Ghost, CVE-2015-0235

January 28, 2015

As tech news are buzzing with another bug that might affect Linux servers out there in the wild, let’s keep in mind that the Ghost vulnerability affects glibc versions prior to v2.18. Therefore those running on glibc v2.18/19/20 are safe from CVE-2015-0235.

Most recent Linux distributions are thus bundled with either glibc v2.18 or v2.19. Distributions providing long term support (LTS) and which were released prior to May 2013 might include older versions that carry the vulnerability.

Check for your glibc version as follows, on Debian based run dpkg -l | grep “GNU C Library” and RPM based (i.e RHEL, CentOS, Fedora, openSUSE) do rpm -qva | grep glibc.

Alternately, you could compile the following tool as provided by the University of Chicago.


#define CANARY "in_the_coal_mine"

struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  if (strcmp(temp.canary, CANARY) != 0) {
  if (retval == ERANGE) {
    puts("not vulnerable");
  puts("should not happen");

Compile the code as follows: gcc ghost.c -o ghost Run it as: ./ghost

If your system is vulnerable, update glibc package from your distro repository (most distributions have synced their repos with a patched version) and reload applications using the “libc” library. To get a list of processes/apps using the library, do: lsof | grep libc | awk ‘{print $1}’ | uniq