CVE-2026-39853.patch
From 05b4da29d5a6376da6542406839deb0888d08f27 Mon Sep 17 00:00:00 2001
From: AllSpark <allspark@microsoft.com>
Date: Mon, 13 Apr 2026 10:09:16 +0000
Subject: [PATCH] Fixed buffer overflow while extracting msg digest
Upstream Patch reference: https://github.com/mtrojnar/osslsigncode/commit/cbee1e723c5a8547302bd841ad9943ed8144db68.patch
---
cab.c | 6 +++---
helpers.c | 27 +++++++++++++++++++++++++++
helpers.h | 2 ++
msi.c | 6 +++---
osslsigncode.c | 7 +++----
pe.c | 6 +++---
6 files changed, 41 insertions(+), 13 deletions(-)
diff --git a/cab.c b/cab.c
index cc8e745..f6547dd 100644
--- a/cab.c
+++ b/cab.c
@@ -330,9 +330,9 @@ static int cab_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7)
const u_char *p = content_val->data;
SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, content_val->length);
if (idc) {
- if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) {
- mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm);
- memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length);
+ if (spc_extract_digest_safe(idc, mdbuf, &mdtype) < 0) {
+ SpcIndirectDataContent_free(idc);
+ return 0; /* FAILED */
}
SpcIndirectDataContent_free(idc);
}
diff --git a/helpers.c b/helpers.c
index 184fd29..b42de60 100644
--- a/helpers.c
+++ b/helpers.c
@@ -503,6 +503,33 @@ SpcLink *spc_link_obsolete_get(void)
return link;
}
+/*
+ * Safely extract digest from SpcIndirectDataContent
+ * [in] idc: parsed SpcIndirectDataContent
+ * [out] mdbuf: output buffer (must be EVP_MAX_MD_SIZE bytes)
+ * [out] mdtype: digest algorithm's NID
+ * [returns] -1 on error or digest length on success
+ */
+int spc_extract_digest_safe(SpcIndirectDataContent *idc,
+ u_char *mdbuf, int *mdtype)
+{
+ int digest_len;
+
+ if (!idc || !idc->messageDigest || !idc->messageDigest->digest ||
+ !idc->messageDigest->digestAlgorithm) {
+ fprintf(stderr, "Missing digest data\n");
+ return -1;
+ }
+ digest_len = idc->messageDigest->digest->length;
+ if (digest_len <= 0 || digest_len > EVP_MAX_MD_SIZE) {
+ fprintf(stderr, "Invalid digest length: %d\n", digest_len);
+ return -1;
+ }
+ memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)digest_len);
+ *mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm);
+ return digest_len;
+}
+
/*
* Retrieve a decoded PKCS#7 structure
* [in] indata: mapped file
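Review bot: The new check in spc_extract_digest_safe bounds `digest_len` by EVP_MAX_MD_SIZE but never compares it with the output size of the algorithm named in `digestAlgorithm`, so a signature can name one hash and carry a shorter digest. Every call site in this patch (cab.c, msi.c, pe.c, osslsigncode.c) discards the returned length, and compare_digests() takes only `mdtype`, so the later comparison presumably uses the algorithm's full size and would read bytes of `mdbuf` that this call never wrote. Rejecting the mismatch inside the helper closes that gap. The sketch below also treats an unknown algorithm as an error, which should be confirmed against how callers handle `mdtype` today. The header comment should also state that `mdbuf` is left untouched on failure.
```c
int spc_extract_digest_safe(SpcIndirectDataContent *idc,
    u_char *mdbuf, int *mdtype)
{
    int digest_len, nid;
    const EVP_MD *md;

    /* … unchanged: NULL checks and the 0 < digest_len <= EVP_MAX_MD_SIZE check … */
    nid = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm);
    md = EVP_get_digestbynid(nid);
    if (!md || digest_len != EVP_MD_size(md)) {
        fprintf(stderr, "Digest length %d does not match digest algorithm\n", digest_len);
        return -1;
    }
    memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)digest_len);
    *mdtype = nid;
    return digest_len;
```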
diff --git a/helpers.h b/helpers.h
index fa0c13c..d5c40df 100644
--- a/helpers.h
+++ b/helpers.h
@@ -21,6 +21,8 @@ void print_hash(const char *descript1, const char *descript2, const u_char *hash
int is_content_type(PKCS7 *p7, const char *objid);
int pkcs7_set_data_content(PKCS7 *sig, BIO *hash, FILE_FORMAT_CTX *ctx);
SpcLink *spc_link_obsolete_get(void);
+int spc_extract_digest_safe(SpcIndirectDataContent *idc,
+ u_char *mdbuf, int *mdtype);
PKCS7 *pkcs7_get(char *indata, uint32_t sigpos, uint32_t siglen);
int compare_digests(u_char *mdbuf, u_char *cmdbuf, int mdtype);
diff --git a/msi.c b/msi.c
index beadfc9..73c1f57 100644
--- a/msi.c
+++ b/msi.c
@@ -470,9 +470,9 @@ static int msi_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7)
const u_char *p = content_val->data;
SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, content_val->length);
if (idc) {
- if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) {
- mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm);
- memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length);
+ if (spc_extract_digest_safe(idc, mdbuf, &mdtype) < 0) {
+ SpcIndirectDataContent_free(idc);
+ return 0; /* FAILED */
}
SpcIndirectDataContent_free(idc);
}
diff --git a/osslsigncode.c b/osslsigncode.c
index 6960fd8..f29a902 100644
--- a/osslsigncode.c
+++ b/osslsigncode.c
@@ -2228,10 +2228,9 @@ static int verify_member(FILE_FORMAT_CTX *ctx, CatalogAuthAttr *attribute)
ASN1_TYPE_free(content);
return 1; /* FAILED */
}
- if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) {
- /* get a digest algorithm a message digest of the file from the content */
- mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm);
- memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length);
+ if (spc_extract_digest_safe(idc, mdbuf, &mdtype) < 0) {
+ SpcIndirectDataContent_free(idc);
+ return 1; /* FAILED */
}
ASN1_TYPE_free(content);
if (mdtype == -1) {
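Review bot: The new failure branch in verify_member frees `idc` but returns without releasing `content`, which appears to leak it. The error path just above the change calls `ASN1_TYPE_free(content);` before `return 1;`, and the success path frees it right after the new block, so `content` is still live at this point. Add `ASN1_TYPE_free(content);` next to `SpcIndirectDataContent_free(idc);` in the new branch. The rest of verify_member lies outside the hunk, so confirm no other cleanup is expected on this path.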
diff --git a/pe.c b/pe.c
index c93daa6..d55bdf5 100644
--- a/pe.c
+++ b/pe.c
@@ -320,9 +320,9 @@ static int pe_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7)
SpcIndirectDataContent_free(idc);
return 0; /* FAILED */
}
- if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) {
- mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm);
- memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length);
+ if (spc_extract_digest_safe(idc, mdbuf, &mdtype) < 0) {
+ SpcIndirectDataContent_free(idc);
+ return 0; /* FAILED */
}
SpcIndirectDataContent_free(idc);
}
--
2.43.0