mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-02-13 21:18:11 +01:00

Files

Thomas Eizinger 9079010767 Update RUSTSEC-2022-0009.md (#1186 )

* Update RUSTSEC-2022-0009.md

We published a semver compatible upgrade that includes the security fix.

* A 0.30.x point release has been issued; include it

Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>

2022-02-07 15:18:27 +01:00

664 B

Raw Blame History

[advisory]
id = "RUSTSEC-2022-0009"
package = "libp2p-core"
date = "2022-02-07"
categories = ["crypto-failure"]

[affected]
functions = { "libp2p_core::PeerRecord::from_signed_envelope" = [">= 0.30.0-rc.1"] }

[versions]
unaffected = ["< 0.30.0-rc.1"]
patched = ["^ 0.30.2", ">= 0.31.1"]

Failure to verify the public key of a `SignedEnvelope` against the `PeerId` in a `PeerRecord`

Affected versions of this crate did not check that the public key the signature was created with matches the peer ID of the peer record. Any combination was considered valid.

This allows an attacker to republish an existing PeerRecord with a different PeerId.

664 B Raw Blame History

Failure to verify the public key of a SignedEnvelope against the PeerId in a PeerRecord

664 B

Raw Blame History

Failure to verify the public key of a `SignedEnvelope` against the `PeerId` in a `PeerRecord`