poppler/backport-CVE-2025-43903.patch

From f1b9c830f145a0042e853d6462b2f9ca4016c669 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juraj=20=C5=A0arinay?= <juraj@sarinay.com>
Date: Thu, 6 Mar 2025 02:02:56 +0100
Subject: [PATCH] Properly verify adbe.pkcs7.sha1 signatures.

For signatures with non-empty encapsulated content
(typically adbe.pkcs7.sha1), we only compared hash values and
never actually checked SignatureValue within SignerInfo.
The bug introduced by c7c0207b1cfe49a4353d6cda93dbebef4508138f
made trivial signature forgeries possible. Fix this by calling
NSS_CMSSignerInfo_Verify() after the hash values compare equal.
---
 poppler/NSSCryptoSignBackend.cc | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/poppler/NSSCryptoSignBackend.cc b/poppler/NSSCryptoSignBackend.cc
index 521137d6b..eeea26ee3 100644
--- a/poppler/NSSCryptoSignBackend.cc
+++ b/poppler/NSSCryptoSignBackend.cc
@@ -877,13 +877,18 @@ SignatureValidationStatus NSSSignatureVerification::validateSignature()
           This means it's not a detached type signature
           so the digest is contained in SignedData->contentInfo
         */
-        if (digest.len == content_info_data->len && memcmp(digest.data, content_info_data->data, digest.len) == 0) {
-            return SIGNATURE_VALID;
-        } else {
+        if (digest.len != content_info_data->len || memcmp(digest.data, content_info_data->data, digest.len) != 0) {
             return SIGNATURE_DIGEST_MISMATCH;
         }

-    } else if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
+        auto innerHashContext = HashContext::create(hashContext->getHashAlgorithm());
+        innerHashContext->updateHash(content_info_data->data, content_info_data->len);
+        digest_buffer = innerHashContext->endHash();
+        digest.data = digest_buffer.data();
+        digest.len = digest_buffer.size();
+    }
+
+    if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
         return NSS_SigTranslate(CMSSignerInfo->verificationStatus);
     } else {
         return SIGNATURE_VALID;
--
GitLab
转换LFS仓库为普通仓库 2025-05-18 17:07:04 +00:00			`From f1b9c830f145a0042e853d6462b2f9ca4016c669 Mon Sep 17 00:00:00 2001`
			`From: =?UTF-8?q?Juraj=20=C5=A0arinay?= <juraj@sarinay.com>`
			`Date: Thu, 6 Mar 2025 02:02:56 +0100`
			`Subject: [PATCH] Properly verify adbe.pkcs7.sha1 signatures.`

			`For signatures with non-empty encapsulated content`
			`(typically adbe.pkcs7.sha1), we only compared hash values and`
			`never actually checked SignatureValue within SignerInfo.`
			`The bug introduced by c7c0207b1cfe49a4353d6cda93dbebef4508138f`
			`made trivial signature forgeries possible. Fix this by calling`
			`NSS_CMSSignerInfo_Verify() after the hash values compare equal.`
			`---`
			`poppler/NSSCryptoSignBackend.cc \| 13 +++++++++----`
			`1 file changed, 9 insertions(+), 4 deletions(-)`

			`diff --git a/poppler/NSSCryptoSignBackend.cc b/poppler/NSSCryptoSignBackend.cc`
			`index 521137d6b..eeea26ee3 100644`
			`--- a/poppler/NSSCryptoSignBackend.cc`
			`+++ b/poppler/NSSCryptoSignBackend.cc`
			`@@ -877,13 +877,18 @@ SignatureValidationStatus NSSSignatureVerification::validateSignature()`
			`This means it's not a detached type signature`
			`so the digest is contained in SignedData->contentInfo`
			`*/`
			`- if (digest.len == content_info_data->len && memcmp(digest.data, content_info_data->data, digest.len) == 0) {`
			`- return SIGNATURE_VALID;`
			`- } else {`
			`+ if (digest.len != content_info_data->len \|\| memcmp(digest.data, content_info_data->data, digest.len) != 0) {`
			`return SIGNATURE_DIGEST_MISMATCH;`
			`}`

			`- } else if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {`
			`+ auto innerHashContext = HashContext::create(hashContext->getHashAlgorithm());`
			`+ innerHashContext->updateHash(content_info_data->data, content_info_data->len);`
			`+ digest_buffer = innerHashContext->endHash();`
			`+ digest.data = digest_buffer.data();`
			`+ digest.len = digest_buffer.size();`
			`+ }`
			`+`
			`+ if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {`
			`return NSS_SigTranslate(CMSSignerInfo->verificationStatus);`
			`} else {`
			`return SIGNATURE_VALID;`
			`--`
			`GitLab`