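How do I upgrade Bash in Mac OS X Snow Leopard [and set the correct path]?

Time: 2014-09-27 23:52:43

Tags: xcode bash homebrew osx-snow-leopard shellshock-bash-bug

I want to update the Bash (and Sh) programs in my Mac OS X Snow Leopard (10.6.8) in light of the recent bash bug, Shellshock. I am intentionally using 10.6.8, so I don't want to update to a newer version of OS X right now.

I have read this Q&A - How do I upgrade Bash in Mac OSX Mountain Lion and set it the correct path? - but it doesn't work for me, because I don't have [home?]brew (or Xcode, or any compiler, etc.) installed. I am just starting out with programming on the Mac OS X platform.

By the way, when I type brew update in the terminal, I get this output: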

[489]$ brew update
-bash: brew: command not found

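So, what steps do I need to take (from scratch) to install a fixed version of bash for OS X 10.6.8?
Is it:

  1. Install XCode 3.2.6 (I am downloading the 4.1 GB install file right now)
  2. Install Homebrew (how?)
  3. Follow the steps in How do I upgrade Bash in Mac OSX Mountain Lion and set it the correct path?

Or, since I am using OS X 10.6.8, do I need to download the Bash code from somewhere, compile it with XCode 3.2.6 (or 4.2 if I pay for it), and manually replace the /bin/bash and /bin/sh files?

Like I said, I am a newbie on the Mac, but I do have [dated] programming experience.

Thanks.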

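4 answers:

Answer 0: (score: 2)

Homebrew is a package management system for the Mac. Lots of people use it to manage mysql, python, and (as you guessed) bash. All Homebrew does is install these packages and make them available to the user. While some people use it for bash, updating bash with Homebrew does not protect their entire system from shellshock (which my team tested and identified today).

What I suggest you do is download XCode for your version of OS X, download the xcode command line utilities (go to preferences -> downloads -> command line utilities), and then run this script I wrote. To be clear, this script just follows the same steps outlined here; I only made it easier for my dev team to update.

You can copy this code into an executable bash script and then run it with ./bash-fixer.sh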
    #!/bin/bash
    # In all good conscience, I can not guarantee anything in this script.
    # I've tested it to the best of my ability, but please use at your own risk

    # Refuse to run as root; only the copy steps near the end use sudo.
    if [ "$EUID" -eq 0 ]; then
      echo "DO NOT RUN AS SUDO! Running as sudo will break the world and will make your computer very unhappy."
      echo "There are commands later that are appropriately sudo'd."
      exit 1
    fi

    # xcodebuild is needed to compile Apple's bash project.
    xcode-select --version

    if [[ $? != 0 ]] ; then
      echo "You need to install the xcode stuff that makes magic. Let's try that together"
      xcode-select --install || echo "Something broke. Try running \"xcode-select --install\" manually"
      # Stop here in either case; run the script again once the tools are installed.
      exit 1
    fi

    cd ~/
    # CVE-2014-6271 probe: a vulnerable bash prints two lines ("vulnerable" and "hello").
    test=$( env x='() { :;}; echo vulnerable' bash -c 'echo hello' | wc -l )

    if [[ ${test} -lt 2 ]]; then
      echo "Your version of bash is up to date"
    else
      # Fetch Apple's bash-92 source and apply the upstream patches 052 to 054.
      mkdir -p bash-fix
      cd bash-fix || exit 1
      curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
      cd bash-92/bash-3.2 || exit 1
      for i in $(seq -f "%03g" 52 54); do
        curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-$i | patch -p0
      done
      cd ..

      xcodebuild
      # Keep copies of the original binaries before anything is replaced.
      sudo cp /bin/bash /bin/bash.old
      sudo cp /bin/sh /bin/sh.old

      echo
      echo
      echo "Current version of bash is $(build/Release/bash --version | head -1 | awk -F "version " '{ print $2 }')"
      echo "Current version of sh is $(build/Release/sh --version | head -1 | awk -F "version " '{ print $2 }' )"

      if [[ $(build/Release/bash --version) =~ "3.2.54(1)-release" && $(build/Release/sh --version) =~ "3.2.54(1)-release" ]]; then
        echo "So far so good. Let's do some more checks, because we like diligence"
      else
        echo "The bash and shell versions are not showing up as being the most recent. Something is afoot!"
        exit 1
      fi

      # Re-run the probe against the freshly built binary, not the system bash
      # (the earlier result in ${test} still describes the old /bin/bash).
      test=$( env x='() { :;}; echo vulnerable' build/Release/bash -c 'echo hello' | wc -l )

      if [[ ${test} -lt 2 ]]; then
        echo "The newly built bash passes the check"
      else
        echo "Something went horribly wrong!"
        exit 1
      fi

      echo "Awesome. All checks have passed. Cleaning up, and removing executable privileges from the old bash and sh, just in case"
      sudo cp build/Release/bash /bin
      sudo cp build/Release/sh /bin
      sudo chmod a-x /bin/bash.old /bin/sh.old

    fi

Let me know how you make out, and good luck!
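Whether an update covered the whole system can be checked by probing each shell binary by its explicit path rather than only the `bash` that is first on `PATH`. The following is an added example, not part of the answer above; it reuses the answer's CVE-2014-6271 probe, and the function names `probe_shell` and `audit_shells` are hypothetical.

```shell
#!/bin/sh
# Added example: probe shell binaries by explicit path for CVE-2014-6271.

# probe_shell PATH -> prints "missing", "vulnerable" or "ok".
probe_shell() {
  ps_path=$1
  if [ ! -x "$ps_path" ]; then
    echo "missing"
    return 0
  fi
  # Same probe as the script above. A vulnerable bash executes the trailing
  # command while importing the variable x, so the marker shows up in stdout.
  ps_out=$(env x='() { :;}; echo vulnerable' "$ps_path" -c 'echo hello' 2>/dev/null || true)
  case "$ps_out" in
    *vulnerable*) echo "vulnerable" ;;
    *)            echo "ok" ;;
  esac
}

# audit_shells PATH... -> one "status<TAB>path<TAB>version" line per binary.
# Returns 1 if any binary is vulnerable, so it can gate a deployment script.
audit_shells() {
  as_rc=0
  for as_path in "$@"; do
    as_status=$(probe_shell "$as_path")
    as_ver=""
    if [ "$as_status" != "missing" ]; then
      # Shells that do not support --version simply leave this column empty.
      as_ver=$("$as_path" --version 2>/dev/null | head -n 1)
    fi
    printf '%s\t%s\t%s\n' "$as_status" "$as_path" "$as_ver"
    if [ "$as_status" = "vulnerable" ]; then as_rc=1; fi
  done
  return "$as_rc"
}

# The system shells plus whichever bash is first on PATH (e.g. a Homebrew one).
audit_shells /bin/bash /bin/sh "$(command -v bash)"
```

The version column is informational only; the status column comes from the behavioural probe, which is what distinguishes a replaced `/bin/bash` from one that was merely shadowed on `PATH`.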

Answer 1: (score: 2)

You can also do it entirely in the terminal (given the Lion update package):

# pkgutil --expand ~/BashUpdateLion.pkg ~/BashUpdate
# vi ~/BashUpdate/Distribution

Edit the InstallationCheck and VolumeCheck functions as follows:

function InstallationCheck(prefix) {
     return true;
}
function VolumeCheck(prefix) {
     return true;
}

Finally, flatten it again into an installable package:

# pkgutil --flatten ~/BashUpdate ~/Desktop/BashUpdateModified.pkg

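Answer 2: (score: 1)

Note that Apple released an official set of patched versions of Bash on 2014-09-29. However, that support only goes back to Lion, not to Snow Leopard. As a result, you still cannot build and install your own patched version on Snow Leopard.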

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2014-09-29-1 OS X bash Update 1.0

OS X bash Update 1.0 is now available and addresses the following:

Bash
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5,
OS X Mavericks v10.9.5
Impact: In certain configurations, a remote attacker may be able to execute arbitrary
shell commands
Description: An issue existed in Bash's parsing of environment variables. This issue was
addressed through improved environment variable parsing by better detecting the end of
the function statement.
This update also incorporated the suggested CVE-2014-7169 change, which resets the
parser state.
In addition, this update added a new namespace for exported functions by creating a
function decorator to prevent unintended header passthrough to Bash. The names of all
environment variables that introduce function definitions are required to have a
prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via
HTTP headers.
CVE-ID
CVE-2014-6271 : Stephane Chazelas
CVE-2014-7169 : Tavis Ormandy


OS X bash Update 1.0 may be obtained from the following webpages:
http://support.apple.com/kb/DL1767 – OS X Lion
http://support.apple.com/kb/DL1768 – OS X Mountain Lion
http://support.apple.com/kb/DL1769 – OS X Mavericks

To check that bash has been updated:

* Open Terminal
* Execute this command:
bash --version
* The version after applying this update will be:
OS X Mavericks:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
-----END PGP SIGNATURE-----

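Answer 3: (score: 1)

http://hacksagogo.wordpress.com/2014/10/02/shell-shock-os-x-bash-update-installer-for-snow-leopard/

Here's to the crazy ones, the misfits, the troublemakers, the round pegs in the square holes. The ones who see things differently... and are still running Snow Leopard.

1.- Open bashUpdateLion.pkg in PackageMaker

2.- Go to Project/Raw Editing Mode and modify the "InstallationCheck" and "VolumeCheck" functions in the "Distribution" file as follows: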

function InstallationCheck(prefix) {
    return true; }

function VolumeCheck(prefix) {
    return true; }

3.- Click "build" and choose a name for the installer package.

That's all, folks.