apply glibc update if vulnerable to CVE-2015-0235

playbooks/roles/security/files/tmp/GHOST.c

+/*
+ * GHOST vulnerability check
+ * http://www.openwall.com/lists/oss-security/2015/01/27/9
+ * Usage: gcc GHOST.c -o GHOST && ./GHOST
+ */ 
+ 
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#define CANARY "in_the_coal_mine"
+
+struct {
+  char buffer[1024];
+  char canary[sizeof(CANARY)];
+} temp = { "buffer", CANARY };
+
+int main(void) {
+  struct hostent resbuf;
+  struct hostent *result;
+  int herrno;
+  int retval;
+
+  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
+  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
+  char name[sizeof(temp.buffer)];
+  memset(name, '0', len);
+  name[len] = '\0';
+
+  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
+
+  if (strcmp(temp.canary, CANARY) != 0) {
+    puts("vulnerable");
+    exit(EXIT_SUCCESS);
+  }
+  if (retval == ERANGE) {
+    puts("OK");
+    exit(EXIT_SUCCESS);
+  }
+  puts("should not happen");
+  exit(EXIT_FAILURE);
+}

playbooks/roles/security/tasks/security-ubuntu.yml

@@ -48,3 +48,24 @@
   when: "'vulnerable' in test_vuln.stdout"
   register: test_vuln
   failed_when: "'vulnerable' in test_vuln.stdout"
+
+#### GHOST security vulnerability
+
+- name: GHOST.c
+  copy: >
+    src=tmp/GHOST.c
+    dest=/tmp/GHOST.c
+    owner=root group=root
+
+- name: compile GHOST
+  shell: gcc -o /tmp/GHOST /tmp/GHOST.c
+
+- name: Check if we are vulnerable
+  shell: /tmp/GHOST
+  register: test_ghost_vuln
+  ignore_errors: yes
+
+- name: Apply glibc security update if we are vulnerable
+  apt: name=libc6 state=latest update_cache=true
+  when: "'vulnerable' in test_ghost_vuln.stdout"
+