Shell Shock OS X Bash Update Installer for Snow Leopard

So it seems that according to Tim, my white iMacs running Snow Leopard don’t deserve a fix for the shellshock bugs in their bash shells. I’d rather buy new iMacs, in his opinion. Well, I can’t do it just yet, I’m sorry. Instead I’ve opened the bashUpdateLion.pkg in PackageMaker and retouched the JavaScript file that checks the system versions. Now it doesn’t check anything anymore, it simply says “ok, fine, go ahead” 🙂

Here’s for the crazy ones, the misfits, the trouble makers, the round pegs in the square holes. The ones who see things differently:

The Missing Bash Update Installer For Snow Leopard:

bashUpdateSnowLeopard.pkg.zip

bashUpdateSnowLeopard.pkg

If it works for you, don’t hesitate to donate via PayPal to jorgechamorro@mac.com, and leave a comment here. Thank you!

Edit 1:

If you prefer to do it yourself: once opened in PackageMaker, go to project/raw editing mode and modify the functions “InstallationCheck” and “VolumeCheck” in the “Distribution” file to look like this:

[Screenshot 2: the modified “InstallationCheck” and “VolumeCheck” functions]

Then hit “build” and choose a name for the installer package. That’s all folks.

Edit 2:

For the do-it-yourself-ers:

PackageMaker can be downloaded here: https://developer.apple.com/downloads/index.action?name=packagemaker

bashUpdateLion.pkg can be downloaded here: http://support.apple.com/kb/DL1767

17 thoughts on “Shell Shock OS X Bash Update Installer for Snow Leopard”

  1. Pingback: ShellShock love for OS X - shawnkdev.ch

  2. John French

    Easy as pie! Thanks for the Bash Update Installer for Snow Leopard. Sent you a token via PayPal, which turned out to be the hardest part of the whole process. For the ease of those who follow me, I suggest you add a PayPal payment link on the web page. Might get a few extra coins that way. 🙂

    1. hacksagogo Post author

      My gut feeling is that it won’t work, and it’s not even a good idea to try. I guess that most Macs running 10.5 are very likely PowerPCs: it won’t work at all in a PowerPC because the /bin/bash executable in the installer has been compiled for Intel.

  3. Keith Rettig

    I tried to use this on my 10.5.8 machine. It successfully ran through its process. When I went to confirm through Terminal, I got the following:
    login: /bin/bash: Bad CPU type in executable
    Conveniently, I don’t do anything on this machine that uses the Terminal, so I am actually OK with it simply being broken (and presumably not vulnerable as a result). Any ideas as to why I am getting that response on opening Terminal? See any problem with it?

    PS. Works perfectly on my 10.6.8 machine.
    1. hacksagogo Post author

      I think that that was not a good idea 🙂 If I were you I’d try to restore /bin/bash and /bin/sh with Time Machine. There are lots of things that may break without a proper /bin/bash…
  4. Boris Starosta

    Hi Hacksagogo, I ran the installer you’ve made on my iMac running 10.6.8, and did the logout/login required. Then I poked around the web for a way to test the result. First I used a test found here: , but with an inconclusive result:

    Snow:~ mymac$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
    hello

    Dissatisfied, I looked further. On the page detailing bash fix for PowerPC macs (which I need to pursue next anyway, as I run several of those also with OSX 10.4.11, and one with OSX 10.5.?) I found separate tests for four vulnerabilities. Three of the tests were passed by my intel machine, but the fourth test is inconclusive to me, showing a result with the word “vulnerable” but otherwise unlike what web page instructions show:

    Snow:~ mymac$ bash --version
    GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)
    Copyright (C) 2007 Free Software Foundation, Inc.
    Snow:~ mymac$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    this is a test
    Snow:~ mymac$ env X='() { (a)=>\' sh -c "echo date"; cat echo
    date
    cat: echo: No such file or directory
    Snow:~ mymac$ env foo='() { echo not patched; }' bash -c foo
    bash: foo: command not found
    Snow:~ mymac$ bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "vulnerable"
    Segmentation fault
    vulnerable

    Would appreciate your comment on the above, and/or your own recommended tests. Again, the tests above are from a page for PowerPC bash shell updating. I assume the shell tests should be no different on intel machines, but I might be wrong.

    I will donate to you shortly, thanks for the resource!

    1. hacksagogo Post author

      Hi Boris,

      I’m afraid I’m not an expert in security… but based on what I see in the shellshock wikipedia page it seems that:

      CVE-2014-6271 is fixed:
      unibody:~ jorge$ env X='() { :;} ; echo CVE-2014-6271 VULNERABLE' bash -c 'echo DONE'
      DONE

      CVE-2014-7169 is fixed:
      unibody:~ jorge$ X='() { (a)=>\' bash -c "echo date"
      date
      unibody:~ jorge$ cat echo
      cat: echo: No such file or directory

      CVE-2014-7186 Is NOT fixed:
      unibody:~ jorge$ bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"
      Segmentation fault
      CVE-2014-7186 vulnerable, redir_stack

      CVE-2014-7187 **appears** to be fixed:
      unibody:~ jorge$ (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"
      unibody:~ jorge$

      CVE-2014-6277 and CVE-2014-6278: I don't know how to check these.

      But the wikipedia page says "Apple Inc. commented that […] Although notified of the vulnerability before it was made public, the company did not release a corresponding OS X update until 29 September, which, even then, did not fix all known vulnerabilities.", so it seems that Apple have yet to release further bugfixes soon.

      I've received your donation 🙂 Thank you!

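The four self-tests quoted in the comments above, gathered into one script that runs them against a chosen bash binary, uses a scratch directory for the file-creating test, and first confirms the binary executes at all. This is an added example, not part of the original post or of any comment; the `BASH_BIN` variable and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example: the four self-tests quoted in this thread, as functions.
# BASH_BIN (the binary under test) is a name chosen for this example.
BASH_BIN="${BASH_BIN:-/bin/bash}"

# CVE-2014-6271: code trailing an imported function definition gets executed.
check_6271() {
    out=$(env X='() { :;}; echo VULN' "$BASH_BIN" -c 'echo DONE' 2>/dev/null) || true
    case "$out" in *VULN*) echo vulnerable ;; *) echo fixed ;; esac
}

# CVE-2014-7169: a vulnerable bash creates a file named "echo" in the current
# directory, so the test runs in a scratch directory that is removed afterwards.
check_7169() {
    dir=$(mktemp -d) || return 1
    (cd "$dir" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date') >/dev/null 2>&1 || true
    if [ -e "$dir/echo" ]; then echo vulnerable; else echo fixed; fi
    rm -rf "$dir"
}

# CVE-2014-7186: 14 stacked here-documents; a crash means redir_stack overflowed.
check_7186() {
    if "$BASH_BIN" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1
    then echo fixed; else echo vulnerable; fi
}

# CVE-2014-7187: 200 nested for-loops on stdin; a crash means word_lineno overflowed.
check_7187() {
    if { i=1; while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$((i + 1)); done
         i=1; while [ "$i" -le 200 ]; do echo done; i=$((i + 1)); done
       } | "$BASH_BIN" >/dev/null 2>&1
    then echo fixed; else echo vulnerable; fi
}

shellshock_report() {
    # A binary that cannot run at all ("Bad CPU type in executable") prints
    # nothing, which check_6271 and check_7169 would misread as "fixed".
    if ! "$BASH_BIN" -c true >/dev/null 2>&1; then
        echo "$BASH_BIN: cannot execute"
        return 0
    fi
    for cve in 6271 7169 7186 7187; do
        echo "CVE-2014-$cve: $("check_$cve")"
    done
}

shellshock_report
```

Set `BASH_BIN` to test a binary other than `/bin/bash`; CVE-2014-6277 and CVE-2014-6278 are not covered, since the thread gives no test for them.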
  5. retroformat

    I forgot to give the URL of the page that I referenced, detailing updating bash via terminal on PPC macs, for OSX 10.4 through 10.5 (and actually higher OSX also):

    http://tenfourfox.blogspot.com/2014/09/bashing-bash-one-more-time-updated.html

    This page has links to an updated bash source (4.3.28-10.4u), gives direction on how to use terminal to test your existing bash, how to preserve it (moving it to a new directory), and how to install the new version, then test the result. (i.e. it gives you the unix commands to do all this – I’m a unix noob).

    I’ve now used terminal to update my iMac G4, iBook G4, quicksilver G4 running OSX 10.4 and 10.5 with good results (if the tests are to be believed).

    thanks!

  6. Scott

    Thank you, thank you, thank you!!!! I’d done the TenFourFox method initially and all was looking well, but after a few days realized I’d hosed an app I rely on not every day, but often. Your .pkg cleared it right back up.

  7. Rachel R. (@REReader)

    Thanks, this worked just fine. I first had to do a clean reinstall of Snow Leopard, but that was because of something corrupted in the system, not because of the patch! Once I did that, this worked, nothing else seems damaged (crosses fingers) and I am so glad not to have to manually patch the thing.

  8. Frank Shunkan

    I was trying to do a similar thing with RAWCameraUpdate4, since that won’t install under Snow Leopard. Since I am not familiar with PackageMaker in particular and coding in general I couldn’t get it to work.
    Do you have an idea or could you help? Cheers.
