The 'Bash Bug' and PPC

[Intell]

Keep them there, but you really should be using an up to date version of bash and sh.

 

[jason.j]

Keep them unless you aren't going to update Bash. It's good to have those backup copies sitting there in case you need to revert to them again.

Even if you don't plan to update Bash at all, it doesn't hurt anything to have them there.

Thanks, what is a safe way of backing up the files so I don't mess up permissions if/when I do update Bash?

 

[MysticCow]

Thanks, what is a safe way of backing up the files so I don't mess up permissions if/when I do update Bash?

The best way is, most likely, to use the installer Intell posted. That includes 10.4, 10.5, and 10.6 Macs, because Apple has told all of them essentially to go to iHell.

NOTE: I did not say PPC can run 10.6, so don't start.

 

[2984839]

Thanks, what is a safe way of backing up the files so I don't mess up permissions if/when I do update Bash?

Just keep the "bash_old" and "sh_old" files where they are. Their permissions should already be correct. If at any point you need to revert to the old versions of bash and sh, repeat the 2 commands in post #93 of this thread.

 

[Intell]

The _old files do not have the correct permissions, for sake of security. They have been rendered executable by the Installer package. That is why simply deleting the 4.3 bash and replacing it with the _old will lead to a broken system. Using the cp command copies the _old files over the newer ones while keeping the proper permissions.

 

[jason.j]

Keep them there, but you really should be using an up to date version of bash and sh.

Since tenfourfox is reporting it's not vulnerable to CVE-2014-6277 but after installing your bash patch, which you recompile from tenfourfox, I still got a message saying I was vulnerable I'm not sure how to proceed?

If I post a comment re: the vulnerability at tenfourfox's website, what shall I refer to your bash patch as, they'll want to know what I used before they recompile an updated version?

 

[Intell]

I didn't recompile anything. I only packaged it. The bash from Tenfourfox is the same bash my installer patches. It's how the vulnerability works that makes is fail the test, but not work in actual exploitation of the vulnerability. Read about it here: http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html

 

[jason.j]

I didn't recompile anything. I only packaged it. The bash from Tenfourfox is the same bash my installer patches. It's how the vulnerability works that makes is fail the test, but not work in actual exploitation of the vulnerability. Read about it here: http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html

My mistake on the terminology. I'll re-run your installer since I trashed the old_ files. I'd just started reading the blog your referenced after visiting tenfourfox's website. Thanks Intell.

 

[Intell]

Those _old files are the only copies of Apple's stock bash and sh. My Installer package does not contain them. If you trashed them, then rerun the Installer, it will back up the current Tenfourfox versions as _old files. That's why it is best that you do not touch those files.

 

[jason.j]

Those _old files are the only copies of Apple's stock bash and sh. My Installer package does not contain them. If you trashed them, then rerun the Installer, it will back up the current Tenfourfox versions as _old files. That's why it is best that you do not touch those files.

Would it be best to reinstall my OS then run your installer since I messed this up? I did place copies of the _old files in another folder before I trashed them and I have time machine backups if they're of any use.

 

[Intell]

You can restore them from a Time Machine backup. But there isn't much need to put them back if the updated versions are working correctly.

 

[jason.j]

You can restore them from a Time Machine backup. But there isn't much need to put them back if the updated versions are working correctly.

I'll restore my bash, not bin, and sh files from a time machine backup before I ran the installer the first time then re-run it and be done, does that sound like a good plan?

 

[Intell]

That would work.

 

[jason.j]

That would work.

Thanks Intell!

 

[EllenK]

Intell - Thank you so much. I searched for an installer for days before being referred to this thread. I ran your installer on 2 Macs running 10.6.8 and everything is great; I'm eternally grateful. [I too get test results saying that CVE-2014-6277 is vulnerable, but I will ignore them.]

 

[Intell]

You're welcome. Nice to see some older 10.6 Macs still kicking around.

 

[vlark]

Thanks for all your work on this, Intell!

There's a new version of bash posted over at the TenFourFox blog. Anyway we can get an updated installer?

 

[Intell]

I'll be posting the repackaged 4.3.30 bash within a few hours.

 

[vlark]

I'll be posting the repackaged 4.3.30 bash within a few hours.

You.Are.The.Man!

 

[Intell]

Here's the newest version, bash 4.3.30(5) from the Tenfourfox blog packaged as an Installer package. Just install it over any of the previously installed bash patch packages.

 

[shiekh]

Beyond wonderful; I have a G5 PowerMac that I use for day to day work at home, and this makes the investment worthwhile.

 

[jason.j]

Here's the newest version, bash 4.3.30(5) from the Tenfourfox blog packaged as an Installer package. Just install it over any of the previously installed bash patch packages.

Thanks Intell

 

[MysticCow]

Here's the newest version, bash 4.3.30(5) from the Tenfourfox blog packaged as an Installer package. Just install it over any of the previously installed bash patch packages.

Intell, you are AMAZING!!!! Thank you so much for helping us keep our PPC's safe.

 

[Intell]

You're welcome.

 

[MysticCow]

You're welcome.

Is this the "last" one or are there more bash bugs on the horizon that need a new new new new new new new new new new new new version?