Ghost vulnerability

Michael Torrie torriem at gmail.com
Tue Feb 3 12:31:54 EST 2015


On 02/03/2015 04:19 AM, Steven D'Aprano wrote:
> Anssi Saari wrote:
> 
>> Rustom Mody <rustompmody at gmail.com> writes:
>>
>>> How many people (actually machines) out here are vulnerable?
>>>
>>>
>>> http://security.stackexchange.com/questions/80210/ghost-bug-is-there-a-simple-way-to-test-if-my-system-is-secure
>>>
>>> shows a python 1-liner to check
>>
>> Does that check actually work for anyone? That code didn't segfault on my
>> vulnerable Debian system but it did on my router which isn't (since the
>> router doesn't use glibc). Oh and of course I can't comment on
>> stinkexchange since I don't have whatever mana points they require...
> 
> Here's the one-liner:
> 
> python -c 'import socket;y="0"*50000000;socket.gethostbyname(y)'
> 
> 
> I think it is likely that y="0"*50000000 would segfault due to lack of
> memory on many machines. I wouldn't trust this as a test.

I ran it on both my servers (each running a different version of the OS)
which were recently updated to Red Hat's latest version of glibc that
fixes the problem, and both of them segfault with this one-liner.
