From ad97feeb70808c40353da7cfe77441dc24b7fc31 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Juraj=20=C5=A0arinay?=
Date: Thu, 6 Mar 2025 02:02:56 +0100
Subject: [PATCH] Properly verify adbe.pkcs7.sha1 signatures.

For signatures with non-empty encapsulated content (typically adbe.pkcs7.sha1), we only compared hash values and never actually checked SignatureValue within SignerInfo. The bug introduced by c7c0207b1cfe49a4353d6cda93dbebef4508138f made trivial signature forgeries possible. Fix this by calling NSS_CMSSignerInfo_Verify() after the hash values compare equal.

Origin: upstream 25.04.0

Gbp-Pq: Name CVE-2025-43903.patch
---
 poppler/NSSCryptoSignBackend.cc | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/poppler/NSSCryptoSignBackend.cc b/poppler/NSSCryptoSignBackend.cc
index 521137d..eeea26e 100644
--- a/poppler/NSSCryptoSignBackend.cc
+++ b/poppler/NSSCryptoSignBackend.cc
@@ -877,13 +877,18 @@ SignatureValidationStatus NSSSignatureVerification::validateSignature()
 This means it's not a detached type signature so the digest is contained in SignedData->contentInfo */
- if (digest.len == content_info_data->len && memcmp(digest.data, content_info_data->data, digest.len) == 0) {
- return SIGNATURE_VALID;
- } else {
+ if (digest.len != content_info_data->len || memcmp(digest.data, content_info_data->data, digest.len) != 0) {
 return SIGNATURE_DIGEST_MISMATCH;
 }
- } else if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
+ auto innerHashContext = HashContext::create(hashContext->getHashAlgorithm());
+ innerHashContext->updateHash(content_info_data->data, content_info_data->len);
+ digest_buffer = innerHashContext->endHash();
+ digest.data = digest_buffer.data();
+ digest.len = digest_buffer.size();
+ }
+
+ if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
 return NSS_SigTranslate(CMSSignerInfo->verificationStatus);
 } else {
 return SIGNATURE_VALID;
--
2.30.2
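Review bot: The added `innerHashContext` is dereferenced on the very next line without a check, so if `HashContext::create()` can return an empty pointer (its definition is outside this hunk) a failed digest-context setup would crash validation of an untrusted document instead of reporting an error; a guard such as `if (!innerHashContext) { return SIGNATURE_GENERIC_ERROR; }` before `updateHash` would fail closed. The re-hash also relies on `hashContext->getHashAlgorithm()` being the digest algorithm the SignerInfo was produced with, which deserves a short comment above the new lines, e.g. `// SignatureValue covers the hash of the encapsulated content, so re-hash it before NSS_CMSSignerInfo_Verify()`. The diffstat shows only this file changing, so a regression test using a signature whose encapsulated digest matches the document but whose SignatureValue does not verify would keep the missing check from returning. validateSignature() begins and ends outside the hunk.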