authorYogita Urade <yogita.urade@windriver.com>2025-04-28 12:52:48 +0000
committerArmin Kuster <akuster808@gmail.com>2025-05-17 12:20:48 -0600
commit56bca048316237ae872cbaffe54be02656d5ebba (patch)
treee7625087412d9e3996945b5f3638c7780b100e9c
parenta0b54655b573eb627ba4cb7453ce8f856e4cbe33 (diff)
poppler: fix CVE-2025-43903
NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries. CVE-2025-43903-0001 is the dependent commit and CVE-2025-43903-0002 is the actual CVE fix. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-43903 Upstream patches: https://gitlab.freedesktop.org/poppler/poppler/-/commit/33672ca1b6670f7378e24f6d475438f7f5d86b05 https://gitlab.freedesktop.org/poppler/poppler/-/commit/f1b9c830f145a0042e853d6462b2f9ca4016c669 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta-oe/recipes-support/poppler/poppler/CVE-2025-43903-0001.patch75
-rw-r--r--meta-oe/recipes-support/poppler/poppler/CVE-2025-43903-0002.patch49
-rw-r--r--meta-oe/recipes-support/poppler/poppler_23.04.0.bb2
3 files changed, 126 insertions, 0 deletions
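--- /dev/null
+++ b/meta-oe/recipes-support/poppler/poppler/CVE-2025-43903-0001.patch
@@ -0,0 +1,75 @@
+From 33672ca1b6670f7378e24f6d475438f7f5d86b05 Mon Sep 17 00:00:00 2001
+From: Sune Vuorela <sune@vuorela.dk>
+Date: Mon, 22 May 2023 19:53:08 +0000
+Subject: [PATCH] Fix crash with weird hashing used for signatures
+
+CVE: CVE-2025-43903
+Upstream-Status: Backport [https://gitlab.freedesktop.org/poppler/poppler/-/commit/33672ca1b6670f7378e24f6d475438f7f5d86b05]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ poppler/SignatureHandler.cc | 15 ++++++++++++---
+ poppler/SignatureHandler.h | 7 ++++++-
+ 2 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/poppler/SignatureHandler.cc b/poppler/SignatureHandler.cc
+index 9916300..f0b7006 100644
+--- a/poppler/SignatureHandler.cc
++++ b/poppler/SignatureHandler.cc
+@@ -768,11 +768,11 @@ SignatureVerificationHandler::SignatureVerificationHandler(std::vector<unsigned
+ SECItem usedAlgorithm = NSS_CMSSignedData_GetDigestAlgs(CMSSignedData)[0]->algorithm;
+ auto hashAlgorithm = SECOID_FindOIDTag(&usedAlgorithm);
+ HASH_HashType hashType = HASH_GetHashTypeByOidTag(hashAlgorithm);
+- hashContext = std::make_unique<HashContext>(ConvertHashTypeFromNss(hashType));
++ hashContext = HashContext::create(ConvertHashTypeFromNss(hashType));
+ }
+ }
+
+-SignatureSignHandler::SignatureSignHandler(const std::string &certNickname, HashAlgorithm digestAlgTag) : hashContext(std::make_unique<HashContext>(digestAlgTag)), signing_cert(nullptr)
++SignatureSignHandler::SignatureSignHandler(const std::string &certNickname, HashAlgorithm digestAlgTag) : hashContext(HashContext::create(digestAlgTag)), signing_cert(nullptr)
+ {
+ SignatureHandler::setNSSDir({});
+ signing_cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), certNickname.c_str());
+@@ -1232,7 +1232,16 @@ std::vector<unsigned char> HashContext::endHash()
+ return digestBuffer;
+ }
+
+-HashContext::HashContext(HashAlgorithm algorithm) : hash_context { HASH_Create(HASH_GetHashTypeByOidTag(ConvertHashAlgorithmToNss(algorithm))) }, digest_alg_tag(algorithm) { }
++HashContext::HashContext(HashAlgorithm algorithm, private_tag) : hash_context { HASH_Create(HASH_GetHashTypeByOidTag(ConvertHashAlgorithmToNss(algorithm))) }, digest_alg_tag(algorithm) { }
++
++std::unique_ptr<HashContext> HashContext::create(HashAlgorithm algorithm)
++{
++ auto ctx = std::make_unique<HashContext>(algorithm, private_tag {});
++ if (ctx->hash_context) {
++ return ctx;
++ }
++ return {};
++}
+
+ HashAlgorithm HashContext::getHashAlgorithm() const
+ {
+diff --git a/poppler/SignatureHandler.h b/poppler/SignatureHandler.h
+index c9fb575..f1b319f 100644
+--- a/poppler/SignatureHandler.h
++++ b/poppler/SignatureHandler.h
+@@ -51,12 +51,17 @@ static const int maxSupportedSignatureSize = 10000;
+
+ class HashContext
+ {
++ class private_tag
++ {
++ };
++
+ public:
+- explicit HashContext(HashAlgorithm algorithm);
++ HashContext(HashAlgorithm algorithm, private_tag);
+ void updateHash(unsigned char *data_block, int data_len);
+ std::vector<unsigned char> endHash();
+ HashAlgorithm getHashAlgorithm() const;
+ ~HashContext() = default;
++ static std::unique_ptr<HashContext> create(HashAlgorithm algorithm);
+
+ private:
+ struct HashDestroyer
+--
+2.40.0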
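Review bot: `HashContext::create()` returns an empty `unique_ptr` when `HASH_Create()` yields no context, but both call sites changed in SignatureHandler.cc assign the result straight to `hashContext` with no null check visible in the hunks. Any later `hashContext->updateHash(...)` or `hashContext->endHash()` would then dereference null unless code outside these hunks tests the pointer first; both constructors and the users of `hashContext` continue outside what is shown, so this needs confirming against the 23.04.0 tree. The nullable contract is also undocumented: a comment such as `/// Returns nullptr when NSS cannot create a hash context for this algorithm; callers must check.` above `static std::unique_ptr<HashContext> create(HashAlgorithm algorithm);` in SignatureHandler.h would make it explicit.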
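--- /dev/null
+++ b/meta-oe/recipes-support/poppler/poppler/CVE-2025-43903-0002.patch
@@ -0,0 +1,49 @@
+From f1b9c830f145a0042e853d6462b2f9ca4016c669 Mon Sep 17 00:00:00 2001
+From: Juraj sarinay <juraj@sarinay.com>
+Date: Thu, 6 Mar 2025 02:02:56 +0100
+Subject: [PATCH] Properly verify adbe.pkcs7.sha1 signatures.
+
+For signatures with non-empty encapsulated content
+(typically adbe.pkcs7.sha1), we only compared hash values and
+never actually checked SignatureValue within SignerInfo.
+The bug introduced by c7c0207b1cfe49a4353d6cda93dbebef4508138f
+made trivial signature forgeries possible. Fix this by calling
+NSS_CMSSignerInfo_Verify() after the hash values compare equal.
+
+CVE: CVE-2025-43903
+Upstream-Status: Backport [https://gitlab.freedesktop.org/poppler/poppler/-/commit/f1b9c830f145a0042e853d6462b2f9ca4016c669]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ poppler/SignatureHandler.cc | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/poppler/SignatureHandler.cc b/poppler/SignatureHandler.cc
+index 9916300..5c478bc 100644
+--- a/poppler/SignatureHandler.cc
++++ b/poppler/SignatureHandler.cc
+@@ -934,13 +934,20 @@ SignatureValidationStatus SignatureVerificationHandler::validateSignature()
+ This means it's not a detached type signature
+ so the digest is contained in SignedData->contentInfo
+ */
+- if (digest.len == content_info_data->len && memcmp(digest.data, content_info_data->data, digest.len) == 0) {
++ if (digest.len != content_info_data->len || memcmp(digest.data, content_info_data->data, digest.len) != 0) {
+ return SIGNATURE_VALID;
+ } else {
+ return SIGNATURE_DIGEST_MISMATCH;
+ }
+
+- } else if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
++ auto innerHashContext = HashContext::create(hashContext->getHashAlgorithm());
++ innerHashContext->updateHash(content_info_data->data, content_info_data->len);
++ digest_buffer = innerHashContext->endHash();
++ digest.data = digest_buffer.data();
++ digest.len = digest_buffer.size();
++ }
++
++ if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
+ return NSS_SigTranslate(CMSSignerInfo->verificationStatus);
+ } else {
+ return SIGNATURE_VALID;
+--
+2.40.0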
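Review bot: As rendered here, the inner hunk of `validateSignature()` inverts the digest comparison to `!=` / `||` but leaves `return SIGNATURE_VALID;` and `} else {` as unchanged context. The patched code would therefore return SIGNATURE_VALID when the digest does not match and SIGNATURE_DIGEST_MISMATCH when it does, and the added inner-hash lines would be unreachable, so `NSS_CMSSignerInfo_Verify()` never runs for non-detached signatures. That contradicts the patch description ("calling NSS_CMSSignerInfo_Verify() after the hash values compare equal"), so the backport should be compared line by line with upstream f1b9c830f145a0042e853d6462b2f9ca4016c669. The mismatch branch presumably should read `if (digest.len != content_info_data->len || memcmp(...) != 0) { return SIGNATURE_DIGEST_MISMATCH; }`, with the two stale lines removed. Separately, `HashContext::create()` can return null per the -0001 patch, so a guard such as `if (!innerHashContext) { return SIGNATURE_GENERIC_ERROR; }` belongs before `innerHashContext->updateHash(...)`; the function body continues outside the hunk.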
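--- a/meta-oe/recipes-support/poppler/poppler_23.04.0.bb
+++ b/meta-oe/recipes-support/poppler/poppler_23.04.0.bb
@@ -14,6 +14,8 @@ SRC_URI = "http://poppler.freedesktop.org/${BP}.tar.xz \
 file://CVE-2024-56378.patch \
 file://CVE-2025-32364.patch \
 file://CVE-2025-32365.patch \
+file://CVE-2025-43903-0001.patch \
+file://CVE-2025-43903-0002.patch \
 "
 SRC_URI[sha256sum] = "b6d893dc7dcd4138b9e9df59a13c59695e50e80dc5c2cacee0674670693951a1"
 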