Comments on TenFourFox Development: Bashing bash one more time: updated universal 4.3.30 covering all known bash flaws

ClassicHasClass (2014-11-04T16:59:46.967-08:00):

I never saw your other reply. If you are getting the same message as David Ubogy above, however, then the same steps should work.

However, this post is now almost a month and a half old -- I can't monitor old threads forever, and this was always provided without any warranty or guarantee of support. So that others don't come here looking for rescue, I will close comments on this post. If you are not comfortable with the commands above, or do not feel you could rescue yourself if something goes wrong, you shouldn't do this.

me2u1004 (2014-11-04T08:40:58.887-08:00):

What happened to my question (and explanation) about a serious problem with Terminal after making a mistake doing this bash fix? Posts are supposed to get moderated now before going online, but I posted several days ago, and it still is not moderated and online. Do I need to write and post all over again?
Terminal no longer will work, won't let me type anything into it -- if I can fix that, I think I can then fix the mistake I made.

me2u1004 (2014-10-09T20:53:03.192-07:00):

I don't want to stray from this page's topic, so real fast, to clarify for you: You can still drag and drop in Safari 5.0.6. You simply can't do it directly to the compose window, you have to use the photo-insert button at the bottom of the compose window and drag into the window that opens -- an extra step.

ClassicHasClass (2014-10-09T06:10:47.551-07:00):

You mean the second one, which is CVE-2014-6277, and you actually tested something else. I asked for a test case to trigger -6277 in .28 (see comments above) because I couldn't find one. This one does work. The reason your build passes is because you have the equivalent patches to .29 and .30. Now that I have a test case, we'll proceed to .30.

If you can compile your own, that is obviously preferable.

Josh Long (2014-10-08T23:43:40.703-07:00):

First, huge fan.
I love that TenFourFox continues to be updated and I greatly appreciate all the time and effort Cameron puts into keeping older versions of OS X relevant and usable.

Now, a possible bug in bash-4.3.28-10.4u …

When I ran this bash vulnerability tester script (note, people in the future: someone else may eventually own this domain, so use with caution)…

curl https://shellshocker.net/shellshock_test.sh | bash

…it said that the first one (CVE-6277) was still exploitable on my 10.6.8 machine. Is their test incorrect?

Incidentally, when I compile and install my own based on Apple's 3.2 source and patches 52 through 57, I get a "not vulnerable" report for all 6 of the vulnerabilities for which this script currently tests.

Anonymous (2014-10-08T16:06:49.922-07:00):

Here’s for the crazy ones, the misfits, the trouble makers, the round pegs in the square holes. The ones who see things differently:

The Missing Bash Update Installer For Snow Leopard

Anonymous (2014-10-08T00:46:32.986-07:00):

Ok, confirming that you now need Safari 6 or higher to drag’n’drop photos to Safari gmail, which in turn demands 10.7.5.

You’re right: Has everything to do with gmail dropping support for Safari 5.x.x, and nothing to do with the patch.
Also, my G5 sure boots 10.5.8, not 10.6.8 as I incorrectly wrote.

ClassicHasClass (2014-10-07T13:12:56.979-07:00):

The differences between 3.2 and 4.3 are primarily enhanced scripting capabilities, but there are some bug fixes which the 3.2 patches do not cover; see http://wiki.bash-hackers.org/bash4

That said, on my one and only 10.9 system, I am using the Apple bash, though partially for reasons of comparison.

ClassicHasClass (2014-10-07T13:09:57.919-07:00):

That seems a more likely explanation, especially since Google has done such things before without warning.

me2u1004 (2014-10-07T12:34:16.490-07:00):

That wasn't being short; that's the information I needed to know.

I just deinstalled the replacement bash and reinstalled the original (and tested, to make sure original was in place, and yes, it failed the tests, so it was the original).

After doing so, the problem with Gmail insertions into the compose window remains. So, the issue is not the new bash. (I think Gmail happened to do something right about the time I replaced the bash that served to stop that function in my Safari 5.0.6, on a G4 PPC Mac running OS X 10.5.8 Leopard.) Well, it just occurred to me that I did not do a restart before testing Gmail.
Dang!

Anonymous (2014-10-07T11:02:45.962-07:00):

Any opinions about whether to use this binary or the Apple-supplied binaries for 10.7-10.9 machines? Yes, I have a preference for the Apple-supported product, but 3.2.53 seems pretty far behind...

Anonymous (2014-10-07T10:57:14.417-07:00):

In case this is really a problem with the new version of bash and someone else is having it, I have gone crash-free since Sunday night. When I move the computer -- i.e. I put it to sleep and pack it up and take it somewhere so it's unplugged -- I select "Sleep" from the apple-menu rather than just closing the lid. The main problem is not forgetting!

I suspect that there is some complex interaction between what apps I'm running, and whatever process runs differently with a lid-close sleep rather than a menu-selected sleep with the new version of bash.
I'd much rather have to remember to use the menu to put it to sleep than risk the older version...

ClassicHasClass (2014-10-07T06:28:01.952-07:00):

Your point is well taken, and was already suggested at least once, but given the number of people who made an error during install it seems prudent to consider that recommendation at a later step so that the Finder can rescue them.

ClassicHasClass (2014-10-07T06:26:02.156-07:00):

I don't mean to be short with you, but Safari doesn't even call bash or any shell. How about reverting and seeing if it makes any difference first?

Also, 10.6.8 doesn't run on G5.

Anonymous (2014-10-07T02:41:10.998-07:00):

I hereby confirm that drag’n’drop pictures into safari gmail no longer works, neither on 10.6.8 G5, nor 10.6.8 Intel 32 after applying the patch. Any fix but reverting?

rlpvl (2014-10-06T23:38:42.767-07:00):

Thank you so much for documenting this and making the binary available. One suggestion though: your instruction to make a copy of the unpatched binary as /bin/bash_old and /bin/sh_old leaves a vulnerability, as an attacker can try to execute that old binary.
It would probably be best to add sudo chmod -x /bin/bash_old and sudo chmod -x /bin/sh_old commands so that the copies can't be executed.

ClassicHasClass (2014-10-06T19:49:27.536-07:00):

Yes, I'm aware. It's not clear that either patch addresses something not addressed by the previous ones (if you think otherwise, please demonstrate a test case that works against 4.3.28). I'm taking a wait-and-see approach as described above. Eventually I will incorporate them, but I think there are more patches to come.

James Brown (2014-10-06T18:04:52.234-07:00):

Thanks heaps for this!

Looks like there are some vulnerabilities fixed in patches 29 & 30:

29: "When bash is parsing a function definition that contains a here-document delimited by end-of-file (or end-of-string), it leaves the closing delimiter uninitialized. This can result in an invalid memory access when the parsed function is later copied."

30: A combination of nested command substitutions and function importing from the environment can cause bash to execute code appearing in the environment variable value following the function definition.

me2u1004 (2014-10-06T08:28:57.368-07:00):

Just to ask, while I doubt this bash fix has anything to do with it, but I must ask to be sure:

After doing the bash fix, the next time I tried to drag and drop a photo directly into my Gmail compose window, that function would no longer work -- it would not insert. That is, when using Safari 5.0.8 on PPC G4 running OS 10.5.8. The function had still worked at least shortly before doing the bash fix.

I don't know that the bash fix is the least bit related, but since that is what I did on my side, I have to ask if anyone else lost that function in Gmail running from Safari 5 after doing the bash fix. I note, I can still drag and drop directly into the compose window in Gmail if I instead use TenFourFox 31.1.1. (I much prefer Safari because it is faster, especially when I try to open my Bookmarks list.)

me2u1004 (2014-10-06T08:19:49.652-07:00):

OK, thanks.
Since I'm talking of a 10.5.8 PPC Mac here, then that means the Apple fix can't be used on it (I suppose for the reason SyneRyder says, the Apple fix is strictly for 64 bit). OK, so then all other consideration is moot for me.

ClassicHasClass (2014-10-05T13:19:56.337-07:00):

Apple does not use bash 4.3. I've chosen to do so here to pick up other bug fixes and improvements. Their version is substantially earlier. 4.3 is designed to be upwardly compatible and other than one report of an old version of a utility having difficulty with its installer, I have had no compatibility issues reported to me. You can temporarily roll back since the steps here save your old version of bash.

In general, you should use the Apple provided fix. For people on a supported version of OS X, the binary I offer is a stopgap. My 10.9.5 MacBook Air uses the Apple fix.

For people on 10.4-10.6, there is no support from Apple, and I stand by this binary (it's installed on all of my 10.4-10.6 systems). The 10.7 binary may or may not work on earlier versions of Intel Mac OS X depending on what it's linked against, and it will definitely not work at all on a Power Mac. Frankly, I would be very surprised if it worked even on Snow Leopard, let alone anything earlier.

SyneRyder (2014-10-05T13:18:20.020-07:00):

As far as I understand, the patches from Apple are only compiled for 64-bit Intel Macs - they won't work with 32-bit Intel 10.6 machines or anything older. Apple is also using an older version of Bash than the one provided here by TenFourFox...
the Apple version is 3.2.53, whereas the ones here are 4.3.28 and compiled in a way that they will work on both PPC & Intel machines.

I'd stick with the TenFourFox versions here, personally.

me2u1004 (2014-10-05T11:19:22.302-07:00):

For those who would prefer to have an official, Apple-provided bash fix, I ask:

Can the fixed bash that Apple put out for 10.7 and above be used to fix the lower OSs, including down to at least 10.4 PPC?

I ask because it occurs to me that the bash offered here supposedly is good on any OS X from 10.4 and up, PPC and Intel, through 10.9. If so, it makes sense to me that we could instead just use the official Apple bash and install that on any of the OSs with the instructions from here. (But I will say, I have confidence in one provided here by the TenFourFox people -- although I don't know anything about the source it came from. But I emphasize, I have no issues with it.)

Does anyone know? And, is the Apple one as good as the one used here -- maybe Apple did the fix differently and not so good?

Anonymous (2014-10-05T10:55:32.175-07:00):

Ever since I bought my first macbook pro which was 2006 and it might have been running 10.3 back then, the operating system has had more or less problems waking from sleep. There are all of the permutations of sleep selected from the menu vs sleep by closing the lid, go to sleep with it plugged in or not, wake up plugged in or not, knock the plug out while it's asleep, etc. etc. etc.
And of course I've got my machine set so that only the display sleeps if it's plugged in. It has been really quite good since about 10.6.6. But I am certainly willing to believe that the machine and/or display goes to sleep and/or wakes up via shell script, and I may be hitting some funk there. While I have had kernel panics, I've also had the machine mostly just go to sleep and not wake up.

I pretty much always boot into single user mode and run fsck after a crash, and the only time I got an fsck error was when I had to crash the machine after I copied in the new binaries and hit "shut down" and it hung at the white screen for about 10 minutes. Yesterday I couldn't get it to wake up, so I mashed the button, booted into single-user mode and used applejack to run fsck (there's a shell script), then restarted, logged in, and it kernel panic'd as the desktop started to load. Restarted, kernel panic again. Restarted, fsck, restarted, and it's been up since. Last night when I went to bed I put it to sleep via the menu, and it woke up this morning without the slightest problem -- no problems today.

David Ubogy (2014-10-05T08:13:08.016-07:00):

Worked like a charm. Thanks!