mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
poppler: fix CVE-2025-43903
NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-43903 Upstream patch: https://gitlab.freedesktop.org/poppler/poppler/-/commit/f1b9c830f145a0042e853d6462b2f9ca4016c669 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
committed by
Armin Kuster
parent
5c4b61d38a
commit
45bddd258a
@@ -0,0 +1,54 @@
|
|||||||
|
From f1b9c830f145a0042e853d6462b2f9ca4016c669 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Juraj sarinay <juraj@sarinay.com>
|
||||||
|
Date: Thu, 6 Mar 2025 02:02:56 +0100
|
||||||
|
Subject: [PATCH] Properly verify adbe.pkcs7.sha1 signatures.
|
||||||
|
|
||||||
|
For signatures with non-empty encapsulated content
|
||||||
|
(typically adbe.pkcs7.sha1), we only compared hash values and
|
||||||
|
never actually checked SignatureValue within SignerInfo.
|
||||||
|
The bug introduced by c7c0207b
|
||||||
|
made trivial signature forgeries possible. Fix this by calling
|
||||||
|
NSS_CMSSignerInfo_Verify() after the hash values compare equal.
|
||||||
|
|
||||||
|
CVE: CVE-2025-43903
|
||||||
|
Upstream-Status: Backport [https://gitlab.freedesktop.org/poppler/poppler/-/commit/f1b9c830f145a0042e853d6462b2f9ca4016c669]
|
||||||
|
|
||||||
|
Changes:
|
||||||
|
- Refresh patch context as per the source code.
|
||||||
|
|
||||||
|
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
|
||||||
|
---
|
||||||
|
poppler/SignatureHandler.cc | 13 ++++++++-----
|
||||||
|
1 file changed, 8 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/poppler/SignatureHandler.cc b/poppler/SignatureHandler.cc
|
||||||
|
index 6538239..4008b2c 100644
|
||||||
|
--- a/poppler/SignatureHandler.cc
|
||||||
|
+++ b/poppler/SignatureHandler.cc
|
||||||
|
@@ -969,16 +969,19 @@ SignatureValidationStatus SignatureHandler::validateSignature()
|
||||||
|
This means it's not a detached type signature
|
||||||
|
so the digest is contained in SignedData->contentInfo
|
||||||
|
*/
|
||||||
|
- if (memcmp(digest.data, content_info_data->data, hash_length) == 0 && digest.len == content_info_data->len) {
|
||||||
|
- PORT_Free(digest_buffer);
|
||||||
|
- return SIGNATURE_VALID;
|
||||||
|
- } else {
|
||||||
|
+ if (digest.len != content_info_data->len || memcmp(digest.data, content_info_data->data, digest.len) != 0) {
|
||||||
|
PORT_Free(digest_buffer);
|
||||||
|
return SIGNATURE_DIGEST_MISMATCH;
|
||||||
|
}
|
||||||
|
|
||||||
|
- } else if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
|
||||||
|
+ auto innerHashContext = HASH_Create(getHashAlgorithm());
|
||||||
|
+ HASH_Update(innerHashContext, content_info_data->data, content_info_data->len);
|
||||||
|
+ HASH_End(innerHashContext, digest_buffer, &result_len, hash_length);
|
||||||
|
+ digest.data = digest_buffer;
|
||||||
|
+ digest.len = hash_length;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
+ if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
|
||||||
|
PORT_Free(digest_buffer);
|
||||||
|
return NSS_SigTranslate(CMSSignerInfo->verificationStatus);
|
||||||
|
} else {
|
||||||
|
--
|
||||||
|
2.40.0
|
||||||
@@ -13,6 +13,7 @@ SRC_URI = "http://poppler.freedesktop.org/${BP}.tar.xz \
|
|||||||
file://CVE-2024-56378.patch \
|
file://CVE-2024-56378.patch \
|
||||||
file://CVE-2025-32364.patch \
|
file://CVE-2025-32364.patch \
|
||||||
file://CVE-2025-32365.patch \
|
file://CVE-2025-32365.patch \
|
||||||
|
file://CVE-2025-43903.patch \
|
||||||
"
|
"
|
||||||
SRC_URI[sha256sum] = "813fb4b90e7bda63df53205c548602bae728887a60f4048aae4dbd9b1927deff"
|
SRC_URI[sha256sum] = "813fb4b90e7bda63df53205c548602bae728887a60f4048aae4dbd9b1927deff"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user