From ec4cc26a337fbdb92196a6ee79dd9c610c955be5 Mon Sep 17 00:00:00 2001
From: Thomas Eizinger <thomas@eizinger.io>
Date: Mon, 7 Feb 2022 11:49:19 +1100
Subject: [PATCH] Add entry for libp2p-core vulnerability (#1182)

* Add entry for libp2p-core vulnerability

* Update crates/libp2p-core/RUSTSEC-0000-0000.md

Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>

* Update crates/libp2p-core/RUSTSEC-0000-0000.md

Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>

Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
---
 crates/libp2p-core/RUSTSEC-0000-0000.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 crates/libp2p-core/RUSTSEC-0000-0000.md

diff --git a/crates/libp2p-core/RUSTSEC-0000-0000.md b/crates/libp2p-core/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..344038b
--- /dev/null
+++ b/crates/libp2p-core/RUSTSEC-0000-0000.md
@@ -0,0 +1,21 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "libp2p-core"
+date = "2022-02-07"
+categories = ["crypto-failure"]
+
+[affected]
+functions = { "libp2p_core::PeerRecord::from_signed_envelope" = [">= 0.30.0-rc.1"] }
+
+[versions]
+unaffected = ["< 0.30.0-rc.1"]
+patched = [">= 0.31.1"]
+```
+
+# Failure to verify the public key of a `SignedEnvelope` against the `PeerId` in a `PeerRecord`
+
+Affected versions of this crate did not check that the public key the signature was created with matches the peer ID of the peer record. 
+Any combination was considered valid.
+
+This allows an attacker to republish an existing `PeerRecord` with a different `PeerId`.