microsoft · azurelinux-security · Apr 13, 2026 · Apr 14, 2026
@@ -0,0 +1,43 @@
+From 13656398658c7911199eef7f64b21c4cf6bc5fa2 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 13 Apr 2026 10:13:41 +0000
+Subject: [PATCH] Add keyUsage digitalSignature validation for signer
+ certificate
+
+Verify that:
+- extendedKeyUsage, if present, permits codeSigning (RFC 5280 section 4.2.1.12)
+- keyUsage, if present, permits digitalSignature (RFC 5280 section 4.2.1.3)
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://patch-diff.githubusercontent.com/raw/mtrojnar/osslsigncode/pull/477.patch
+---
+ osslsigncode.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/osslsigncode.c b/osslsigncode.c
+index 320980f..b1fcd7b 100644
+--- a/osslsigncode.c
++++ b/osslsigncode.c
+@@ -1718,9 +1718,17 @@ static int verify_authenticode(FILE_FORMAT_CTX *ctx, PKCS7 *p7, time_t time, X50
+         if (!crlok)
+             goto out;
+     }
+-    /* check extended key usage flag XKU_CODE_SIGN */
++    /*
++     * Verify that:
++     * - extendedKeyUsage, if present, permits codeSigning (RFC 5280 section 4.2.1.12)
++     * - keyUsage, if present, permits digitalSignature (RFC 5280 section 4.2.1.3)
++     */
+     if (!(X509_get_extended_key_usage(signer) & XKU_CODE_SIGN)) {
+-        printf("Unsupported Signer's certificate purpose XKU_CODE_SIGN\n");
++        fprintf(stderr, "Signer certificate rejected: extendedKeyUsage does not permit codeSigning\n");
++        goto out;
++    }
++    if (!(X509_get_key_usage(signer) & X509v3_KU_DIGITAL_SIGNATURE)) {
++        fprintf(stderr, "Signer certificate rejected: keyUsage does not permit digitalSignature\n");
+         goto out;
+     }
+
+-- 
+2.45.4
+
@@ -0,0 +1,138 @@
+From 05b4da29d5a6376da6542406839deb0888d08f27 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 13 Apr 2026 10:09:16 +0000
+Subject: [PATCH] Fixed buffer overflow while extracting msg digest
+
+Upstream Patch reference: https://github.com/mtrojnar/osslsigncode/commit/cbee1e723c5a8547302bd841ad9943ed8144db68.patch
+---
+ cab.c          |  6 +++---
+ helpers.c      | 27 +++++++++++++++++++++++++++
+ helpers.h      |  2 ++
+ msi.c          |  6 +++---
+ osslsigncode.c |  7 +++----
+ pe.c           |  6 +++---
+ 6 files changed, 41 insertions(+), 13 deletions(-)
+
+diff --git a/cab.c b/cab.c
+index cc8e745..f6547dd 100644
+--- a/cab.c
++++ b/cab.c
+@@ -330,9 +330,9 @@ static int cab_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7)
+         const u_char *p = content_val->data;
+         SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, content_val->length);
+         if (idc) {
+-            if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) {
+-                mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm);
+-                memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length);
++            if (spc_extract_digest_safe(idc, mdbuf, &mdtype) < 0) {
++                SpcIndirectDataContent_free(idc);
++                return 0; /* FAILED */
+             }
+             SpcIndirectDataContent_free(idc);
+         }
+diff --git a/helpers.c b/helpers.c
+index 184fd29..b42de60 100644
+--- a/helpers.c
++++ b/helpers.c
+@@ -503,6 +503,33 @@ SpcLink *spc_link_obsolete_get(void)
+     return link;
+ }
+
++/*
++ * Safely extract digest from SpcIndirectDataContent
++ * [in] idc: parsed SpcIndirectDataContent
++ * [out] mdbuf: output buffer (must be EVP_MAX_MD_SIZE bytes)
++ * [out] mdtype: digest algorithm's NID
++ * [returns] -1 on error or digest length on success
++ */
++int spc_extract_digest_safe(SpcIndirectDataContent *idc,
++    u_char *mdbuf, int *mdtype)
++{
++    int digest_len;
++
++    if (!idc || !idc->messageDigest || !idc->messageDigest->digest ||
++            !idc->messageDigest->digestAlgorithm) {
++        fprintf(stderr, "Missing digest data\n");
++        return -1;
++    }
++    digest_len = idc->messageDigest->digest->length;
++    if (digest_len <= 0 || digest_len > EVP_MAX_MD_SIZE) {
++        fprintf(stderr, "Invalid digest length: %d\n", digest_len);
++        return -1;
++    }
++    memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)digest_len);
++    *mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm);
++    return digest_len;
++}
++
+ /*
+  * Retrieve a decoded PKCS#7 structure
+  * [in] indata: mapped file
+diff --git a/helpers.h b/helpers.h
+index fa0c13c..d5c40df 100644
+--- a/helpers.h
++++ b/helpers.h
+@@ -21,6 +21,8 @@ void print_hash(const char *descript1, const char *descript2, const u_char *hash
+ int is_content_type(PKCS7 *p7, const char *objid);
+ int pkcs7_set_data_content(PKCS7 *sig, BIO *hash, FILE_FORMAT_CTX *ctx);
+ SpcLink *spc_link_obsolete_get(void);
++int spc_extract_digest_safe(SpcIndirectDataContent *idc,
++    u_char *mdbuf, int *mdtype);
+ PKCS7 *pkcs7_get(char *indata, uint32_t sigpos, uint32_t siglen);
+ int compare_digests(u_char *mdbuf, u_char *cmdbuf, int mdtype);
+
+diff --git a/msi.c b/msi.c
+index beadfc9..73c1f57 100644
+--- a/msi.c
++++ b/msi.c
+@@ -470,9 +470,9 @@ static int msi_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7)
+         const u_char *p = content_val->data;
+         SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, content_val->length);
+         if (idc) {
+-            if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) {
+-                mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm);
+-                memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length);
++            if (spc_extract_digest_safe(idc, mdbuf, &mdtype) < 0) {
++                SpcIndirectDataContent_free(idc);
++                return 0; /* FAILED */
+             }
+             SpcIndirectDataContent_free(idc);
+         }
+diff --git a/osslsigncode.c b/osslsigncode.c
+index 6960fd8..f29a902 100644
+--- a/osslsigncode.c
++++ b/osslsigncode.c
+@@ -2228,10 +2228,9 @@ static int verify_member(FILE_FORMAT_CTX *ctx, CatalogAuthAttr *attribute)
+         ASN1_TYPE_free(content);
+         return 1; /* FAILED */
+     }
+-    if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) {
+-        /* get a digest algorithm a message digest of the file from the content */
+-        mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm);
+-        memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length);
++    if (spc_extract_digest_safe(idc, mdbuf, &mdtype) < 0) {
++        SpcIndirectDataContent_free(idc);
++        return 1; /* FAILED */
+     }
+     ASN1_TYPE_free(content);
+     if (mdtype == -1) {
+diff --git a/pe.c b/pe.c
+index c93daa6..d55bdf5 100644
+--- a/pe.c
++++ b/pe.c
+@@ -320,9 +320,9 @@ static int pe_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7)
+                 SpcIndirectDataContent_free(idc);
+                 return 0; /* FAILED */
+             }
+-            if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) {
+-                mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm);
+-                memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length);
++            if (spc_extract_digest_safe(idc, mdbuf, &mdtype) < 0) {
++                SpcIndirectDataContent_free(idc);
++                return 0; /* FAILED */
+             }
+             SpcIndirectDataContent_free(idc);
+         }
+-- 
+2.43.0
+
@@ -0,0 +1,54 @@
+From 2a5409b7c4b6c6fad2b093531e8fea6cf08e1568 Mon Sep 17 00:00:00 2001
+From: olszomal <Malgorzata.Olszowka@stunnel.org>
+Date: Mon, 9 Feb 2026 14:18:06 +0100
+Subject: [PATCH] Fix header bounds validation in PE page hash calculation
+
+Upstream Patch reference: https://github.com/mtrojnar/osslsigncode/commit/2a5409b7c4b6c6fad2b093531e8fea6cf08e1568.patch
+---
+ pe.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/pe.c b/pe.c
+index d55bdf5..9b70b28 100644
+--- a/pe.c
++++ b/pe.c
+@@ -921,11 +921,12 @@ static u_char *pe_page_hash_calc(int *rphlen, FILE_FORMAT_CTX *ctx, int phtype)
+     uint32_t alignment, pagesize, hdrsize;
+     uint32_t rs, ro, l, lastpos = 0;
+     int pphlen, phlen, i, pi = 1;
+-    size_t written;
++    size_t written, off;
+     u_char *res, *zeroes;
+     char *sections;
+     const EVP_MD *md = EVP_get_digestbynid(phtype);
+     BIO *bhash;
++    uint32_t filebound;
+
+     /* NumberOfSections indicates the size of the section table,
+      * which immediately follows the headers, can be up to 65535 under Vista and later */
+@@ -959,6 +960,12 @@ static u_char *pe_page_hash_calc(int *rphlen, FILE_FORMAT_CTX *ctx, int phtype)
+         printf("Corrupted headers size: 0x%08X\n", hdrsize);
+         return NULL; /* FAILED */
+     }
++    /* Validate header bounds before performing BIO writes */
++    off = ctx->pe_ctx->header_size + 160 + (size_t)ctx->pe_ctx->pe32plus * 16;
++    if (hdrsize < off || hdrsize > filebound) {
++        printf("Corrupted headers size: 0x%08X\n", hdrsize);
++        return NULL;  /* FAILED: header too small */
++    }
+     /* SizeOfOptionalHeader is the size of the optional header, which is
+      * required for executable files, but for object files should be zero,
+      * and can't be bigger than the file */
+@@ -970,6 +977,9 @@ static u_char *pe_page_hash_calc(int *rphlen, FILE_FORMAT_CTX *ctx, int phtype)
+     pphlen = 4 + EVP_MD_size(md);
+     phlen = pphlen * (3 + (int)nsections + (int)(ctx->pe_ctx->fileend / pagesize));
+
++    /* Determine the file boundary for section data validation */
++    filebound = ctx->pe_ctx->sigpos ? ctx->pe_ctx->sigpos : ctx->pe_ctx->fileend;
++
+     bhash = BIO_new(BIO_f_md());
+     if (!BIO_set_md(bhash, md)) {
+         printf("Unable to set the message digest of BIO\n");
+-- 
+2.43.0
+