Vulnerability Report: Unsanitized signedPeerRecord in Identify (Python)

### Summary

The Python Identify implementation accepts signedPeerRecord without validation.
An attacker can forward a valid signed PeerRecord from another peer, causing address poisoning / identity spoofing.

This is equivalent to the [Go libp2p Identify vulnerability](https://osv.dev/vulnerability/CVE-2023-40583)
, which has already been patched.

### Expected behavior

identify: reject signed peer records on peer ID mismatch
and make ConsumeEnvelope harder to misuse

### Actual behavior

accept signed peer records on peer ID mismatch

### Relevant log output

```shell

```

### Possible Solution

Add strict validation for signedPeerRecord in parse_identify_response to prevent identity spoofing and peerstore poisoning.
There is a similar fix [logic](https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd)

### Environment

```shell

```

### Would you like to work on fixing this bug ?

Yes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Vulnerability Report: Unsanitized signedPeerRecord in Identify (Python) #958

Summary

Expected behavior

Actual behavior

Relevant log output

Possible Solution

Environment

Would you like to work on fixing this bug ?

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Vulnerability Report: Unsanitized signedPeerRecord in Identify (Python) #958

Description

Summary

Expected behavior

Actual behavior

Relevant log output

Possible Solution

Environment

Would you like to work on fixing this bug ?

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions