If you’re looking to test if your system is still vulnerable to GHOST (CVE-2015-0235), here are some simple one-liners. These can quickly be used in scripts to run tests.
One-liners
In Python:
$ /usr/sbin/clockdiff `python -c "print('0' * $((0x10000 - 16 * 1 - 2 * 4 - 1 - 4)))"`
Segmentation fault
$ echo $?
139
In PHP:
$ php -r '$e = "0";for($i = 0; $i < 2500; $i++){ $e = "0$e"; } gethostbyname($e);'
Segmentation fault
$ echo $?
139
Both scripts will return a segmentation fault if the system is vulnerable. The PHP script can be run as a non-privileged user; for the Python example you’ll need root privileges to run the clockdiff tool. You can use the exit/return code in scripts (should be 139) to test if your system is still vulnerable.
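One way to act on that exit code from a script, as an added example that is not part of the original post or of Red Hat's tooling: it wraps the PHP one-liner above and reports a crash only on status 139 (128 + SIGSEGV), so a missing `php` binary (127) or a PHP fatal error (255) is not mistaken for a clean result. The function names and verdict strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify the exit status of a GHOST crash probe.
# Function names and verdict strings are hypothetical, chosen for this example.

# ghost_probe_verdict CMD [ARGS...]
# Runs the probe and prints one verdict:
#   vulnerable        status 139: the probe was killed by SIGSEGV (128 + 11)
#   no-crash          status 0: the probe ran to completion without crashing
#   inconclusive(N)   anything else: the probe did not run as intended
ghost_probe_verdict() {
    status=0
    # The subshell keeps the shell's own "Segmentation fault" message quiet;
    # "|| status=$?" keeps the function usable under "set -e".
    ( "$@" ) >/dev/null 2>&1 || status=$?
    case "$status" in
        139) echo "vulnerable" ;;
        0)   echo "no-crash" ;;
        *)   echo "inconclusive($status)" ;;
    esac
}

# ghost_check_php: run the PHP one-liner from this page through the classifier.
ghost_check_php() {
    if ! command -v php >/dev/null 2>&1; then
        echo "inconclusive(php not installed)"
        return 0
    fi
    ghost_probe_verdict php -r \
        '$e = "0"; for ($i = 0; $i < 2500; $i++) { $e = "0$e"; } gethostbyname($e);'
}

# Run the check only when asked to, e.g.: sh ghost-verdict.sh --run
if [ "${1:-}" = "--run" ]; then
    ghost_check_php
fi
```

Only status 0 is treated as a clean result because that is what the PHP probe returns when it does not crash; the status clockdiff returns when it does not crash is not given on this page, so pass it to `ghost_probe_verdict` only to detect 139.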
Red Hat bash script
Red Hat also offers a GHOST shell script you can run, which verifies the changelog of the glibc packages in the RPM database.
#!/bin/bash
#Version 3
echo "Installed glibc version(s)"
rv=0
for glibc_nvr in $( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do
    glibc_ver=$( echo "$glibc_nvr" | awk -F- '{ print $2 }' )
    glibc_maj=$( echo "$glibc_ver" | awk -F. '{ print $1 }')
    glibc_min=$( echo "$glibc_ver" | awk -F. '{ print $2 }')
    echo -n "- $glibc_nvr: "
    if [ "$glibc_maj" -gt 2 -o \
        \( "$glibc_maj" -eq 2 -a "$glibc_min" -ge 18 \) ]; then
        # fixed upstream version
        echo 'not vulnerable'
    else
        # all RHEL updates include CVE in rpm %changelog
        if rpm -q --changelog "$glibc_nvr" | grep -q 'CVE-2015-0235'; then
            echo "not vulnerable"
        else
            echo "vulnerable"
            rv=1
        fi
    fi
done
if [ $rv -ne 0 ]; then
    cat <<EOF
This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps
EOF
fi
exit $rv
Save the script somewhere, make it executable and run it.
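$ ./ghost.sh
Installed glibc version(s)
- glibc-2.12-1.149.el6_6.4.x86_64: vulnerable
This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps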
Happy patching!