Add entry for libp2p-core vulnerability (#1182)

* Add entry for libp2p-core vulnerability

* Update crates/libp2p-core/RUSTSEC-0000-0000.md

Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>

* Update crates/libp2p-core/RUSTSEC-0000-0000.md

Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>

Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
Thomas Eizinger
2022-02-07 11:49:19 +11:00
committed by GitHub
parent b2a864d3d9
commit ec4cc26a33


@@ -0,0 +1,21 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "libp2p-core"
date = "2022-02-07"
categories = ["crypto-failure"]
[affected]
functions = { "libp2p_core::PeerRecord::from_signed_envelope" = [">= 0.30.0-rc.1"] }
[versions]
unaffected = ["< 0.30.0-rc.1"]
patched = [">= 0.31.1"]
```
# Failure to verify the public key of a `SignedEnvelope` against the `PeerId` in a `PeerRecord`
Affected versions of this crate did not check that the public key the signature was created with matches the peer ID of the peer record.
Any combination was considered valid.
This allows an attacker to republish an existing `PeerRecord` with a different `PeerId`.
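Review bot: the version requirement on the affected function has no upper bound, so `"libp2p_core::PeerRecord::from_signed_envelope" = [">= 0.30.0-rc.1"]` still marks versions `>= 0.31.1` as affected even though `[versions]` lists them as patched; restrict it to the same range the advisory declares, e.g. `[">= 0.30.0-rc.1, < 0.31.1"]`, so the function-level and crate-level ranges agree and tooling does not flag patched releases. The description could also state the consequence for consumers (a record accepted under the wrong `PeerId`) and mention that the fix makes `from_signed_envelope` reject envelopes whose key does not match the record's peer ID, since the current text only says what was not checked.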