Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Rosetta users beware

22 views
Skip to first unread message

Esben

unread,
Feb 3, 2012, 5:51:39 AM2/3/12
to
Updated Snow Leopard reports describe serious problems with
Rosetta-supported applications after installing Apple's Security Update
2012-001.

<http://www.macintouch.com/readerreports/snowleopard/index.html#d02feb20
12>






FUT: comp.mail.eudora.mac

Patty Winter

unread,
Feb 3, 2012, 12:14:40 PM2/3/12
to

Esben, thank you for posting this warning in the Eudora group.
I should have thought to do that yesterday when I saw the
discussion in comp.sys.mac.misc. That discussion caused me to
reject the offered security update in Software Update yesterday,
undoubtedly saving me some grief.

Here's another article, this one on MacRumors:

http://www.macrumors.com/2012/02/03/snow-leopard-security-update-kills-powerpc-apps-using-rosetta/

And one on CNET that offers ideas for backing out of the update
if you've already installed it:

http://reviews.cnet.com/8301-13727_7-57370890-263/rosetta-broken-in-os-x-10.6.8-after-security-update


Patty

Esben

unread,
Feb 3, 2012, 4:25:00 PM2/3/12
to
Yes, this thing seems quite serious. Hope they'll fix it. It's bad
enough not to be able to upgrade to Lion because of the need for
Rosetta.

I am considering running 10.6/10.4 in a virtual machine, så I'll start
experimenting with that some time soon.

Esben

David Empson

unread,
Feb 3, 2012, 11:02:46 PM2/3/12
to
Esben <es...@nospamget2net.dk> wrote:

> Patty Winter <pat...@wintertime.com> wrote:
>
> > Esben, thank you for posting this warning in the Eudora group.
> > I should have thought to do that yesterday when I saw the
> > discussion in comp.sys.mac.misc. That discussion caused me to
> > reject the offered security update in Software Update yesterday,
> > undoubtedly saving me some grief.
> >
> > Here's another article, this one on MacRumors:
> >
> > <http://www.macrumors.com/2012/02/03/snow-leopard-security-update-kills-po
> > werpc-apps-using-rosetta/>
> >
> > And one on CNET that offers ideas for backing out of the update if you've
> > already installed it:
> >
> > <http://reviews.cnet.com/8301-13727_7-57370890-263/rosetta-broken-in-os-x-
> > 10.6.8-after-security-update>
> >
>
> Yes, this thing seems quite serious. Hope they'll fix it. It's bad
> enough not to be able to upgrade to Lion because of the need for
> Rosetta.

Already fixed. Apple released a version 1.1 of Security Update 2012-001
today, and I can confirm it fixed the problems I was having in Eudora
with the Open, Save As and Print dialogs.

You can install the revised update on top of the original one.
--
David Empson
dem...@actrix.gen.nz

Peter Ceresole

unread,
Feb 3, 2012, 11:50:51 PM2/3/12
to
David Empson <dem...@actrix.gen.nz> wrote:

> Already fixed. Apple released a version 1.1 of Security Update 2012-001
> today, and I can confirm it fixed the problems I was having in Eudora
> with the Open, Save As and Print dialogs.

Presumably this is the version, labelled 1.1, now available through
'Software Update'?

I'm regularly using a couple of PPC apps, the main one being Eudora
6.2.4, and I shall hold off the update until I hear that my particular
setup (OS 10.6.8 on a 3.06 GHz Core 2 duo iMac) will survive okay.
--
Peter

David Empson

unread,
Feb 4, 2012, 12:28:35 AM2/4/12
to
Peter Ceresole <pe...@cara.demon.co.uk> wrote:

> David Empson <dem...@actrix.gen.nz> wrote:
>
> > Already fixed. Apple released a version 1.1 of Security Update 2012-001
> > today, and I can confirm it fixed the problems I was having in Eudora
> > with the Open, Save As and Print dialogs.
>
> Presumably this is the version, labelled 1.1, now available through
> 'Software Update'?

Yes. If you had already installed the original security update, Software
Update will offer version 1.1, and you can install it on top of the
original one (I did it this way).

If you hadn't yet installed Security Update 2012-001, you can now
install it via Software Update and you will get version 1.1 and will
avoid the problem.

Apple also updated the manual download images, which you can access via
<http://support.apple.com/downloads>. These pages have the download
links:

<http://support.apple.com/kb/DL1489> for Mac OS X 10.6.8
<http://support.apple.com/kb/DL1490> for Mac OS X Server 10.6.8

It appears that Apple replaced the download images and updated these
pages without changing the knowledge base article number, and they also
didn't mention the version number on the page.

The way to tell you have the right version is to be subscribed to
Apple's security announcements mailing lists, where they announce all
new software updates with security fixes. They published the SHA1 digest
of the original and revised versions in the relevant messages, and you
can check those against the web page and check it yourself on the
downloaded .dmg file to ensure you have the right version.

The original security update 2012-001 v1.0 had the following SHA
digests:

For Mac OS X v10.6.8
The download file is named: SecUpd2012-001Snow.dmg
Its SHA-1 digest is: 40875ee8cb609bbaefc8f421a9c34cc353db42b8

For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2012-001.dmg
Its SHA-1 digest is: 53b3ca5548001a9920aeabed4a034c6e4657fe20

The revised security update 2012-001 v1.1 has the following SHA digests:

For Mac OS X v10.6.8
The download file is named: SecUpd2012-001Snow.dmg
Its SHA-1 digest is: 29218a1a28efecd15b3033922d71f0441390490a

For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2012-001.dmg
Its SHA-1 digest is: 105bdebf2e07fc5c0127f482276ccb7b6b631199

You can check the SHA1 digest of the downloaded files with the following
command in Terminal:

openssl sha1 path_to_file

The easiest way to do this is to type the first part "openssl sha1 "
then drag-and-drop the .dmg file into the Terminal window, which pastes
its path, then press Return.

For example, here is the output when I did this myself to check I had
the right version:

% openssl sha1 /Users/dempson/Downloads/SecUpd2012-001Snow.dmg
SHA1(/Users/dempson/Downloads/SecUpd2012-001Snow.dmg)=
29218a1a28efecd15b3033922d71f0441390490a

> I'm regularly using a couple of PPC apps, the main one being Eudora
> 6.2.4, and I shall hold off the update until I hear that my particular
> setup (OS 10.6.8 on a 3.06 GHz Core 2 duo iMac) will survive okay.

I'm running Eudora 6.2.4 on Mac OS X 10.6.8 on a mid 2010 MacBook Pro,
but the Mac model is very unlikely to matter - the relevant parts of the
system software are identical for all Mac models.

If you are that worried about the Mac model being a factor, and nobody
with the same model confirms it is OK, then I suggest you make a clone
backup of your system, then install Security Update 2012-001 version
1.1, then immediately check Eudora can get into the Open, Save As and
Print dialogs without crashing.

If it doesn't work, then you can restore from your backup, or reinstall
Snow Leopard from the original DVD and apply all offered software
updates except for Security Update 2012-001. (You should manually
install Security Update 2011-006 instead. You can download it from
<http://support.apple.com/kb/DL1467>.)

--
David Empson
dem...@actrix.gen.nz

John H Meyers

unread,
Feb 4, 2012, 12:29:38 PM2/4/12
to
On 2/3/2012 11:14 AM, Patty Winter wrote:

> Here's another article, this one on MacRumors

Apple seems to move fast,
when all the world is watching its gaffe:

http://eudorabb.qualcomm.com/showthread.php?t=19364

Well, it woke up this sleepy group, anyway,
after more than a week's solid hibernation :)

--

Peter Ceresole

unread,
Feb 4, 2012, 12:39:45 PM2/4/12
to
David Empson <dem...@actrix.gen.nz> wrote:

> Yes. If you had already installed the original security update, Software
> Update will offer version 1.1, and you can install it on top of the
> original one (I did it this way).

Thank you; reassured, I just ran 'Software update' and all seems well.

And thanks to the OP here for the warning.
--
Peter

Esben

unread,
Feb 5, 2012, 7:06:39 AM2/5/12
to
Glad it helped! I always appreciate a heads-up myself!

Esben
OP

John H Meyers

unread,
Feb 8, 2012, 11:19:56 PM2/8/12
to
There seems to be a downside to version 1.1 of Security Update 2012-001,
but which users of PPC apps can not avoid, because either applying 1.1
or never even applying the original update
leaves the same situation of known vulnerabilities that aren't fixed:

In <http://tidbits.com/e/12768> Adam Engst says:

"Version 1.1 of this update removes the ImageIO security fixes
released in Security Update 2012-001" [an Apple statement]

"For what it’s worth, the now-removed ImageIO security fixes
revolve around eliminating vulnerabilities that could be exploited
by maliciously crafted TIFF and PNG images, and there’s
no way users can identify and avoid such files."

"The next time a security update comes out, much as I hate to say it,
hold off on updating for at least a few days. Enough other people
will install it that reports of problems will percolate through the
community quickly, and you can make a more-informed decision after a while."

Please refer to the complete article for other good points and comments.

--

David Empson

unread,
Feb 9, 2012, 5:09:15 AM2/9/12
to
John H Meyers <jhme...@nomail.invalid> wrote:

> There seems to be a downside to version 1.1 of Security Update 2012-001,
> but which users of PPC apps can not avoid, because either applying 1.1
> or never even applying the original update
> leaves the same situation of known vulnerabilities that aren't fixed:
>
> In <http://tidbits.com/e/12768> Adam Engst says:
>
> "Version 1.1 of this update removes the ImageIO security fixes
> released in Security Update 2012-001" [an Apple statement]
>
> "For what it's worth, the now-removed ImageIO security fixes
> revolve around eliminating vulnerabilities that could be exploited
> by maliciously crafted TIFF and PNG images, and there's
> no way users can identify and avoid such files."

That was evident immediately, since Apple's security-announce message
said that the v1.1 update removed the ImageIO security fixes from the
original update.

The crash is more serious than one known security vulnerability. The
situation is much worse for anyone who insists on continuing to run Mac
OS X 10.6.7 or earlier (or is stuck on 10.5.8 or earlier due to having
an older Mac), since those system versions have multiple probable and/or
known vulnerabilities.

I expect Apple decided the best solution was to urgently roll back that
particular security fix, and then develop and test a repaired version of
that fix in the next regularly scheduled security update (or sooner).

> "The next time a security update comes out, much as I hate to say it,
> hold off on updating for at least a few days. Enough other people
> will install it that reports of problems will percolate through the
> community quickly, and you can make a more-informed decision after a while."

Or install it first on a non-critical system, or make sure you back up
first so you can easily restore if problems arise.

I'll be doing the latter, if I haven't upgraded to Lion by the time the
next security update is released.

--
David Empson
dem...@actrix.gen.nz

David Morrison

unread,
Feb 9, 2012, 7:45:48 AM2/9/12
to
In article <1kf7zah.1mx8iqn9u6sxqN%dem...@actrix.gen.nz>,
dem...@actrix.gen.nz (David Empson) wrote:
> Or install it first on a non-critical system, or make sure you back up
> first so you can easily restore if problems arise.
>
> I'll be doing the latter, if I haven't upgraded to Lion by the time the
> next security update is released.

otoh, any security fix has likely been around for quite some time -
months or years - and a few more days is hardly going to increase the
likelihood of your system being compromised.

I think holding off a few days is going to save a lot of work restoring.
0 new messages