CVE-2017-17066

NameCVE-2017-17066
DescriptionThe (1) i2pd before 2.17 and (2) kovri pre-alpha implementations of the I2P routing protocol do not properly handle Garlic DeliveryTypeTunnel packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading sensitive router memory, aka the GarlicRust bug.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
i2pd (PTS)buster2.23.0-1fixed
bullseye2.36.0-1fixed
bookworm2.45.1-1fixed
sid2.51.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
i2pdsource(unstable)(not affected)

Notes

- i2pd <not-affected> (Fixed before/with the initial upload to Debian)
Issue fixed with 2.17.0 upstream
Search for package or bug name: Reporting problems