Bug#934394:

2019-08-12 Thread ltspro2
I suggest applying the attached patch.--- dhcp.c 2019-07-30 00:00:00.0 + +++ dhcp.c 2019-08-12 00:00:00.0 + @@ -1146,6 +1146,8 @@ int pumpDhcpRelease(struct pumpNetIntf * free(intf->hostname); if (intf->set & PUMP_NETINFO_HAS_DOMAIN) free(intf->domain); +if (int
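Review bot: the added `+if (int` line in pumpDhcpRelease() is cut off in this view, so its guard cannot be checked. It should test the matching bit in `intf->set` before calling free(), the same way the `PUMP_NETINFO_HAS_DOMAIN` line directly above it does. The visible context also does not show the freed pointers or their `intf->set` bits being reset; if they are not reset further down, clear them after the frees so that a second release on the same interface does not free the same memory twice.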

Bug#933677: Non-conformant value of "Maximum DHCP Message Size" option

2019-08-12 Thread ltspro2
I suggest applying the attached patch.--- dhcp.c 2019-07-30 00:00:00.0 + +++ dhcp.c 2019-08-12 00:00:00.0 + @@ -1263,7 +1263,8 @@ static void buildRequest(struct bootpReq addClientIdentifier(flags, req); -aShort = ntohs(sizeof(struct bootpRequest)); +aShort
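Review bot: the removed line in buildRequest() converted a value bound for the wire with `ntohs()`, and the replacement `+aShort` assignment is cut off here, so confirm that the new line uses `htons()` instead of carrying the `ntohs()` over. The result is the same on common platforms, but `htons()` states the intended direction. Also confirm that the advertised value is no lower than the 576 octets the report quotes from RFC2132, and that the receive buffer can actually hold a reply of the size being advertised.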

Bug#934394: A very minor memory leak

2019-08-10 Thread ltspro2
Package: pump Version: 0.8.24-7.1 Severity: minor intf->nisDomain is not freed in pumpDhcpRelease() unlike intf->domain and intf->hostname.

Bug#934393: Multiple stack buffer over-reads during processing of malformed DHCP packets

2019-08-10 Thread ltspro2
Package: pump Version: 0.8.24-7.1 Severity: minor Pump can copy bytes from a memory area beyond struct bootpRequest when the length field of the last DHCP option is greater than the number of remaining bytes in bootpRequest. This does not seem to have security implications because this area contai

Bug#933680: DHCP 'option overload' must be supported

2019-08-01 Thread ltspro2
Package: pump Version: 0.8.24-7.1 Severity: normal Currently pump recognizes but ignores DHCP_OPTION_OVERLOAD. According to RFC2131, clients MUST interpret the 'file' and 'sname' fields as DHCP options if 'option overload' indicates so.

Bug#933677: Non-conformant value of "Maximum DHCP Message Size" option

2019-08-01 Thread ltspro2
Control: retitle -1 Non-conformant value of "Maximum DHCP Message Size" option

Bug#933677:

2019-08-01 Thread ltspro2
Control: retitle -1 Non-conformant value of "Maximum DHCP Message Size" option

Bug#933677: Buffer overflow during processing of large server replies in "pump"

2019-08-01 Thread ltspro2
Package: pump Version: 0.8.24-7.1 Severity: normal This daemon sends "Maximum DHCP Message Size" option with a value equal to sizeof(struct bootpRequest) but "the minimum legal value is 576 octets" according to RFC2132 (i.e., it should include not only sizeof(struct bootpRequest) but also size of

Bug#933674: Buffer overflow during processing of large server replies in "pump"

2019-08-01 Thread ltspro2
Package: pump Version: 0.8.24-7.1 Severity: grave Tags: security There is a missing check in source file dhcp.c, function handleTransaction(), line 958 when copying body of the server response to struct bootpRequest bresp. Ethernet packet length can be greater than sizeof(*bresp) == 548 but handle