Created April 9, 2014 12:08
List apps linked against a potentially heartbleed-vulnerable openssl on your Mac
for i in /usr/local/{bin,sbin}/*; do otool -L "$i"; done | sed -e '/^.*is not an object file.*$/d' -e 's|^\(/.*\):$|@\1|' | awk 'BEGIN { RS="@" } !/ssl/ { next } !/^[[:space:]]*(\/.*ssl\.0\.9\.8.*\.dylib)/ { print $1 }'

Interesting things I discovered during this exercise:
• common system tools use all the wrong default behaviours for 2014. Who the heck wants BRE? Where's negative lookahead assertion? Why won't awk match form feed? This gist could be a lot shorter / sensible.
• you can force sed to ERE with -E. No such option exists for awk.
• saving two characters in your sed command by using 3 to turn on ERE is not a win, even if the regexp is slightly more readable.
• this gist will give false positives, because otool reports e.g. openssl 1.0.1g as 1.0.0 so it's not possible to just match vulnerable versions, as vulnerable and not vulnerable 1.0's appear the same. Fixing this doubles the command length, more or less.
• renewed their SSL cert quickly. Good Guy Github :)
• option+8 makes dots. ••••••••••••••••••••
• ᗧ • • • ᗣ
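
An added example (not part of the original gist or its author's comment) for the false-positive problem noted above: rather than trusting the dylib name that otool reports, it reads the release string embedded in each linked libssl/libcrypto file and flags only the Heartbleed range, 1.0.1 through 1.0.1f and the 1.0.2 betas. The function names are hypothetical, and it assumes the library carries its release as "OpenSSL x.y.z" text and is linked by absolute path.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the gist.
# Usage: sh thisfile.sh /usr/local/bin/* /usr/local/sbin/*

# Succeed only for releases affected by Heartbleed:
# 1.0.1 through 1.0.1f and the 1.0.2 betas. 1.0.1g is the fixed release.
is_heartbleed_version() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.2-beta|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the first "OpenSSL x.y.z" release embedded in a library file
# (assumption: the build kept its version text). Prints nothing when the
# file is missing, e.g. for @rpath-relative install names.
embedded_openssl_version() {
    LC_ALL=C grep -aoE 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]?(-beta[0-9]*)?' \
        "$1" 2>/dev/null | head -n 1 | cut -d' ' -f2
}

# Read `otool -L` output on stdin and print "binary<TAB>library" for
# every linked libssl or libcrypto dylib.
linked_openssl_libs() {
    awk '
        /^\/.*:$/ { bin = substr($0, 1, length($0) - 1); next }  # "/path:" header
        $1 ~ /lib(ssl|crypto)[^\/]*\.dylib$/ { print bin "\t" $1 }
    '
}

# Report binaries whose linked library embeds a vulnerable release string.
scan_files() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        otool -L "$f" 2>/dev/null
    done | linked_openssl_libs |
    while IFS="$(printf '\t')" read -r bin lib; do
        ver=$(embedded_openssl_version "$lib")
        if is_heartbleed_version "$ver"; then
            printf '%s links %s (OpenSSL %s)\n' "$bin" "$lib" "$ver"
        fi
    done
}

if [ "$#" -gt 0 ]; then scan_files "$@"; fi
```

A binary that links the library through a relative install name, or that has OpenSSL statically compiled in, is not reported by this check.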
