fix CVE-2025-43903

Signed-off-by: 张梁鹏堃 <zhangliangpengkun@xfusion.com>
(cherry picked from commit 1212750c287bb773a773dfabae0cdca6ca5ffc98)

backport-CVE-2025-43903.patch

@@ -0,0 +1,44 @@
+From f1b9c830f145a0042e853d6462b2f9ca4016c669 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Juraj=20=C5=A0arinay?= <juraj@sarinay.com>
+Date: Thu, 6 Mar 2025 02:02:56 +0100
+Subject: [PATCH] Properly verify adbe.pkcs7.sha1 signatures.
+
+For signatures with non-empty encapsulated content
+(typically adbe.pkcs7.sha1), we only compared hash values and
+never actually checked SignatureValue within SignerInfo.
+The bug introduced by c7c0207b1cfe49a4353d6cda93dbebef4508138f
+made trivial signature forgeries possible. Fix this by calling
+NSS_CMSSignerInfo_Verify() after the hash values compare equal.
+---
+ poppler/NSSCryptoSignBackend.cc | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/poppler/NSSCryptoSignBackend.cc b/poppler/NSSCryptoSignBackend.cc
+index 521137d6b..eeea26ee3 100644
+--- a/poppler/NSSCryptoSignBackend.cc
++++ b/poppler/NSSCryptoSignBackend.cc
+@@ -877,13 +877,18 @@ SignatureValidationStatus NSSSignatureVerification::validateSignature()
+           This means it's not a detached type signature
+           so the digest is contained in SignedData->contentInfo
+         */
+-        if (digest.len == content_info_data->len && memcmp(digest.data, content_info_data->data, digest.len) == 0) {
+-            return SIGNATURE_VALID;
+-        } else {
++        if (digest.len != content_info_data->len || memcmp(digest.data, content_info_data->data, digest.len) != 0) {
+             return SIGNATURE_DIGEST_MISMATCH;
+         }
+
+-    } else if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
++        auto innerHashContext = HashContext::create(hashContext->getHashAlgorithm());
++        innerHashContext->updateHash(content_info_data->data, content_info_data->len);
++        digest_buffer = innerHashContext->endHash();
++        digest.data = digest_buffer.data();
++        digest.len = digest_buffer.size();
++    }
++
++    if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
+         return NSS_SigTranslate(CMSSignerInfo->verificationStatus);
+     } else {
+         return SIGNATURE_VALID;
+--
+GitLab

poppler.spec

@@ -8,7 +8,7 @@
 
 Name:    poppler
 Version: 23.12.0
-Release: 6
+Release: 7
 Summary: PDF rendering library
 License: GPLv2+ and LGPLv2+ and MIT
 URL:     http://poppler.freedesktop.org/
@@ -22,6 +22,7 @@ Patch6000: backport-CVE-2024-6239.patch
 Patch6001: backport-CVE-2024-56378.patch
 Patch6002: backport-CVE-2025-32364.patch
 Patch6003: backport-CVE-2025-32365.patch
+Patch6004: backport-CVE-2025-43903.patch
 
 BuildRequires: make
 BuildRequires: cmake
@@ -267,6 +268,9 @@ test "$(pkg-config --modversion poppler-qt6)" = "%{version}"
 %{_mandir}/man1/*
 
 %changelog
+* Sun Apr 20 2025 zhangliangpengkun <zhangliangpengkun@xfusion.com> - 23.12.0-7
+- fix CVE-2025-43903
+
 * Mon Apr 07 2025 Funda Wang <fundawang@yeah.net> - 23.12.0-6
 - fix CVE-2025-32364, CVE-2025-32365