2014-09-27 29 views
0

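I want to update the Bash (and sh) programs on my Mac OS X Snow Leopard (10.6.8) because of the recently discovered bug, Shellshock. I am deliberately using 10.6.8, so I don't want to update to a newer version of OS X right now. How do I upgrade Bash in Mac OS X Snow Leopard [and set it to the correct path]?

I have read this Q&A - How do I upgrade Bash in Mac OSX Mountain Lion and set it the correct path? - but it doesn't work for me because I don't have [home?]brew installed (or Xcode or any compiler, etc.). I am just programming on the Mac OS X platform.

By the way, when I type brew update in Terminal I get this output: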

[489]$ brew update 
-bash: brew: command not found 

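So, which steps (from scratch) do I need to take to be able to install a fixed version of bash for OS X 10.6.8?
Is it:

  1. Install Xcode 3.2.6 (I am currently downloading the 4.1 GB install file now)
  2. Install Homebrew
  3. Follow the steps in How do I upgrade Bash in Mac OSX Mountain Lion and set it the correct path? (how, though?)

Or, since I am using OS X 10.6.8, do I need to download the Bash code from somewhere, compile it with Xcode 3.2.6 (or 4.2, if I pay), and manually replace the /bin/bash and /bin/sh files? As I said, I am a newbie at this on the Mac, but I do have [outdated] programming experience.

Thanks.

Answers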

2

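Homebrew is a package management system for the Mac. Many people use it to manage mysql, python and (as you might guess) bash. All Homebrew does is install these packages and make them available to the user. Although some people use it for bash, updating bash with Homebrew does not protect their whole system from Shellshock (my team tested and confirmed this today).

What I suggest you do is download Xcode for your version of OS X, download the Xcode command line utilities (by going to Preferences -> Downloads -> Command Line Utilities), and then run the script I wrote. To be clear, this script simply follows the same steps outlined here; I just made it easier for the development team to update.

You can copy this code into an executable bash script and run it with ./bash-fixer.sh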

    #!/bin/bash
    # In all good conscience, I can not guarantee anything in this script.
    # I've tested it to the best of my ability, but please use at your own risk

    if [ "$EUID" -eq 0 ]; then
        echo "DO NOT RUN AS SUDO! Running as sudo will break the world and will make your computer very unhappy."
        echo "There are commands later that are appropriately sudo'd."
        exit 1
    fi

    # xcodebuild (used below) needs the Xcode command line tools
    if ! xcode-select --version; then
        echo "You need to install the xcode stuff that makes magic. Let's try that together"
        # The script stops here either way; run it again once the tools are installed
        xcode-select --install || echo "Something broke. Try running \"xcode-select --install\" manually"
        exit 1
    fi

    cd ~/ || exit 1
    # A vulnerable bash prints two lines ("vulnerable" and "hello"); a fixed one prints only "hello"
    test=$(env x='() { :;}; echo vulnerable' bash -c 'echo hello' | wc -l)

    if [[ ${test} -lt 2 ]]; then
        echo "Your version of bash is up to date"
    else
        mkdir -p bash-fix
        cd bash-fix || exit 1
        # Fetch Apple's bash source and apply the GNU bash 3.2 patches 052 to 054
        curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
        cd bash-92/bash-3.2 || exit 1
        for i in $(seq -f "%03g" 52 54); do
            curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-$i | patch -p0
        done
        cd ..

        xcodebuild || exit 1
        # Keep copies of the original binaries
        sudo cp /bin/bash /bin/bash.old
        sudo cp /bin/sh /bin/sh.old

        echo
        echo
        echo "Current version of bash is $(build/Release/bash --version | head -1 | awk -F "version " '{ print $2 }')"
        echo "Current version of sh is $(build/Release/sh --version | head -1 | awk -F "version " '{ print $2 }')"

        if [[ $(build/Release/bash --version) =~ "3.2.54(1)-release" && $(build/Release/sh --version) =~ "3.2.54(1)-release" ]]; then
            echo "So far so good. Let's do some more checks, because we like diligence"
        else
            echo "The bash and shell versions are not showing up as being the most recent. Something is afoot!"
            exit 1
        fi

        # Repeat the vulnerability test against the freshly built bash; the value
        # computed earlier came from the old binary. Compare numerically (-lt),
        # and do not exit on success, so that the install steps below are reached.
        test=$(env x='() { :;}; echo vulnerable' build/Release/bash -c 'echo hello' | wc -l)
        if [[ ${test} -lt 2 ]]; then
            echo "Your version of bash is up to date"
        else
            echo "Something went horribly wrong!"
            exit 1
        fi

        echo "Awesome. All checks have passed. Cleaning up, and removing executable privileges from the old bash and sh, just in case"
        sudo cp build/Release/bash /bin
        sudo cp build/Release/sh /bin
        sudo chmod a-x /bin/bash.old /bin/sh.old

    fi

Let me know how it goes when you run it, and good luck!

+0

Or, even better, Apple just released a patch, which can be found here: http://support.apple.com/kb/DL1769?viewlocale=en_US&locale=en_US – paranoid 2014-09-30 01:21:33

+0

Similar steps are shown in this article: http://www.macissues.com/2014/09/25/how-to-unofficially-fix-the-shell-shock-bash-vulnerability-in-os-x/ On Mac OS 10.6.8 it worked fine for me. Run the vulnerability tests to confirm that the change took effect. – 2014-10-01 17:19:57

+0

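bash-3.2 now has several more patches: 052 to 057. So change "52 54" to "52 57" to get all of the patches. These patches are plain text files, and you can inspect each one yourself by viewing its URL, e.g. https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-057 – 2014-11-02 04:33:55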

1

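Note that Apple released a set of officially patched versions of Bash on 2014-09-29. However, this support only goes back to Lion, not back to Snow Leopard. So you are still stuck with building and installing your own patched version on Snow Leopard.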

-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 

APPLE-SA-2014-09-29-1 OS X bash Update 1.0 

OS X bash Update 1.0 is now available and addresses the following: 

Bash 
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, 
OS X Mavericks v10.9.5 
Impact: In certain configurations, a remote attacker may be able to execute arbitrary 
shell commands 
Description: An issue existed in Bash's parsing of environment variables. This issue was 
addressed through improved environment variable parsing by better detecting the end of 
the function statement. 
This update also incorporated the suggested CVE-2014-7169 change, which resets the 
parser state. 
In addition, this update added a new namespace for exported functions by creating a 
function decorator to prevent unintended header passthrough to Bash. The names of all 
environment variables that introduce function definitions are required to have a 
prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via 
HTTP headers. 
CVE-ID 
CVE-2014-6271 : Stephane Chazelas 
CVE-2014-7169 : Tavis Ormandy 


OS X bash Update 1.0 may be obtained from the following webpages: 
http://support.apple.com/kb/DL1767 – OS X Lion 
http://support.apple.com/kb/DL1768 – OS X Mountain Lion 
http://support.apple.com/kb/DL1769 – OS X Mavericks 

To check that bash has been updated: 

* Open Terminal 
* Execute this command: 
bash --version 
* The version after applying this update will be: 
OS X Mavericks: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13) 
OS X Mountain Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12) 
OS X Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11) 

Information will also be posted to the Apple Security Updates 
web site: http://support.apple.com/kb/HT1222 

This message is signed with Apple's Product Security PGP key, 
and details are available at: 
https://www.apple.com/support/security/pgp/ 

1

http://hacksagogo.wordpress.com/2014/10/02/shell-shock-os-x-bash-update-installer-for-snow-leopard/

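Here's to the crazy ones, the misfits, the troublemakers, the round pegs in the square holes. The ones who see things differently... and are still running Snow Leopard.

1.- Open bashUpdateLion.pkg in PackageMaker

2.- Go to Project / Raw Editing Mode and modify the functions "InstallationCheck" and "VolumeCheck" in the file "Distribution" so that they look like this: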

function InstallationCheck(prefix) { 
    return true; } 

function VolumeCheck(prefix) { 
    return true; } 

3.- Click "Build" and choose a name for the installer package.

That's all, folks.

+0

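My OS: 'Mac OSX 10.6.8'. Some further explanation: 1) Go to where you downloaded 'bashUpdateLion.dmg' and double-click it. Then right-click 'bashUpdateLion.pkg', choose 'Open With > Other', navigate to Macintosh HD > Developer > Applications > Utilities > PackageMaker, select it, and click the Open button. 3) After building and choosing a name, you can open the installer right away (it incorrectly(?) lists the original name).... – 7stud 2015-01-31 22:12:33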

+0

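...or you can close PackageMaker (without saving the changes), eject the volume (you will see it open in Finder), navigate to the newly named .pkg file, and click the file (it incorrectly(?) lists the original name), then proceed with the installation. – 7stud 2015-01-31 22:13:22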

+0

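After applying the update, my bash version '$ bash --version' changed from 'GNU bash, version 3.2.48(1)-release (x86_64-apple-darwin10.0) Copyright (C) 2007 Free Software Foundation, Inc.' to 'GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11) Copyright (C) 2007 Free Software Foundation, Inc.'. After running the shellshock test: '$ curl https://shellshocker.net/shellshock_test.sh | bash', I still have one vulnerability: 'CVE-2014-7186 (redir_stack bug): VULNERABLE', which can be tested in isolation like this... – 7stud 2015-01-31 22:18:58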

2

You can also do all of this in the terminal (given the Lion update package):

# pkgutil --expand ~/BashUpdateLion.pkg ~/BashUpdate 
# vi ~/BashUpdate/Distribution 

Edit the InstallationCheck and VolumeCheck functions to read like this:

function InstallationCheck(prefix) { 
    return true; 
} 
function VolumeCheck(prefix) { 
    return true; 
} 

Finally, flatten it back down into an installer package:

# pkgutil --flatten ~/BashUpdate ~/Desktop/BashUpdateModified.pkg 
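
A check to run on a rebuilt or repackaged bash before and after it replaces /bin/bash, combining the environment probe from the build script above with the exported-function namespace described in Apple's advisory. This is an added example, not part of any answer on this page; the function names are hypothetical, and the `BASH_FUNC_name%%` encoding is assumed to be the one used by patched GNU bash.

```shell
#!/bin/sh
# Added example (hypothetical helper names): vet a bash binary before installing it.

# Returns 0 when the binary does not execute the command that trails a function
# definition in an environment variable (the probe used in the build script).
check_injection() {
    ci_out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo hello' 2>/dev/null) || true
    case $ci_out in
        *vulnerable*) return 1 ;;
    esac
    return 0
}

# Prints how the binary encodes an exported function in the environment:
#   apple    __BASH_FUNC<probe_fn>()=...   (naming from Apple's advisory)
#   upstream BASH_FUNC_probe_fn%%=...      (assumed naming of patched GNU bash)
#   legacy   probe_fn=() { ...             (no namespace: pre-fix behaviour)
func_namespace() {
    fn_env=$("$1" -c 'probe_fn() { :; }; export -f probe_fn; env' 2>/dev/null) || true
    case $fn_env in
        *'__BASH_FUNC<probe_fn>()='*) echo apple ;;
        *'BASH_FUNC_probe_fn%%='*)    echo upstream ;;
        *'probe_fn=() {'*)            echo legacy ;;
        *)                            echo unknown ;;
    esac
}

# Gate for the copy into /bin: 0 = safe, 1 = failed a check, 2 = not executable.
safe_to_install() {
    if [ ! -x "$1" ]; then
        echo "$1: not an executable file" >&2
        return 2
    fi
    if ! check_injection "$1"; then
        echo "$1: executes code injected through the environment" >&2
        return 1
    fi
    si_ns=$(func_namespace "$1")
    case $si_ns in
        apple|upstream) echo "$1: ok (exported functions use the $si_ns namespace)" ;;
        *) echo "$1: exported functions are not namespaced ($si_ns)" >&2; return 1 ;;
    esac
}

# Check the binary named on the command line, e.g. build/Release/bash
if [ "$#" -gt 0 ]; then
    safe_to_install "$1"
fi
```

Run it against build/Release/bash before the sudo cp steps, and against /bin/bash and /bin/sh afterwards.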