OS X: Updating bash

This article tries to describe in detail the current state of updating bash on OS X. It covers the following parts:

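  • The most complete and up-to-date update installer
  • Testing for the known bash vulnerabilities
  • Building an updated version with a script
  • Updating manually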

1. The most complete and up-to-date update installer:

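Richard Glaser of the University of Utah recently released an installer he built himself that bundles a bash update suitable for OS X 10.5 through 10.10. It updates bash to the current latest version, 3.2.56, which is newer than Apple's official 3.2.53(1), and it fixes the known dangerous vulnerabilities (listed later, together with a test script). The fix is as claimed: so far there is no further information showing whether version 56 really fixes them.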

The original announcement follows:

Here is an OS X installer for the latest official GNU bash release version, 3.2.56, and it will be updated to new releases when available.

The bash is universal, runs on 32/64-bit, PowerPC, Intel architectures, and supports and has been tested on OS X 10.5 thru OS X 10.10.

http://www.mac-mgrs.utah.edu/downloads/osx_gnu_bash_installer.zip

Our institution is very decentralized and primarily there was a need to apply the latest GNU bash patch to non-Apple supported OS's like OS 10.6/10.5, but those who are security conscious or paranoid could use it on supported OS X versions.

Here are the SHA1 256 checksums:

  • OS X 10.5-10.10 - bash version 3.2.56

    bed4178f4bdf05ad2d5c396fb3ed97331e62e35836fae1410e20f0e05a77c13e

  • OS X 10.5-10.10 - sh version 3.2.56

    f51a83aaad5d15b34753998cb81061eb63ffe1a28f8876db0a0ea2f04f28e3b1

The installer backs up the current bash install in case you need to revert back to the previous version. See installer read me for details.

Hope this is useful to the community. 

Let me know if you have any suggestions, comments or problems.

2. Testing for the known bash vulnerabilities:

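Another engineer wrote a script that checks for the bash vulnerabilities known so far; the original script can be obtained here. For ease of reading, it is attached at the end of this article.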

Here is the result of running that script against the patched version 3.2.56 described above:

$ bashcheck.sh
Testing /bin/bash ...
GNU bash, version 3.2.56(1)-release (x86_64-apple-darwin9)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)

For comparison, here is the result for Apple's official 3.2.53(1):

$ ./bashbash.sh
Testing /bin/bash ...
GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin14) 

Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Vulnerable to CVE-2014-6277 (lcamtuf bug #1) [no patch]
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)
Variable function parser inactive, likely safe from unknown parser bugs
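The two runs above can also be compared mechanically. The following is an added example, not part of the original article or of the bashcheck script: it classifies bashcheck output per CVE so that a deployment script can refuse to continue while any test still reports "Vulnerable". The function names are made up for this example, and the sample input is copied from the two runs shown above.

```shell
#!/bin/bash
# Added example: classify bashcheck output per CVE.
# Sample input: result lines copied from the two runs shown above.
sample_apple_3_2_53() {
	cat <<'EOF'
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Vulnerable to CVE-2014-6277 (lcamtuf bug #1) [no patch]
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)
EOF
}

sample_gnu_3_2_56() {
	cat <<'EOF'
Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)
EOF
}

# stdin: bashcheck output. stdout: one "STATUS CVE-id" line per test result.
# The script colours its output, so ANSI colour escapes are stripped first.
classify_bashcheck() {
	esc=$(printf '\033')
	sed "s/${esc}\[[0-9;]*m//g" | awk '
		/^Vulnerable to CVE-/           { print "VULNERABLE", $3; next }
		/^Found non-exploitable CVE-/   { print "NONEXPLOITABLE", $3; next }
		/^Not vulnerable to CVE-/       { print "OK", $4; next }
		/^Test for CVE-.* not reliable/ { print "INCONCLUSIVE", $3; next }'
}

# Print the CVE ids that have the given status, separated by spaces.
cves_with_status() {
	classify_bashcheck |
		awk -v s="$1" '$1 == s { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# Gate for deployment scripts: succeeds only if nothing is VULNERABLE.
bashcheck_gate() {
	[ -z "$(cves_with_status VULNERABLE)" ]
}
```

An INCONCLUSIVE result, such as CVE-2014-7187 in both runs, does not fail the gate, so it still needs a separate decision.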

3. Compiling an updated version yourself

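In addition, TJ Luoma released a script that downloads the latest bash source from opensource.apple.com, downloads each update patch from gnu.org, and recompiles bash with Xcode. At present it also produces version 3.2.56.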

4. Manual update

This covers how to do the update by hand; see AlBlue's explanation for the details.

-----

The bash-check script

#!/bin/bash

warn() {
	if [ "$scary" == "1" ]; then
		echo -e "\033[91mVulnerable to $1\033[39m"
	else
		echo -e "\033[93mFound non-exploitable $1\033[39m"
	fi
}

good() {
	echo -e "\033[92mNot vulnerable to $1\033[39m"
}

[ -n "$1" ] && bash=$(which $1) || bash=$(which bash)
echo -e "\033[95mTesting $bash ..."
echo $($bash --version | head -n 1)
echo -e "\033[39m"

#r=`a="() { echo x;}" $bash -c a 2>/dev/null`
if [ -n "$(env 'a'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[91mVariable function parser active, maybe vulnerable to unknown parser bugs\033[39m"
	scary=1
elif [ -n "$(env 'BASH_FUNC_a%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [%%, upstream], bugs not exploitable\033[39m"
	scary=0
elif [ -n "$(env 'BASH_FUNC_a()'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [(), redhat], bugs not exploitable\033[39m"
	scary=0
elif [ -n "$(env 'BASH_FUNC_<a>%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [<..>%%, apple], bugs not exploitable\033[39m"
	scary=0
else
	echo -e "\033[92mVariable function parser inactive, bugs not exploitable\033[39m"
	scary=0
fi

r=`env x="() { :; }; echo x" $bash -c "" 2>/dev/null`
if [ -n "$r" ]; then
	warn "CVE-2014-6271 (original shellshock)"
else
	good "CVE-2014-6271 (original shellshock)"
fi

cd /tmp;rm echo 2>/dev/null
env x='() { function a a>\' $bash -c echo 2>/dev/null > /dev/null
if [ -e echo ]; then
	warn "CVE-2014-7169 (taviso bug)"
else
	good "CVE-2014-7169 (taviso bug)"
fi

$($bash -c "true $(printf '<<EOF %.0s' {1..80})" 2>/tmp/bashcheck.tmp)
ret=$?
grep -q AddressSanitizer /tmp/bashcheck.tmp
if [ $? == 0 ] || [ $ret == 139 ]; then
	warn "CVE-2014-7186 (redir_stack bug)"
else
	good "CVE-2014-7186 (redir_stack bug)"
fi

$bash -c "`for i in {1..200}; do echo -n "for x$i in; do :;"; done; for i in {1..200}; do echo -n "done;";done`" 2>/dev/null
if [ $? != 0 ]; then
	warn "CVE-2014-7187 (nested loops off by one)"
else
	echo -e "\033[96mTest for CVE-2014-7187 not reliable without address sanitizer\033[39m"
fi

$($bash -c "f(){ x(){ _;};x(){ _;}<<a;}" 2>/dev/null)
if [ $? != 0 ]; then
	warn "CVE-2014-6277 (lcamtuf bug #1)"
else
	good "CVE-2014-6277 (lcamtuf bug #1)"
fi

if [ -n "$(env x='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
	warn "CVE-2014-6278 (lcamtuf bug #2)"
elif [ -n "$(env BASH_FUNC_x%%='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
	warn "CVE-2014-6278 (lcamtuf bug #2)"
elif [ -n "$(env 'BASH_FUNC_x()'='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
	warn "CVE-2014-6278 (lcamtuf bug #2)"
else
	good "CVE-2014-6278 (lcamtuf bug #2)"
fi

The bash-fix script

#!/bin/zsh -f
# recompile bash -
# 	http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7/146851#146851
#
# From:	Timothy J. Luoma
# Mail:	luomat at gmail dot com
# Date:	2014-09-25, Updated 2014-09-29

NAME="bash-fix.sh"

	# This should match Xcode in many variations, betas, etc.
XCODE=`find /Applications -maxdepth 1 -type d -iname xcode\*.app -print`

if [[ "$XCODE" == "" ]]
then
	echo "$NAME [FATAL]: Xcode is required, but not installed. Please install Xcode from the Mac App Store."

	open 'macappstore://itunes.apple.com/us/app/xcode/id497799835?mt=12'

	exit 1
fi

zmodload zsh/datetime

function timestamp { strftime "%Y-%m-%d--%H.%M.%S" "$EPOCHSECONDS" }
function log { echo "$NAME [`timestamp`]: $@" | tee -a "$LOG" }

function die
{
	echo "\n$NAME [FATAL]: $@"
	exit 1
}

function msg
{
	echo "\n	$NAME [INFO]: $@"
}

TIME=$(strftime "%Y-%m-%d-at-%H.%M.%S" "$EPOCHSECONDS")

LOG="$HOME/Library/Logs/$NAME.$TIME.txt"

[[ -d "$LOG:h" ]] || mkdir -p "$LOG:h"
[[ -e "$LOG" ]]   || touch "$LOG"

cd "$HOME/Desktop" || cd

mkdir -p bash-fix

cd bash-fix

ORIG_DIR="$PWD"

##################################################################################################

msg "Downloading and uncompressing Apple's 'bash' source code..."

curl --progress-bar -fL https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -

EXIT="$?"

if [ "$EXIT" = "0" ]
then
	msg "Successfully downloaded bash source from Apple.com"
else
	die "curl or tar failed (\$EXIT = $EXIT)"

fi

cd bash-92/bash-3.2

msg "CWD is now $PWD"

##################################################################################################

msg "Downloading and applying bash32-052 from gnu.org..."
curl --progress-bar -fL https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0

EXIT="$?"

if [ "$EXIT" = "0" ]
then
	msg "patch bash32-052 successfully applied"
else
	die "patch bash32-052 FAILED"
fi

##################################################################################################

msg "Downloading and applying bash32-053 from gnu.org..."
curl --progress-bar -fL https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0

EXIT="$?"

if [ "$EXIT" = "0" ]
then
	msg "patch bash32-053 successfully applied"
else
	die "patch bash32-053 FAILED"
fi

##################################################################################################

msg "Downloading and applying bash32-054 from gnu.org..."
curl --progress-bar -fL https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 | patch -p0

EXIT="$?"

if [ "$EXIT" = "0" ]
then
	msg "patch bash32-054 successfully applied"
else
	die "patch bash32-054 FAILED"
fi

##################################################################################################

msg "Downloading and applying bash32-055 from gnu.org..."
curl --progress-bar -fL https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-055 | patch -p0

EXIT="$?"

if [ "$EXIT" = "0" ]
then
	msg "patch bash32-055 successfully applied"
else
	die "patch bash32-055 FAILED"
fi

##################################################################################################

msg "Downloading and applying bash32-056 from gnu.org..."
curl --progress-bar -fL https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-056 | patch -p0

EXIT="$?"

if [ "$EXIT" = "0" ]
then
	msg "patch bash32-056 successfully applied"
else
	die "patch bash32-056 FAILED"
fi

##################################################################################################

cd ..

msg "CWD is now $PWD"

echo -n "$NAME is about to run xcodebuild and its output redirected to $ORIG_DIR/xcodebuild.log. If it does not succeed, check the log for error messages.\n\nThis could take a few minutes. Please wait... "

	# Redirect stdout to the log first, then point stderr at it, so errors are logged too
xcodebuild >>| "$ORIG_DIR/xcodebuild.log" 2>&1

EXIT="$?"

if [ "$EXIT" = "0" ]
then
	msg "xcodebuild exited successfully."

else
	die "xcodebuild failed (\$EXIT = $EXIT). See $ORIG_DIR/xcodebuild.log for details."
	exit 1
fi

	# Play a sound to tell them the build finished
[[ -e /System/Library/Sounds/Glass.aiff ]] && afplay /System/Library/Sounds/Glass.aiff

if [ -e 'build/Release/bash' ]
then
	msg "Here is the _NEW_ version number for bash (must be 3.2.52(1) or later):"

	build/Release/bash --version # GNU bash, version 3.2.54(1)-release (x86_64-apple-darwin13)
else
	die "build/Release/bash does not exist. See $ORIG_DIR/xcodebuild.log for details."
fi

if [ -e 'build/Release/sh' ]
then
	msg "Here is the _NEW_ version number for sh (must be 3.2.52(1) or later):"

	build/Release/sh --version   # GNU bash, version 3.2.54(1)-release (x86_64-apple-darwin13)

else
	die "build/Release/sh does not exist. See $ORIG_DIR/xcodebuild.log for details."
fi

####################################################################################
#
# 2014-09-29: disabled test section because it only tests first vulnerability.
# 2014-09-29: TODO: Add tests for each vulnerability to verify it was fixed
#
# 	$NAME: About to run test of new bash:
#
# 	You should see 'hello' but you should NOT see the word 'vulnerable':
#
# Press Return/Enter to run test: "
#
# read PROMPT_TO_CONTINUE
#
# env x='() { :;}; echo vulnerable' build/Release/bash -c 'echo hello' 2>/dev/null

echo "\n\n"

read "?$NAME: Ready to install newly compiled 'bash' and 'sh'? [Y/n]: " ANSWER

case "$ANSWER" in
	N*|n*)
			echo "$NAME: OK, not installing"
			exit 0
	;;
esac

cat <<EOINPUT

$NAME: About to replace the vulnerable versions of /bin/bash and /bin/sh with the new, patched versions.
	The.$TIME ones will be backed up to /bin/bash.$TIME and /bin/sh.$TIME respectively

Please enter your administrator password (if prompted):
EOINPUT

	# This will prompt user for admin password
sudo -v

##################################################################################################

msg "Moving /bin/bash to /bin/bash.$TIME: "
sudo /bin/mv -vf /bin/bash "/bin/bash.$TIME"	|| die "Failed to move /bin/bash to /bin/bash.$TIME"

msg "Installing build/Release/bash to /bin/bash: "
sudo cp -v build/Release/bash /bin/bash

if [ "$?" != "0" ]
then
	sudo mv -vf "/bin/bash.$TIME" /bin/bash
	die "Failed to move build/Release/bash to /bin/bash. Restored /bin/bash.$TIME to /bin/bash"
fi

##################################################################################################

msg "Moving /bin/sh to /bin/sh.$TIME: "
sudo /bin/mv -vf /bin/sh   "/bin/sh.$TIME" 	|| die "Failed to move /bin/sh to /bin/sh.$TIME"

msg "Installing build/Release/sh to /bin/sh: "
sudo cp -v build/Release/sh /bin/sh

if [ "$?" != "0" ]
then
	sudo mv -vf "/bin/sh.$TIME" /bin/sh
	die "Failed to move build/Release/sh to /bin/sh. Restored /bin/sh.$TIME to /bin/sh"
fi

##################################################################################################

msg "Removing executable bit from /bin/bash.$TIME"

sudo /bin/chmod a-x "/bin/bash.$TIME"  	|| msg "WARNING: Failed to remove executable bit from /bin/bash.$TIME"

msg "Removing executable bit from /bin/sh.$TIME"

sudo /bin/chmod a-x "/bin/sh.$TIME" 	|| msg "WARNING: Failed to remove executable bit from /bin/sh.$TIME"

msg "$NAME has finished successfully."

read "?Do you want to move $ORIG_DIR to ~/.Trash/? [Y/n]  " ANSWER

case "$ANSWER" in
	N*|n*)
			echo "$NAME: Not moving $ORIG_DIR."
			exit 0
	;;

	*)
			# $ORIG_DIR is an absolute path, so use only its last component in the Trash
			mv -vn "$ORIG_DIR" "$HOME/.Trash/${ORIG_DIR:t}.$EPOCHSECONDS"
			exit 0
	;;

esac

exit
#
#EOF

Time: 2024-10-11 00:13:12
