CVE-2025-70888.patch
From 13656398658c7911199eef7f64b21c4cf6bc5fa2 Mon Sep 17 00:00:00 2001
From: AllSpark <allspark@microsoft.com>
Date: Mon, 13 Apr 2026 10:13:41 +0000
Subject: [PATCH] Add keyUsage digitalSignature validation for signer
 certificate

Verify that:
- extendedKeyUsage, if present, permits codeSigning (RFC 5280 section 4.2.1.12)
- keyUsage, if present, permits digitalSignature (RFC 5280 section 4.2.1.3)

Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: AI Backport of https://patch-diff.githubusercontent.com/raw/mtrojnar/osslsigncode/pull/477.patch
---
osslsigncode.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/osslsigncode.c b/osslsigncode.c
index 320980f..b1fcd7b 100644
--- a/osslsigncode.c
+++ b/osslsigncode.c
@@ -1718,9 +1718,17 @@ static int verify_authenticode(FILE_FORMAT_CTX *ctx, PKCS7 *p7, time_t time, X50
if (!crlok)
goto out;
}
- /* check extended key usage flag XKU_CODE_SIGN */
+ /*
+ * Verify that:
+ * - extendedKeyUsage, if present, permits codeSigning (RFC 5280 section 4.2.1.12)
+ * - keyUsage, if present, permits digitalSignature (RFC 5280 section 4.2.1.3)
+ */
if (!(X509_get_extended_key_usage(signer) & XKU_CODE_SIGN)) {
- printf("Unsupported Signer's certificate purpose XKU_CODE_SIGN\n");
+ fprintf(stderr, "Signer certificate rejected: extendedKeyUsage does not permit codeSigning\n");
+ goto out;
+ }
+ if (!(X509_get_key_usage(signer) & X509v3_KU_DIGITAL_SIGNATURE)) {
+ fprintf(stderr, "Signer certificate rejected: keyUsage does not permit digitalSignature\n");
goto out;
}
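Review bot: the "if present" wording in the new comment is carried entirely by OpenSSL's convention that X509_get_key_usage() and X509_get_extended_key_usage() return UINT32_MAX when the corresponding extension is absent, so `& X509v3_KU_DIGITAL_SIGNATURE` and `& XKU_CODE_SIGN` pass for a signer certificate that has neither extension; say so in the comment, or test presence explicitly via `X509_get_extension_flags(signer) & EXFLAG_KUSAGE` / `EXFLAG_XKUSAGE`, so a later reader does not assume the check is stricter than it is. Two caveats worth a line in the commit message: a certificate whose extendedKeyUsage lists only anyExtendedKeyUsage sets XKU_ANYEKU rather than XKU_CODE_SIGN in OpenSSL's cached flags and is therefore rejected here, which is stricter than RFC 5280 section 4.2.1.12 requires, and the rejection message moves from stdout (`printf`) to stderr (`fprintf(stderr, ...)`), which changes what any caller that scrapes the tool's standard output sees.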
--
2.45.4
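The rule stated in the commit message above (an absent extension imposes no constraint, a present one must permit the purpose) is easy to get wrong at the DER level, so here is an added example that is not part of the patch or of osslsigncode: a self-contained C implementation of the same policy that parses the raw extension values itself instead of relying on OpenSSL's cached flags. The function and constant names (`check_signer_purpose`, `der_tlv`, `KU_CA_ONLY` and so on) are hypothetical, the `allow_any_eku` switch is an assumption added to show the anyExtendedKeyUsage edge case explicitly, and every sample encoding is constructed for this example rather than taken from a real certificate. It goes slightly beyond the patch in that malformed extension values and anyExtendedKeyUsage are handled deliberately rather than implicitly.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER content octets of the OIDs the policy cares about (values from RFC 5280, encoded here by hand). */
static const uint8_t OID_ID_KP_CODE_SIGNING[]     = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03}; /* 1.3.6.1.5.5.7.3.3 */
static const uint8_t OID_ANY_EXTENDED_KEY_USAGE[] = {0x55, 0x1D, 0x25, 0x00};                         /* 2.5.29.37.0 */

typedef enum { SIGNER_OK = 0, SIGNER_BAD_EKU = 1, SIGNER_BAD_KU = 2 } signer_result;

/* Parse one DER TLV at p. On success returns a pointer to the content octets and sets *len;
 * on a wrong tag, a truncated length field, or content running past end it returns NULL. */
static const uint8_t *der_tlv(const uint8_t *p, const uint8_t *end, uint8_t tag, size_t *len)
{
    size_t l;
    if (p == NULL || end - p < 2 || p[0] != tag)
        return NULL;
    l = p[1];
    p += 2;
    if (l & 0x80) {                       /* long form: low 7 bits give the number of length octets */
        size_t n = l & 0x7F;
        if (n == 0 || n > sizeof(size_t) || (size_t)(end - p) < n)
            return NULL;
        l = 0;
        for (size_t i = 0; i < n; i++)
            l = (l << 8) | *p++;
    }
    if ((size_t)(end - p) < l)
        return NULL;
    *len = l;
    return p;
}

/* keyUsage (RFC 5280 4.2.1.3) is a BIT STRING; digitalSignature is bit 0, i.e. the MSB of the
 * first content octet after the unused-bits count. An empty BIT STRING asserts no usage at all. */
static bool ku_permits_digital_signature(const uint8_t *der, size_t len)
{
    size_t blen;
    const uint8_t *bits = der_tlv(der, der + len, 0x03, &blen);
    if (bits == NULL || blen < 2 || bits[0] > 7)
        return false;
    return (bits[1] & 0x80) != 0;
}

/* extendedKeyUsage (RFC 5280 4.2.1.12) is SEQUENCE OF OBJECT IDENTIFIER. It permits code signing
 * if id-kp-codeSigning is listed, or if anyExtendedKeyUsage is listed and the caller accepts that. */
static bool eku_permits_code_signing(const uint8_t *der, size_t len, bool allow_any_eku)
{
    size_t slen, olen;
    const uint8_t *p = der_tlv(der, der + len, 0x30, &slen);
    if (p == NULL)
        return false;
    const uint8_t *end = p + slen;
    while (p < end) {
        const uint8_t *oid = der_tlv(p, end, 0x06, &olen);
        if (oid == NULL)
            return false;                 /* malformed SEQUENCE content: treat as not permitting */
        if (olen == sizeof OID_ID_KP_CODE_SIGNING && memcmp(oid, OID_ID_KP_CODE_SIGNING, olen) == 0)
            return true;
        if (allow_any_eku && olen == sizeof OID_ANY_EXTENDED_KEY_USAGE &&
            memcmp(oid, OID_ANY_EXTENDED_KEY_USAGE, olen) == 0)
            return true;
        p = oid + olen;
    }
    return false;
}

/* The patch's rule: a NULL pointer means the extension is absent and imposes no constraint; a
 * present extension must permit the purpose. EKU is checked first, matching the patch's order. */
static signer_result check_signer_purpose(const uint8_t *ku, size_t ku_len,
                                          const uint8_t *eku, size_t eku_len, bool allow_any_eku)
{
    if (eku != NULL && !eku_permits_code_signing(eku, eku_len, allow_any_eku))
        return SIGNER_BAD_EKU;
    if (ku != NULL && !ku_permits_digital_signature(ku, ku_len))
        return SIGNER_BAD_KU;
    return SIGNER_OK;
}

/* Constructed sample extension values (hand-encoded for this example, not from any real certificate). */
static const uint8_t KU_DIGITAL_SIGNATURE[] = {0x03, 0x02, 0x07, 0x80};  /* digitalSignature only */
static const uint8_t KU_CA_ONLY[]           = {0x03, 0x02, 0x01, 0x06};  /* keyCertSign, cRLSign */
static const uint8_t EKU_CODE_SIGNING[] = {0x30, 0x0A, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03};
static const uint8_t EKU_SERVER_AUTH[]  = {0x30, 0x0A, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01};
static const uint8_t EKU_ANY[]          = {0x30, 0x06, 0x06, 0x04, 0x55, 0x1D, 0x25, 0x00};
static const uint8_t EKU_TRUNCATED[]    = {0x30, 0x0A, 0x06, 0x08, 0x2B, 0x06};  /* claims 10 octets, 4 follow */

int main(void)
{
    static const char *names[] = {"ok", "rejected: extendedKeyUsage", "rejected: keyUsage"};
    printf("ds + codeSigning      : %s\n", names[check_signer_purpose(KU_DIGITAL_SIGNATURE, sizeof KU_DIGITAL_SIGNATURE, EKU_CODE_SIGNING, sizeof EKU_CODE_SIGNING, false)]);
    printf("no extensions         : %s\n", names[check_signer_purpose(NULL, 0, NULL, 0, false)]);
    printf("CA keyUsage           : %s\n", names[check_signer_purpose(KU_CA_ONLY, sizeof KU_CA_ONLY, EKU_CODE_SIGNING, sizeof EKU_CODE_SIGNING, false)]);
    printf("serverAuth only       : %s\n", names[check_signer_purpose(KU_DIGITAL_SIGNATURE, sizeof KU_DIGITAL_SIGNATURE, EKU_SERVER_AUTH, sizeof EKU_SERVER_AUTH, false)]);
    printf("anyEKU, strict        : %s\n", names[check_signer_purpose(KU_DIGITAL_SIGNATURE, sizeof KU_DIGITAL_SIGNATURE, EKU_ANY, sizeof EKU_ANY, false)]);
    printf("anyEKU, permissive    : %s\n", names[check_signer_purpose(KU_DIGITAL_SIGNATURE, sizeof KU_DIGITAL_SIGNATURE, EKU_ANY, sizeof EKU_ANY, true)]);
    printf("truncated EKU         : %s\n", names[check_signer_purpose(NULL, 0, EKU_TRUNCATED, sizeof EKU_TRUNCATED, false)]);
    return 0;
}
```

The strict `allow_any_eku = false` setting reproduces what the patch does with OpenSSL's `XKU_CODE_SIGN` flag: a certificate carrying only anyExtendedKeyUsage is rejected even though RFC 5280 treats that OID as permitting any purpose. Malformed extension values fail closed, which is the behaviour a signature verifier wants; when porting this to the real code base the presence test should come from the certificate's extension list rather than a NULL pointer, since an extension that is present but empty must not be confused with one that is absent.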