packages/poppler
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!130 [sync] PR-129: fix CVE-2025-43903

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @weidongkl 
Signed-off-by: @weidongkl
This commit is contained in:
openeuler-ci-bot 2025-04-20 11:36:56 +00:00 committed by Gitee
commit 5d4747ce8f
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 49 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
backport-CVE-2025-43903.patch Normal file
View File

@ -0,0 +1,44 @@
From f1b9c830f145a0042e853d6462b2f9ca4016c669 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juraj=20=C5=A0arinay?= <juraj@sarinay.com>
Date: Thu, 6 Mar 2025 02:02:56 +0100
Subject: [PATCH] Properly verify adbe.pkcs7.sha1 signatures.
For signatures with non-empty encapsulated content
(typically adbe.pkcs7.sha1), we only compared hash values and
never actually checked SignatureValue within SignerInfo.
The bug introduced by c7c0207b1cfe49a4353d6cda93dbebef4508138f
made trivial signature forgeries possible. Fix this by calling
NSS_CMSSignerInfo_Verify() after the hash values compare equal.
---
poppler/NSSCryptoSignBackend.cc | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/poppler/NSSCryptoSignBackend.cc b/poppler/NSSCryptoSignBackend.cc
index 521137d6b..eeea26ee3 100644
--- a/poppler/NSSCryptoSignBackend.cc
+++ b/poppler/NSSCryptoSignBackend.cc
@@ -877,13 +877,18 @@ SignatureValidationStatus NSSSignatureVerification::validateSignature()
This means it's not a detached type signature
so the digest is contained in SignedData->contentInfo
*/
- if (digest.len == content_info_data->len && memcmp(digest.data, content_info_data->data, digest.len) == 0) {
- return SIGNATURE_VALID;
- } else {
+ if (digest.len != content_info_data->len || memcmp(digest.data, content_info_data->data, digest.len) != 0) {
return SIGNATURE_DIGEST_MISMATCH;
}
- } else if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
+ auto innerHashContext = HashContext::create(hashContext->getHashAlgorithm());
+ innerHashContext->updateHash(content_info_data->data, content_info_data->len);
+ digest_buffer = innerHashContext->endHash();
+ digest.data = digest_buffer.data();
+ digest.len = digest_buffer.size();
+ }
+
+ if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
return NSS_SigTranslate(CMSSignerInfo->verificationStatus);
} else {
return SIGNATURE_VALID;
--
GitLab

6
poppler.spec
View File

@ -8,7 +8,7 @@
Name: poppler
Version: 23.12.0
Release: 6
Release: 7
Summary: PDF rendering library
License: GPLv2+ and LGPLv2+ and MIT
URL: http://poppler.freedesktop.org/
@ -22,6 +22,7 @@ Patch6000: backport-CVE-2024-6239.patch
Patch6001: backport-CVE-2024-56378.patch
Patch6002: backport-CVE-2025-32364.patch
Patch6003: backport-CVE-2025-32365.patch
Patch6004: backport-CVE-2025-43903.patch
BuildRequires: make
BuildRequires: cmake
@ -267,6 +268,9 @@ test "$(pkg-config --modversion poppler-qt6)" = "%{version}"
%{_mandir}/man1/*
%changelog
* Sun Apr 20 2025 zhangliangpengkun <zhangliangpengkun@xfusion.com> - 23.12.0-7
- fix CVE-2025-43903
* Mon Apr 07 2025 Funda Wang <fundawang@yeah.net> - 23.12.0-6
- fix CVE-2025-32364, CVE-2025-32365