


Re: Ghost vulnerability

Date 2015-02-03 10:31 -0700
From Michael Torrie <torriem@gmail.com>
Subject Re: Ghost vulnerability
References <75fe0f21-3ffb-4649-ad06-0dcbdad631fa@googlegroups.com> <vg3wq3zpbi9.fsf@coffee.modeemi.fi> <54d0aeb9$0$12994$c3e8da3$5496439d@news.astraweb.com>
Newsgroups comp.lang.python
Message-ID <mailman.18437.1422984725.18130.python-list@python.org> (permalink)



On 02/03/2015 04:19 AM, Steven D'Aprano wrote:
> Anssi Saari wrote:
> 
>> Rustom Mody <rustompmody@gmail.com> writes:
>>
>>> How many people (actually machines) out here are vulnerable?
>>>
>>> http://security.stackexchange.com/questions/80210/ghost-bug-is-there-a-simple-way-to-test-if-my-system-is-secure
>>>
>>> shows a python 1-liner to check
>>
>> Does that check actually work for anyone? That code didn't segfault on my
>> vulnerable Debian system but it did on my router which isn't (since the
>> router doesn't use glibc). Oh and of course I can't comment on
>> stinkexchange since I don't have whatever mana points they require...
> 
> Here's the one-liner:
> 
> python -c 'import socket;y="0"*50000000;socket.gethostbyname(y)'
> 
> 
> I think it is likely that y="0"*50000000 would segfault due to lack of
> memory on many machines. I wouldn't trust this as a test.

I ran it on both my servers (each running a different version of the OS)
which were recently updated to Red Hat's latest version of glibc that
fixes the problem, and both of them segfault with this one liner.
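
Added example, not part of the original post or thread: a harness that runs the quoted one-liner in a child process and reports how the child ended (killed by a signal, Python exception, or clean exit), which is the distinction the thread is arguing over. The names `classify` and `run_probe` and the chosen lengths are assumptions made here; as the post above reports, a SIGSEGV result on its own does not separate a patched glibc from an unpatched one.

```python
import signal
import subprocess
import sys

# The one-liner quoted in the thread, with the string length as an argument.
PROBE = "import socket, sys; socket.gethostbyname('0' * int(sys.argv[1]))"


def classify(returncode, stderr):
    """Turn a child's exit status and stderr into a short description."""
    if returncode < 0:
        # subprocess reports death by signal as a negative return code.
        try:
            return "killed by " + signal.Signals(-returncode).name
        except ValueError:
            return "killed by signal %d" % -returncode
    if returncode == 0:
        return "no error"
    # An uncaught Python exception ends the traceback with "Name: message".
    lines = stderr.strip().splitlines()
    exc = lines[-1].split(":", 1)[0].strip() if lines else ""
    if exc:
        return "python exception " + exc
    return "exit code %d" % returncode


def run_probe(length, timeout=60):
    """Run the probe in a separate interpreter so a crash stays contained."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", PROBE, str(length)],
            capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "timed out"
    return classify(proc.returncode, proc.stderr)


if __name__ == "__main__":
    # Lengths are constructed sample values; the last is the one in the thread.
    for length in (10, 1000, 1000000, 50000000):
        print(length, run_probe(length))
```

Comparing the results across lengths shows whether the crash appears only at sizes where memory or stack limits are the likelier cause, which is the doubt raised in the quoted reply.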



Thread

Ghost vulnerability Rustom Mody <rustompmody@gmail.com> - 2015-02-02 19:53 -0800
  Re: Ghost vulnerability Chris Angelico <rosuav@gmail.com> - 2015-02-03 15:38 +1100
  Re: Ghost vulnerability Anssi Saari <as@sci.fi> - 2015-02-03 11:53 +0200
    Re: Ghost vulnerability Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2015-02-03 22:19 +1100
      Re: Ghost vulnerability Michael Torrie <torriem@gmail.com> - 2015-02-03 10:31 -0700
      Re: Ghost vulnerability Anssi Saari <as@sci.fi> - 2015-02-03 21:38 +0200
        Re: Ghost vulnerability Chris Angelico <rosuav@gmail.com> - 2015-02-04 09:08 +1100
        Re: Ghost vulnerability Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2015-02-04 13:13 +1100
  Re: Ghost vulnerability Marc Aymerich <glicerinu@gmail.com> - 2015-02-03 18:47 +0100
