0

I want to update my Bash (and Sh) programs in my Mac OS X Snow Leopard (10.6.8), in light of the recent bugs to bash - Shellshock. I am purposely using 10.6.8, so I don't want to update to a newer version of OS X right now.

I have read this Q&A - How do I upgrade Bash in Mac OSX Mountain Lion and set it the correct path? but it doesn't work for me because I don't have [home?]brew (or Xcode, or any compiler, etc) installed. I'm just getting into doing programming on a Max OS X platform.

Btw, when I type brew update in terminal I get this output:

[489]$ brew update
-bash: brew: command not found

So, what steps (from scratch) do I need to do to be able to install a fixed version of bash for OS X 10.6.8?
Is it:

  1. Install XCode 3.2.6 (I'm currenlty downloading the 4.1 GB install file now)
  2. Install Homebrew (how though?)
  3. Follow steps in How do I upgrade Bash in Mac OSX Mountain Lion and set it the correct path? ?

Or, since I am using OS X 10.6.8, do I need to download Bash code from somewhere and compile it using XCode 3.2.6 (or 4.2 if I paid for it) and manually replace the /bin/bash and /bin/sh files?

Like I said, I am a new to all this on a Mac, but I do have [a bit out-of-date] programming experience.

Thanks.

C-K
  • 1
  • 1
  • 1

4 Answers4

2

Homebrew is a package management system for Mac. A lot of people use it to manage mysql, python, and (as you could have guessed) bash. What Homebrew does is simply install these packages and makes them available to the user. While some people do use it for bash, updating bash with Homebrew doesn't protect their entire system from shellshock (which my team tested and identified today).

What I would suggest you do is download XCode for your version of OS X, download the xcode command line utilities (by going to preferences -> downloads -> command line utilities) and then running this script I wrote. To be clear, this script is simply following the same steps outlined here, I just made it easier for the dev team to update.

You can copy this code into an executable bash script and run it using ./bash-fixer.sh

#!/bin/bash
# In all good conscience, I can not guarantee anything in this script. 
# I've tested it to the best of my ability, but please use at your own risk

    if [ "$EUID" -eq 0 ]; then
      echo "DO NOT RUN AS SUDO! Running as sudo will break the world and will make your computer very unhappy."
      echo "There are commands later that are appropriately sudo'd."
      exit 1
    fi

    xcode-select --version

    if [[ $? != 0 ]] ; then
      echo "You need to install the xcode stuff that makes magic. Let's try that together"
      xcode-select --install || echo "Something broke. Try running \"xcode-select --install\" manually" && exit 1
    fi

    cd ~/
    test=$( env x='() { :;}; echo vulnerable' bash -c 'echo hello' | wc -l )

    if [[ ${test} -lt 2 ]]; then
      echo "Your version of bash is up to date"
    else
      mkdir -p bash-fix
      cd bash-fix
      curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
      cd bash-92/bash-3.2
      for i in $(seq -f "%03g" 52 54); do
        curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-$i | patch -p0
      done
      cd ..

      xcodebuild
      sudo cp /bin/bash /bin/bash.old
      sudo cp /bin/sh /bin/sh.old

      echo
      echo
      echo "Current version of bash is $(build/Release/bash --version | head -1 | awk -F "version " '{ print $2 }')"
      echo "Current version of sh is $(build/Release/sh --version | head -1 | awk -F "version " '{ print $2 }' )"

      if [[ $(build/Release/bash --version) =~ "3.2.54(1)-release" && $(build/Release/sh --version) =~ "3.2.54(1)-release" ]]; then
        echo "So far so good. Let's do some more checks, because we like dilligence"
      else
        echo "The bash and shell versions are not showing up as being the most recent. Something is afoot!"
        exit 1
      fi

      if [[ "${test}" < 2 ]]; then
        echo "Your version of bash is up to date"
        exit 0
      else
        echo "Something went horribly wrong!"
        exit 1
      fi

      echo "Awesome. All checks have passed. Cleaning up, and removing executable privaleges from the old bash and sh, just in case"
      sudo cp build/Release/bash /bin
      sudo cp build/Release/sh /bin
      sudo chmod a-x /bin/bash.old /bin/sh.old

    fi

Let me know how you make out, and good luck!

paranoid
  • 415
  • 2
  • 5
  • Or, even better, Apple JUST released their patch, which can be found here: http://support.apple.com/kb/DL1769?viewlocale=en_US&locale=en_US – paranoid Sep 30 '14 at 01:21
  • Similar steps are shown in this article: http://www.macissues.com/2014/09/25/how-to-unofficially-fix-the-shell-shock-bash-vulnerability-in-os-x/ It worked just fine for me in Mac OS 10.6.8. Ran the vulnerability test to confirm that the change worked. – Robert Casey Oct 01 '14 at 17:19
  • bash-3.2 now has a few more patches: 052 through 057. Thus, change the "52 54" to "52 57" to get all the patches. The patches are plain text files, and you can personally inspect each one yourself by viewing each URL, for example https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-057 – Robert Munafo Nov 02 '14 at 04:33
2

You can also do it in all-terminal-style (Lion update package given):

# pkgutil --expand ~/BashUpdateLion.pkg ~/BashUpdate
# vi ~/BashUpdate/Distribution

edit the InstallationCheck and VolumeCheck functions to read like this:

function InstallationCheck(prefix) {
     return true;
}
function VolumeCheck(prefix) {
     return true;
}

and finally flatten it down to an installable package again

# pkgutil --flatten ~/BashUpdate ~/Desktop/BashUpdateModified.pkg
v86
  • 83
  • 7
1

Note that Apple released a set of official patch versions of Bash on 2014-09-29. However, the support only goes as far back as Lion, not back to Snow Leopard. So, you are still stuck with building and installing your own patched version on Snow Leopard.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2014-09-29-1 OS X bash Update 1.0

OS X bash Update 1.0 is now available and addresses the following:

Bash
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5,
OS X Mavericks v10.9.5
Impact: In certain configurations, a remote attacker may be able to execute arbitrary
shell commands
Description: An issue existed in Bash's parsing of environment variables. This issue was
addressed through improved environment variable parsing by better detecting the end of
the function statement.
This update also incorporated the suggested CVE-2014-7169 change, which resets the
parser state.
In addition, this update added a new namespace for exported functions by creating a
function decorator to prevent unintended header passthrough to Bash. The names of all
environment variables that introduce function definitions are required to have a
prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via
HTTP headers.
CVE-ID
CVE-2014-6271 : Stephane Chazelas
CVE-2014-7169 : Tavis Ormandy


OS X bash Update 1.0 may be obtained from the following webpages:
http://support.apple.com/kb/DL1767 – OS X Lion
http://support.apple.com/kb/DL1768 – OS X Mountain Lion
http://support.apple.com/kb/DL1769 – OS X Mavericks

To check that bash has been updated:

* Open Terminal
* Execute this command:
bash --version
* The version after applying this update will be:
OS X Mavericks:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)

iQIcBAEBAgAGBQJUKdToAAoJEBcWfLTuOo7t4QEP/jrigiLB9GYO5JIdVHSFPUtx
MBr4hAe90LnyAIuhxny1PgAC8BZCPv4otm6DQBQSlX1PxLv8TWm8yp5IKCKJP6ZN
Smm+OqJLLWwcTOVv345bi5W9dp2nyZVLjWxx9MUfn4YLxKrBJ3fKyHWIycD0WpbD
4kfXW1G1JGTtyUX6Ge2lnhbOiYBPxJN2TSX4qEmix3KLmEwCwsZVgbjzW2ijNO0O
3AaUkFIICAECMCE+VZj/fGFQaEmYaPzpt3Tjy+X2NdXL8E0hnui4ymfU0DyR39Oz
8DQpP499hISeXucdAEH6b2mMO2pOmuDs6FWTSS6talT8ftLUpTmWqv2Rghto5ZXN
b8RZpOp9RUwurZPMq66BjbHfidEaLjMPCVcfAnjO6HwBaKGQ5kM5+ThPA5/DLSL6
gGPa4t3qM/JdQAzm8da9m62vjWZ1BXzIlLSmxpIq/5bDMpBNiA783f+uuDUjpQ/N
3SkKNn2U47VsCLYaoSSmL6FUBLsInnNvwkVyNsnMiEjMVn/BtV5ogAYAc8SSvGM7
Mlx9OBKYork0bNuViPK09j/8te74tt6t38B+0lb4mG5m1r2CyI96f2uVBpKkqDlj
K6INwsDZKqtg1Y+6xtnJb9F3ZNZarzSxZa2C8qKaVCH11vLaXVPJJCrYspWnV8yI
DrlKtF9VhcfUGTKJiRNX
=ZVVk
-----END PGP SIGNATURE——
Jonathan Leffler
  • 730,956
  • 141
  • 904
  • 1,278
1

http://hacksagogo.wordpress.com/2014/10/02/shell-shock-os-x-bash-update-installer-for-snow-leopard/

Here’s for the crazy ones, the misfits, the trouble makers, the round pegs in the square holes. The ones who see things differently... and are still running Snow Leopard.

1.- Open bashUpdateLion.pkg in PackageMaker

2.- Goto project/raw editing mode and modify the functions “InstallationCheck” and “VolumeCheck” in the file “Distribution” to look like this:

function InstallationCheck(prefix) {
    return true; }

function VolumeCheck(prefix) {
    return true; }

3.- Hit “build” and choose a name for the installer package.

That’s all folks.

George Of The Jungle
  • 11
  • 2
  • My os: `Mac OSX 10.6.8`. Some further explantaion: 1) Go to wherever you downloaded `bashUpdateLion.dmg`, and double click on it. Then, right click on `bashUpdateLion.pkg` and choose `Open With>Other` and navigate to Macintosh HD>Developer>Applications>Utilities>PackageMaker, select it, then click the Open button. 3) After you Build and choose the name, you can either immediately open the installer (which wrongly(?) lists the original name).... – 7stud Jan 31 '15 at 22:12
  • ...or, you can close out PackageMaker (and don't save the changes), eject the volume(you'll see it open in Finder), navigate to your newly named .pkg file, and click on that (which also wrongly(?) lists the original name), and proceed with the install. – 7stud Jan 31 '15 at 22:13
  • After applying that update, my bash version, `$ bash --version`, changed from `GNU bash, version 3.2.48(1)-release (x86_64-apple-darwin10.0) Copyright (C) 2007 Free Software Foundation, Inc.` to `GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11) Copyright (C) 2007 Free Software Foundation, Inc.`. And after running the shellshock test: `$ curl https://shellshocker.net/shellshock_test.sh | bash`, I still had one vulnerability: `CVE-2014-7186 (redir_stack bug): VULNERABLE`, which can be tested in isolation like this... – 7stud Jan 31 '15 at 22:18
  • `$ bash -c 'true < – 7stud Jan 31 '15 at 22:19