diff --git a/backport-CVE-2025-43903.patch b/backport-CVE-2025-43903.patch
new file mode 100644
index 0000000000000000000000000000000000000000..041364659964d34542c6412336db18e500de0dcf
--- /dev/null
+++ b/backport-CVE-2025-43903.patch
@@ -0,0 +1,45 @@
+From f1b9c830f145a0042e853d6462b2f9ca4016c669 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Juraj=20=C5=A0arinay?=
+Date: Thu, 6 Mar 2025 02:02:56 +0100
+Subject: [PATCH] Properly verify adbe.pkcs7.sha1 signatures.
+
+For signatures with non-empty encapsulated content
+(typically adbe.pkcs7.sha1), we only compared hash values and
+never actually checked SignatureValue within SignerInfo.
+The bug introduced by c7c0207b1cfe49a4353d6cda93dbebef4508138f
+made trivial signature forgeries possible. Fix this by calling
+NSS_CMSSignerInfo_Verify() after the hash values compare equal.
+---
+ poppler/NSSCryptoSignBackend.cc | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/poppler/NSSCryptoSignBackend.cc b/poppler/NSSCryptoSignBackend.cc
+index 521137d6b..eeea26ee3 100644
+--- a/poppler/NSSCryptoSignBackend.cc
++++ b/poppler/NSSCryptoSignBackend.cc
+@@ -877,13 +877,18 @@ SignatureValidationStatus NSSSignatureVerification::validateSignature()
+ This means it's not a detached type signature
+ so the digest is contained in SignedData->contentInfo
+ */
+- if (digest.len == content_info_data->len && memcmp(digest.data, content_info_data->data, digest.len) == 0) {
+- return SIGNATURE_VALID;
+- } else {
++ if (digest.len != content_info_data->len || memcmp(digest.data, content_info_data->data, digest.len) != 0) {
+ return SIGNATURE_DIGEST_MISMATCH;
+ }
+
+- } else if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
++ auto innerHashContext = HashContext::create(hashContext->getHashAlgorithm());
++ innerHashContext->updateHash(content_info_data->data, content_info_data->len);
++ digest_buffer = innerHashContext->endHash();
++ digest.data = digest_buffer.data();
++ digest.len = digest_buffer.size();
++ }
++
++ if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
+ return NSS_SigTranslate(CMSSignerInfo->verificationStatus);
+ } else {
+ return SIGNATURE_VALID;
+--
+GitLab
+
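Review bot: The added patch body dereferences the result of `HashContext::create(hashContext->getHashAlgorithm())` on the very next line without a null check; if `create` can return an empty pointer for a hash algorithm NSS cannot instantiate, the new non-detached branch would fail by crashing rather than by returning an error status, so a guard such as `if (!innerHashContext) { return SIGNATURE_GENERIC_ERROR; }` before the `updateHash` call is worth carrying in the backport. The patch text also appears to be taken verbatim from upstream f1b9c830f and relies on `HashContext::create`, `getHashAlgorithm()` and the `digest_buffer` local already existing in the 23.12.0 tree; a build log showing the patch applies without fuzz would confirm that the rest of validateSignature, which begins and ends outside the hunk, still matches. Note that the digest comparison remains the first gate, so the new `NSS_CMSSignerInfo_Verify` call is only reached once the digests agree, which is the intended closing of the forgery path described in the commit message.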
diff --git a/poppler.spec b/poppler.spec index c5a8d4e34958128f027c790b13b05a95ab2163e1..ec94d5052ec6a5893ddec75010a6e2ebe8122674 100644 --- a/poppler.spec +++ b/poppler.spec @@ -8,7 +8,7 @@ Name: poppler Version: 23.12.0 -Release: 6 +Release: 7 Summary: PDF rendering library License: GPLv2+ and LGPLv2+ and MIT URL: http://poppler.freedesktop.org/ @@ -22,6 +22,7 @@ Patch6000: backport-CVE-2024-6239.patch Patch6001: backport-CVE-2024-56378.patch Patch6002: backport-CVE-2025-32364.patch Patch6003: backport-CVE-2025-32365.patch +Patch6004: backport-CVE-2025-43903.patch BuildRequires: make BuildRequires: cmake @@ -267,6 +268,9 @@ test "$(pkg-config --modversion poppler-qt6)" = "%{version}" %{_mandir}/man1/* %changelog +* Sun Apr 20 2025 zhangliangpengkun - 23.12.0-7 +- fix CVE-2025-32364, CVE-2025-32365 + * Mon Apr 07 2025 Funda Wang - 23.12.0-6 - fix CVE-2025-32364, CVE-2025-32365
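Review bot: The new %changelog entry for 23.12.0-7 reads `- fix CVE-2025-32364, CVE-2025-32365`, duplicating the 23.12.0-6 entry, while the only change in this release is the added `Patch6004: backport-CVE-2025-43903.patch`; the line should be `- fix CVE-2025-43903` so the package history matches the patch actually shipped. Advisory tooling and auditors map CVEs to package releases through %changelog, so the misattributed entry would leave CVE-2025-43903 looking unaddressed in this build.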