apple

Fix for Shell Shock on OS X 10.5 Leopard

The Shell Shock bash vulnerability that has been doing the rounds lately will never be patched on OS X Leopard as it is simply too old. Luckily Matt White has posted a fix for Debian Lenny and as Leopard and Lenny use the same version of Bash (3.2) the same fix can be applied. I've tweaked his update script for Os X (as by default there is no "wget" or "seq" (sequence) so simply download it from here, mark it executable (chmod +x) and run it to upgrade the version installed to 3.2.54 which includes the needed patch. Your old version will be saved as /bin/bash.broken and the new version will be installed into /usr/local/bin/bash and a symlink created from /bin/bash to it Updated: The script now simply overwrites the old version as having it hanging around could be considered dangerous. If you want to keep a copy then you'll need to manually copy it somewhere safe (eg /var/root/). The script also now removes /bin/sh and creates a symlink to /bin/bash. Once installed simply log out and back in again and you'll be using the new version, and any CGI-BIN scripts you use will also be safe (well, at least from that bug!).

Happy patching and let's hope that it is a long time before a vulnerability like that crops up again.

UPDATE: A few people have asked if they can have a copy of the binary as they don't have the build tools installed. The latest version can be downloaded from here (PPC ONLY! I don't have an Intel install of 10.5 sorry), once downloaded you'll need to mark it executable and copy it to /bin/bash

UPDATE 2: I've just had pointed out to me that /bin/sh on Leopard is actually a copy of /bin/bash, not a symlink so calling /bin/sh will still leave your system vulnerable. To get around this either copy /bin/bash to /bin/sh or better yet symlink /bin/bash to /bin/sh so updates to bash will also result in /bin/sh being updated. Finally, I've changed the script to simply replace /bin/bash rather than install into /usr/local/bin/bash and symlink.

UPDATE 3: And another patch is out - binary has been updated and is available here or for those with the build tools installed you can compile from source using this script. Hopefully this is the last for a while as it addresses all currently outstanding CVEs.

---

• blog
• linux
• apple
• windows
• mobile
• contact me

• Howtos:

• xserve g5
• PowerBook

• Archive

• September 2022 (1)
• December 2020 (1)
• December 2014 (1)
• September 2014 (2)
• September 2013 (1)
• July 2013 (3)
• March 2013 (1)
• November 2012 (2)
• October 2012 (3)
• September 2012 (1)
• July 2012 (1)
• June 2012 (1)
• March 2012 (1)
• February 2012 (1)
• September 2011 (1)
• August 2011 (1)
• March 2011 (1)
• February 2011 (1)
• January 2011 (1)
• November 2010 (1)

Copyright © 2022 Andrew Holmes. Powered by BlazeBlogger running on Hiawatha. Huzzah!