Bash – OS X GNU Bash Installer OS X 10.5 – OS X 10.10

Bash – OS X GNU Bash Installer OS X 10.5 – OS X 10.10

os x yosemite, gatekeeper, bash logos

Overview


This is a OS X GNU Bash Installer for OS X 10.5 to OS X 10.10 that addresses the Bash vulnerability, also know as Shellshock. Since Apple has released security updates for OS X Lion (version 10.7), OS X Mountain Lion (version 10.8) and OS X Mavericks (version 10.9) and newer OS X operating systems include an updated Bash that isn’t vulnerable to this exploit. We recommend using this installer on older operating systems with the exploit like OS X 10.5 and OS X 10.6 if you can’t upgrade to newer operating system.

Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on September 24th, 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.

Apple, although notified of the vulnerability before it was made public, the company did not release a corresponding OS X update until September 29th 2014, at which time the OS X bash Update 1.0 was released. Updates are available for OS X Lion (version 10.7), OS X Mountain Lion (version 10.8) and OS X Mavericks (version 10.9) and newer OS X operating systems include an updated Bash that isn’t vulnerable to these exploit.

Before using this installer we recommend that you disable any services that might make you more susceptible to being exploited with these bash vulnerabilities.
This includes disabling SSH, Apache HTTP Servers that use CGI scripts (via mod_cgi and mod_cgid), and enabling software firewall.

OS X 10.9 - System Prefs - Sharing - Remote Login Off

OS X 10.9 - System Prefs - Security & Privacy - Firewall - On

We recommend you evaluate your risk to the bash vulnerabilities and consider installing Apple’s official “OS X bash Update” vs installing this custom GNU source update. If you are running an older versions of OS X like OS X 10.5 & OS X 10.6, evaluate your need to run that operating version and consider upgrading the operating system, if possible, to a newer version that has security updates that addresses the Bash exploit or newer operating systems that include the newer version of Bash.

Warning
We have tested this installer and bash versions on OS X 10.5 – 10.10 and have it in production on approximately 800 OS X 10.9.x computers, but this installer and software is supplied as is without expressed or implied warranties of any kind. We can’t guarantee it will work in all environments and strongly recommend thoroughly testing the installer & software before distributing it to multiple computers in your environment.

Installation


You can run this installer on OS X 10.5 “Leopard” thru OS X 10.10 “Yosemite”.

Introduction
After launching the installer you will see the “Introduction” dialog window:

Bash Installer - Introduction

Read Me
Then click the “Continue” button and next you will see the “Read Me” dialog window, which gives details about the installer, bash software & vulnerabilities, troubleshooting and support.

Bash Installer - Read Me

You can save the “Read Me” for future reference by clicking the “Save…” button.

Select a Destination
Next click the “Continue”button and you will see the following dialog window:

Bash Installer - Destination

This allows you to install on available volumes like a non-startup disk.

Installation Type
Next click the “Continue”button and you will see the following dialog window:

Bash Installer - Installation Type

Administrative Credentials
Then click the “Install” button, you will get prompted to enter an administrative username and password.

admin prompt

The reason you need administrative privileges is because this installer modifies and installs software in a location of the file system that is needs to be secure from standard users.

Summary
If installation was successful you will see the following dialog window:

Bash Installer - Summary

Auditing Installer

If you want detailed logs on installation, select the “Installer Log” command from the “Window” menu.

Installer Log

This will display details of installation, like “show errors”, “show errors and progress” and “show all logs”.

Installer Log Window

Or if you want to review the installation package before installing you can use a tool like Pacifist, which will let you review package contents…

Pacifist Window

and installer resources like preinstall and other scripts.

Pacifist Preinstall Selection

Pacifist Preinstall Script

What’s Installed?


The new bash software will be installed:

You can verify the installation by running the following command(s):

The installer will backup your current “bash” and “sh” files.

For example:

File Checksums


Checksums computed on the content of downloaded files are a way to verify that the content is authentic and has neither been altered by an unauthorized third party, nor been damaged during the transfer process across the Internet. Apple recommends the use of the so-called SHA1 standard (Secure Hash Algorithm Version 1).
For more information please also refer to Apple Support Article HT1652.

Here are the SHA1 checksums for the bash files:

  • OS X 10.5-10.10 – bash version 3.2.57

  • OS X 10.5-10.10 – sh version 3.2.57/li>

To verify the checksums, you will need to compile your own version of the bash files and then run the following commands:

Then compare your compiled checksum vs the installer checksum versions.

Here are the SHA1 checksum for the installer:

  • OS X 10.5-10.10 GNU Bash 3.2.57.pkg

If you want to check the checksum against your downloaded version.

Compiling Bash on OS X


To compile your own universal bash version that runs on 32/64-bit, PowerPC & Intel architectures, you will need to use a version of OS X & Xcode that supports these archectural flags. We are using Mac OS X 10.5 and Xcode 3.1.4 to compile a universal bash version.

Download Xcode
Download Xcode from Apple Developer site:
https://developer.apple.com

Download and unpack bash from Apple

Change directory to the downloaded Bash folder:

Download GNU Patch
Download the patch script from gnu.org, and apply it. These must start with 052 (the first listed here), and then apply subsequent patches sequentially, if available:

Go up one directory and then build the patched version:

Or use the Xcode GUI build option.

Verify Checksums
First, you need to output the checksum of your compiled bash and then compare against this installer’s files.
To output the checksum for for your files run the following commands:

Install Compiled Versions
If you want to install your compiled versions, do the following:

Backup current bash & sh files:

Replace with new bash & sh files:

Remove the execute bit on the backup versions:

Troubleshooting


If you have problems with this installer, you can downgrade your “bash” and “sh” files to the previous versions.

Follow these steps:

Replace with backup files:

Enable execute permissions:

Test restored files:

For example, you should see output like the following:

How to Distribute Installer/Software?


There are multiple options for distributing this installer and included software:

Manual
If you have few OS X computers, you can manually transfer and run the installer.

Apple Remote Desktop
If you have more than a few OS X computers and aren’t using a managed software distribution system (see below). You can use a remote management solution like Apple Remote Desktop with its “Install Packages” feature that would allow you to remotely and quickly run this install package.

ARD Install Package

The downside of using Apple Remote Desktop is that the OS X computers need to be online and if users are off-network, there might be conflicts with required open ports and off-network firewall/DMZ support and access.

Managed Software Distribution
There are many managed software distribution solutions available for OS X including commercial, free and open source. If you are looking to automate software distribution and have too many clients or are too busy and want to save time I would recommend investigating the solutions listed below:



If you have suggestions for other solutions to add to this list, please let us know.

History


  • GNU bash 3.2.57 Patch

A combination of nested command substitutions and function importing from the environment can cause bash to execute code appearing in the environment variable value following the function definition.

  • GNU bash 3.2.56 Patch

When bash is parsing a function definition that contains a here-document delimited by end-of-file (or end-of-string), it leaves the closing delimiter uninitialized. This can result in an invalid memory access when the parsed function is later copied.

  • GNU bash 3.2.55 Patch

There are two local buffer overflows in parse.y that can cause the shell to dump core when given many here-documents attached to a single command or many nested loops.

Updates


  • 2014.10.02

Initial installer release for GNU Bash 3.2.55 Patch

  • 2014.10.03

Installer updated with GNU Bash 3.2.56 Patch

  • 2014.10.06

Installer updated with GNU Bash 3.2.57 Patch

  • 2014.10.08

Modified package indentifier to a generic format “(i.e edu.lib.utah.pkg.OSX10.5-10.10GNUBash) & installer version will match GNU Bash version (i.e. 3.2.57) will be for better compatibility with enterprise management software like autopkg, Absolute Manage, Casper Suite, Filewave, munki, etc.

  • 2014.10.08

Installer Package Signed for better compatibility with OS X Gatekeeper feature on Mac OS X 10.7.5 “Lion” or higher.

  • 2014.10.08

Minor corrections & updates to installer readme.

Know Issues


Can’t Run Installer via Network Volume
Currently, you can’t run the installer directly from a network volume. You will get the following error.

Error Running Installer from Network Volume

This is a limitation/feature of the Apple Installer.app, a workaround is copying the package to a local volume and try installing again.

Download


Use the link below to download the installer for OS X GNU Universal Bash version 3.2.57.

http://www.mac-mgrs.utah.edu/downloads/osx_gnu_bash_installer.zip

No Comments

Leave a Reply