04 Dec – Bash – OS X GNU Bash Installer for OS X 10.5 – OS X 10.10
This is an OS X GNU Bash installer for OS X 10.5 through OS X 10.10 that addresses the Bash vulnerability also known as Shellshock. Apple has released security updates for OS X Lion (version 10.7), OS X Mountain Lion (version 10.8) and OS X Mavericks (version 10.9), and newer OS X releases include an updated Bash that isn’t vulnerable to this exploit. We recommend using this installer on older, still-vulnerable operating systems such as OS X 10.5 and OS X 10.6 if you can’t upgrade to a newer operating system.
Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on September 24th, 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
Although Apple was notified of the vulnerability before it was made public, the company did not release a corresponding OS X update until September 29th, 2014, when OS X bash Update 1.0 was released. Updates are available for OS X Lion (version 10.7), OS X Mountain Lion (version 10.8) and OS X Mavericks (version 10.9), and newer OS X operating systems include an updated Bash that isn’t vulnerable to these exploits.
Before using this installer we recommend that you disable any services that might make you more susceptible to being exploited through these bash vulnerabilities.
This includes disabling SSH and Apache HTTP servers that use CGI scripts (via mod_cgi and mod_cgid), and enabling the software firewall.
We recommend that you evaluate your exposure to the bash vulnerabilities and consider installing Apple’s official “OS X bash Update” rather than this custom GNU source update. If you are running an older version of OS X like OS X 10.5 or OS X 10.6, evaluate your need to run that version and consider upgrading, if possible, to a newer version that has security updates addressing the Bash exploit, or to a newer operating system that includes the newer version of Bash.
We have tested this installer and these bash versions on OS X 10.5 – 10.10 and have it in production on approximately 800 OS X 10.9.x computers, but this installer and software are supplied as is, without expressed or implied warranties of any kind. We can’t guarantee it will work in all environments and strongly recommend thoroughly testing the installer and software before distributing them to multiple computers in your environment.
You can run this installer on OS X 10.5 “Leopard” through OS X 10.10 “Yosemite”.
After launching the installer you will see the “Introduction” dialog window:
Then click the “Continue” button and next you will see the “Read Me” dialog window, which gives details about the installer, bash software & vulnerabilities, troubleshooting and support.
You can save the “Read Me” for future reference by clicking the “Save…” button.
Select a Destination
Next click the “Continue” button and you will see the following dialog window:
This allows you to install on available volumes like a non-startup disk.
Next click the “Continue” button and you will see the following dialog window:
Then click the “Install” button; you will be prompted to enter an administrative username and password.
Administrative privileges are required because this installer modifies and installs software in a location of the file system that needs to be protected from standard users.
If installation was successful you will see the following dialog window:
If you want detailed logs on installation, select the “Installer Log” command from the “Window” menu.
This will display details of the installation, with view options like “show errors”, “show errors and progress” and “show all logs”.
Or, if you want to review the installation package before installing, you can use a tool like Pacifist, which will let you review the package contents and installer resources like preinstall and other scripts.
The new bash software will be installed:
    ls -al /bin/bash /bin/sh
    -r-xr-xr-x  1 root  wheel  3852304 Oct  3 10:32 /bin/bash
    -r-xr-xr-x  1 root  wheel  3848064 Oct  3 10:31 /bin/sh
You can verify the installation by running the following command(s):
    # /bin/bash --version
    GNU bash, version 3.2.56(1)-release (x86_64-apple-darwin9)
    Copyright (C) 2007 Free Software Foundation, Inc.

    # /bin/sh --version
    GNU bash, version 3.2.56(1)-release (x86_64-apple-darwin9)
    Copyright (C) 2007 Free Software Foundation, Inc.
The installer will back up your current “bash” and “sh” files.
    # ls -al /bin/*.old.*
    -r--r--r--  1 root  wheel  3852328 Oct  3 13:54 /bin/bash.old.3.2.55
    -r--r--r--  1 root  wheel  3852184 Oct  3 13:54 /bin/sh.old.3.2.55
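The version check above only confirms what the binary reports about itself. As an added example (not part of the installer or its readme), the following POSIX shell script wraps that check in reusable functions: one extracts the version a bash binary reports and compares it numerically against a minimum, and one runs the local self-test for the function-import flaw described in the patch notes further down, which a patched bash passes by not executing the text that follows an imported function body. The path in BASH_BIN and the minimum version 3.2.57 are assumptions taken from this page's installer.

```sh
#!/bin/sh
# Added example, not part of the installer: post-install checks for a bash
# binary on the local machine. BASH_BIN and MIN_VERSION are assumptions
# (the installer on this page ships GNU bash 3.2.57).
BASH_BIN="${BASH_BIN:-/bin/bash}"
MIN_VERSION="${MIN_VERSION:-3.2.57}"

# Print the dotted version (e.g. 3.2.57) that "$1 --version" reports; prints
# nothing if the binary is missing or is not GNU bash.
bash_version() {
    "$1" --version 2>/dev/null |
        sed -n 's/^GNU bash, version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if dotted version $1 is greater than or equal to $2, comparing
# component by component as numbers (so 3.2.57 >= 3.2.7, 3.10.0 >= 3.9.9).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Local self-test for the function-import flaw: a function definition with
# extra text after its body is placed in the environment of the bash under
# test. A patched bash defines the function and ignores the trailing text,
# so nothing is printed; an unpatched one prints the marker. Returns 0 when
# the binary is patched (or is not bash at all and ignores the variable).
shellshock_self_test() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'true' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Combine both checks; returns 0 only when the version is at least
# MIN_VERSION and the self-test passes.
check_bash() {
    ver=$(bash_version "$1")
    [ -n "$ver" ] || { echo "$1: not GNU bash or not found" >&2; return 2; }
    version_ge "$ver" "$MIN_VERSION" ||
        { echo "$1: version $ver is older than $MIN_VERSION" >&2; return 1; }
    shellshock_self_test "$1" ||
        { echo "$1: still executes trailing text of imported functions" >&2; return 1; }
    echo "$1: version $ver, function-import self-test passed"
}

check_bash "$BASH_BIN" || :
```

Run it as `BASH_BIN=/bin/sh sh check-bash.sh` to check the second binary the installer replaces; the script exits 0 only when both checks pass, so it can be used as a compliance check from a management tool.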
Checksums computed on the content of downloaded files are a way to verify that the content is authentic and has neither been altered by an unauthorized third party, nor been damaged during the transfer process across the Internet. Apple recommends the use of the so-called SHA1 standard (Secure Hash Algorithm Version 1).
For more information please also refer to Apple Support Article HT1652.
Here are the SHA1 checksums for the bash files:
- OS X 10.5-10.10 – bash version 3.2.57
- OS X 10.5-10.10 – sh version 3.2.57
To verify the checksums, compile your own version of the bash files and then run the following commands:
    shasum -a 256 /path/to/bash
    shasum -a 256 /path/to/sh
Then compare your compiled checksums with the installer’s checksums.
Here is the SHA1 checksum for the installer:
- OS X 10.5-10.10 GNU Bash 3.2.57.pkg
Use it to check the checksum of the version you downloaded.
Compiling Bash on OS X
To compile your own universal bash version that runs on 32/64-bit, PowerPC and Intel architectures, you will need to use a version of OS X and Xcode that supports these architecture flags. We are using Mac OS X 10.5 and Xcode 3.1.4 to compile a universal bash version.
Download Xcode from the Apple Developer site:
Download and unpack bash from Apple:
    curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
Change directory to the downloaded Bash folder:
Download GNU Patches
Download the patch files from gnu.org and apply them in order. Start with bash32-052 (the first listed here) and then apply the subsequent patches sequentially, if available:
    curl http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
    curl http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
    curl http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 | patch -p0
    curl http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-055 | patch -p0
Set Architectures to "32/64-bit Universal"
Go up one directory and then build the patched version:
    cd ..
    xcodebuild
Or use the Xcode GUI build option.
Next, output the checksum of your compiled bash and compare it against this installer’s files.
To output the checksums for your files, run the following commands:
    shasum -a 256 /path/to/build/Release/bash
    shasum -a 256 /path/to/build/Release/sh
Install Compiled Versions
If you want to install your compiled versions, do the following:
Back up the current bash and sh files:
    sudo cp /bin/bash /bin/bash.bak
    sudo cp /bin/sh /bin/sh.bak
Replace them with the new bash and sh files:
    sudo cp /path/to/compiled/build/bash /bin
    sudo cp /path/to/compiled/build/sh /bin
Remove the execute bit on the backup versions:
    sudo chmod a-x /bin/bash.bak /bin/sh.bak
If you have problems with this installer, you can downgrade your “bash” and “sh” files to the previous versions.
Follow these steps:
Replace the current files with the backup files:
    sudo cp /bin/bash.old.[version] /bin/bash
    sudo cp /bin/sh.old.[version] /bin/sh
Enable execute permissions (the backups were made non-executable, so this uses a+x):
    sudo chmod a+x /bin/bash
    sudo chmod a+x /bin/sh
Test the restored files:
    /bin/bash --version
    /bin/sh --version
For example, you should see output like the following:
    $ /bin/bash --version
    GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
    Copyright (C) 2007 Free Software Foundation, Inc.
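The install and downgrade procedures above are the same three moves: back up the live binary with its execute bits cleared, copy the new one into place, and on rollback restore the backup and re-enable execution. As an added example (not the installer's own scripts), the POSIX shell script below turns them into functions and exercises them on a scratch directory with constructed stub shells, so nothing under /bin is touched. The `.old.<version>` backup suffix follows the installer's naming from the listing above; the stub shells only print a version string.

```sh
#!/bin/sh
# Added example, not part of the installer: backup / replace / rollback of a
# shell binary as functions, run against a scratch directory that stands in
# for /bin. The "bash" files created below are constructed stubs.

# Back up live binary $1 to $2 and clear its execute bits, so the old
# (vulnerable) copy is kept for rollback but cannot be run by mistake.
backup_binary() {
    cp -p "$1" "$2" && chmod a-x "$2"
}

# Replace live binary $2 with $1. The current file is saved first as
# $2.old.$3 (the installer's naming, e.g. bash.old.3.2.55) and the new file
# gets the r-xr-xr-x mode shown in the page's listing. cp -f is needed
# because the live file is not writable.
install_binary() {
    new=$1; live=$2; old_version=$3
    backup_binary "$live" "$live.old.$old_version" || return 1
    cp -f "$new" "$live" && chmod 0555 "$live"
}

# Downgrade: copy the .old.<version> backup back and re-enable execute
# permission with a+x (a-x would leave the shell unusable).
rollback_binary() {
    live=$1; old_version=$2
    [ -f "$live.old.$old_version" ] || return 1
    cp -f "$live.old.$old_version" "$live" && chmod a+x "$live"
}

# Print the dotted version that "$1 --version" reports.
reported_version() {
    "$1" --version 2>/dev/null |
        sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

is_executable() { [ -x "$1" ]; }

# --- Constructed sandbox: scratch directory with stub shells ----------------
BIN_DIR=$(mktemp -d)
trap 'rm -rf "$BIN_DIR"' EXIT

make_stub_shell() {   # $1 = path, $2 = version string the stub reports
    printf '#!/bin/sh\necho "GNU bash, version %s(1)-release (stub)"\n' "$2" > "$1"
    chmod 0555 "$1"
}
make_stub_shell "$BIN_DIR/bash" 3.2.51            # the currently installed shell
make_stub_shell "$BIN_DIR/bash.compiled" 3.2.57   # the freshly compiled one

install_binary "$BIN_DIR/bash.compiled" "$BIN_DIR/bash" 3.2.51
echo "after install:  $(reported_version "$BIN_DIR/bash")"
ls -l "$BIN_DIR"
```

To roll back in the sandbox, call `rollback_binary "$BIN_DIR/bash" 3.2.51`; on a real system the same functions would be pointed at /bin and run with sudo, which is why the example keeps them separate from the sandbox setup.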
How to Distribute Installer/Software?
There are multiple options for distributing this installer and included software:
If you have few OS X computers, you can manually transfer and run the installer.
Apple Remote Desktop
If you have more than a few OS X computers and aren’t using a managed software distribution system (see below), you can use a remote management solution like Apple Remote Desktop, whose “Install Packages” feature lets you run this install package remotely and quickly.
The downside of using Apple Remote Desktop is that the OS X computers need to be online, and if users are off-network there may be conflicts with the required open ports and off-network firewall/DMZ support and access.
Managed Software Distribution
There are many managed software distribution solutions available for OS X, including commercial, free and open source ones. If you are looking to automate software distribution and have too many clients, or are too busy and want to save time, I would recommend investigating the solutions listed below:
- Absolute Manage <http://www.absolute.com> (Commercial)
- Apple Remote Desktop <https://www.apple.com/remotedesktop/> (Commercial)
- Casper Suite <http://www.jamfsoftware.com/products/casper-suite/> (Commercial)
- DeployStudio <http://www.deploystudio.com/Home.html> (Free)
- FileWave <http://www.filewave.com> (Commercial)
- Kace <http://www.kace.com> (Commercial)
- Munki <https://github.com/munki/munki> (Open Source)
- Puppet <http://puppetlabs.com> (Commercial/Open Source)
- Radmind <http://rsug.itd.umich.edu/software/radmind/> (Open Source)
- System Center Configuration Manager [SCCM] <http://www.microsoft.com/systemcenter> (Commercial)
If you have suggestions for other solutions to add to this list, please let us know.
- GNU bash 3.2.57 Patch
A combination of nested command substitutions and function importing from the environment can cause bash to execute code appearing in the environment variable value following the function definition.
- GNU bash 3.2.56 Patch
When bash is parsing a function definition that contains a here-document delimited by end-of-file (or end-of-string), it leaves the closing delimiter uninitialized. This can result in an invalid memory access when the parsed function is later copied.
- GNU bash 3.2.55 Patch
There are two local buffer overflows in parse.y that can cause the shell to dump core when given many here-documents attached to a single command or many nested loops.
Initial installer release for GNU Bash 3.2.55 Patch
Installer updated with GNU Bash 3.2.56 Patch
Installer updated with GNU Bash 3.2.57 Patch
Modified the package identifier to a generic format (i.e. edu.lib.utah.pkg.OSX10.5-10.10GNUBash), and the installer version will match the GNU Bash version (i.e. 3.2.57), for better compatibility with enterprise management software like autopkg, Absolute Manage, Casper Suite, Filewave, munki, etc.
Installer package signed for better compatibility with the OS X Gatekeeper feature on Mac OS X 10.7.5 “Lion” or higher.
Minor corrections & updates to installer readme.
Can’t Run Installer via Network Volume
Currently, you can’t run the installer directly from a network volume; you will get the following error.
This is a limitation of the Apple Installer.app. The workaround is to copy the package to a local volume and try installing again.
Use the link below to download the installer for OS X GNU Universal Bash version 3.2.57.