder. Should I/can I delete both bash_old and sh_old now that they're overwritten? Looking at time machine backups I only have one copy of both files.

What is the safe way of making copies of them and where should I store the copies now that they're restored?

ps thanks so much
 
Ok, I entered both commands separately and saw the changes apply in the bin folder. I rebooted and still see bash and bash_old as well as sh and sh_old in the bin folder. Should I/can I delete both bash_old and sh_old now that they're overwritten? Looking at time machine backups I only have one copy of both files.

Keep them unless you aren't going to update Bash. It's good to have those backup copies sitting there in case you need to revert to them again.

Even if you don't plan to update Bash at all, it doesn't hurt anything to have them there.
 