Properly verify adbe.pkcs7.sha1 signatures.
authorJuraj Šarinay <juraj@sarinay.com>
Thu, 6 Mar 2025 01:02:56 +0000 (02:02 +0100)
committerJeremy Bícha <jbicha@ubuntu.com>
Fri, 18 Apr 2025 22:16:32 +0000 (18:16 -0400)
For signatures with non-empty encapsulated content
(typically adbe.pkcs7.sha1), we only compared hash values and
never actually checked SignatureValue within SignerInfo.
The bug introduced by c7c0207b1cfe49a4353d6cda93dbebef4508138f
made trivial signature forgeries possible. Fix this by calling
NSS_CMSSignerInfo_Verify() after the hash values compare equal.

Origin: upstream 25.04.0

Gbp-Pq: Name CVE-2025-43903.patch

poppler/NSSCryptoSignBackend.cc

index 521137d6b834fba094e10dc1e2e140ae7b047032..eeea26ee3540579a7e868dc389e39617bcedabb8 100644 (file)
@@ -877,13 +877,18 @@ SignatureValidationStatus NSSSignatureVerification::validateSignature()
           This means it's not a detached type signature
           so the digest is contained in SignedData->contentInfo
         */
-        if (digest.len == content_info_data->len && memcmp(digest.data, content_info_data->data, digest.len) == 0) {
-            return SIGNATURE_VALID;
-        } else {
+        if (digest.len != content_info_data->len || memcmp(digest.data, content_info_data->data, digest.len) != 0) {
             return SIGNATURE_DIGEST_MISMATCH;
         }
 
-    } else if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
+        auto innerHashContext = HashContext::create(hashContext->getHashAlgorithm());
+        innerHashContext->updateHash(content_info_data->data, content_info_data->len);
+        digest_buffer = innerHashContext->endHash();
+        digest.data = digest_buffer.data();
+        digest.len = digest_buffer.size();
+    }
+
+    if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
         return NSS_SigTranslate(CMSSignerInfo->verificationStatus);
     } else {
         return SIGNATURE_VALID;
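Review bot: `innerHashContext` is dereferenced on the line directly after `HashContext::create(hashContext->getHashAlgorithm())` with no null check. `create` is defined outside this hunk, so this needs confirming, but if it can return an empty pointer for an algorithm the NSS build does not provide, a crafted signature would crash the verifier on this path instead of being rejected. A guard such as `if (!innerHashContext) { return SIGNATURE_GENERIC_ERROR; }` before `updateHash` would make that case fail closed. The re-hash also deserves a short comment above it, e.g. `// SignatureValue is computed over the encapsulated content, so verify against its hash rather than the document digest`, so the reason `digest` is overwritten before `NSS_CMSSignerInfo_Verify()` is not lost in a later refactor. validateSignature() starts and ends outside the hunk, so the declaration and lifetime of `digest_buffer` could not be checked here.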