Properly verify adbe.pkcs7.sha1 signatures.
author Juraj Šarinay <juraj@sarinay.com>
Thu, 6 Mar 2025 01:02:56 +0000 (02:02 +0100)
committer Jeremy Bícha <jbicha@ubuntu.com>
Sun, 31 Aug 2025 18:01:36 +0000 (14:01 -0400)
commit d26459746fdeed0bbae0cbd8156fcbb607ef2027
tree b85818888869ddf359a50d756bceeabf90e014a0
parent e1468f8800a1ae8a1f3ccbb046fea9523b4c0af1
Properly verify adbe.pkcs7.sha1 signatures.

For signatures with non-empty encapsulated content
(typically adbe.pkcs7.sha1), we only compared hash values and
never actually checked SignatureValue within SignerInfo.
The bug introduced by c7c0207b1cfe49a4353d6cda93dbebef4508138f
made trivial signature forgeries possible. Fix this by calling
NSS_CMSSignerInfo_Verify() after the hash values compare equal.

Origin: upstream 25.04.0

Gbp-Pq: Name CVE-2025-43903.patch
poppler/NSSCryptoSignBackend.cc
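
The check order the commit message describes, as a simplified regression model added here (not poppler or NSS code). The toy textbook-RSA key, the `SignerInfo` dataclass and every function name are assumptions for illustration; `signature_ok` stands in for the check done by NSS_CMSSignerInfo_Verify(), and signed attributes are omitted.

```python
import hashlib
from dataclasses import dataclass

# Constructed toy RSA key (textbook RSA, no padding) standing in for the
# signer's certificate key. Illustration only, never use for real signing.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

@dataclass
class SignerInfo:
    """Simplified model of CMS SignedData with encapsulated content."""
    encap_content: bytes   # for adbe.pkcs7.sha1: SHA-1 of the signed bytes
    signature_value: int   # SignatureValue computed over encap_content

def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def sign(document: bytes) -> SignerInfo:
    content = hashlib.sha1(document).digest()
    return SignerInfo(content, pow(_digest_int(content), D, N))

def signature_ok(si: SignerInfo) -> bool:
    """Stand-in for the cryptographic check on SignatureValue."""
    return pow(si.signature_value, E, N) == _digest_int(si.encap_content)

def verify_hash_only(document: bytes, si: SignerInfo) -> bool:
    """Behaviour the commit message describes before the fix."""
    return hashlib.sha1(document).digest() == si.encap_content

def verify_fixed(document: bytes, si: SignerInfo) -> bool:
    """Behaviour after the fix: digest comparison, then signature check."""
    return verify_hash_only(document, si) and signature_ok(si)

def regression_cases() -> dict:
    """Return (hash_only, fixed) verdicts for three constructed inputs."""
    doc = b"constructed document bytes"
    good = sign(doc)
    # Digest matches, but SignatureValue was not produced by the signer's key.
    unsigned = SignerInfo(hashlib.sha1(doc).digest(), 1)
    tampered = doc + b", modified"
    return {
        "good": (verify_hash_only(doc, good), verify_fixed(doc, good)),
        "unsigned": (verify_hash_only(doc, unsigned), verify_fixed(doc, unsigned)),
        "tampered": (verify_hash_only(tampered, good), verify_fixed(tampered, good)),
    }
```

The `unsigned` case is the one a regression test for this fix needs to cover: the digest comparison alone passes it, the added signature check rejects it.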