new file mode 100644
@@ -0,0 +1,75 @@
+From 33672ca1b6670f7378e24f6d475438f7f5d86b05 Mon Sep 17 00:00:00 2001
+From: Sune Vuorela <sune@vuorela.dk>
+Date: Mon, 22 May 2023 19:53:08 +0000
+Subject: [PATCH] Fix crash with weird hashing used for signatures
+
+CVE: CVE-2025-43903
+Upstream-Status: Backport [https://gitlab.freedesktop.org/poppler/poppler/-/commit/33672ca1b6670f7378e24f6d475438f7f5d86b05]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ poppler/SignatureHandler.cc | 15 ++++++++++++---
+ poppler/SignatureHandler.h | 7 ++++++-
+ 2 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/poppler/SignatureHandler.cc b/poppler/SignatureHandler.cc
+index 9916300..f0b7006 100644
+--- a/poppler/SignatureHandler.cc
++++ b/poppler/SignatureHandler.cc
+@@ -768,11 +768,11 @@ SignatureVerificationHandler::SignatureVerificationHandler(std::vector<unsigned
+ SECItem usedAlgorithm = NSS_CMSSignedData_GetDigestAlgs(CMSSignedData)[0]->algorithm;
+ auto hashAlgorithm = SECOID_FindOIDTag(&usedAlgorithm);
+ HASH_HashType hashType = HASH_GetHashTypeByOidTag(hashAlgorithm);
+- hashContext = std::make_unique<HashContext>(ConvertHashTypeFromNss(hashType));
++ hashContext = HashContext::create(ConvertHashTypeFromNss(hashType));
+ }
+ }
+
+-SignatureSignHandler::SignatureSignHandler(const std::string &certNickname, HashAlgorithm digestAlgTag) : hashContext(std::make_unique<HashContext>(digestAlgTag)), signing_cert(nullptr)
++SignatureSignHandler::SignatureSignHandler(const std::string &certNickname, HashAlgorithm digestAlgTag) : hashContext(HashContext::create(digestAlgTag)), signing_cert(nullptr)
+ {
+ SignatureHandler::setNSSDir({});
+ signing_cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), certNickname.c_str());
+@@ -1232,7 +1232,16 @@ std::vector<unsigned char> HashContext::endHash()
+ return digestBuffer;
+ }
+
+-HashContext::HashContext(HashAlgorithm algorithm) : hash_context { HASH_Create(HASH_GetHashTypeByOidTag(ConvertHashAlgorithmToNss(algorithm))) }, digest_alg_tag(algorithm) { }
++HashContext::HashContext(HashAlgorithm algorithm, private_tag) : hash_context { HASH_Create(HASH_GetHashTypeByOidTag(ConvertHashAlgorithmToNss(algorithm))) }, digest_alg_tag(algorithm) { }
++
++std::unique_ptr<HashContext> HashContext::create(HashAlgorithm algorithm)
++{
++ auto ctx = std::make_unique<HashContext>(algorithm, private_tag {});
++ if (ctx->hash_context) {
++ return ctx;
++ }
++ return {};
++}
+
+ HashAlgorithm HashContext::getHashAlgorithm() const
+ {
+diff --git a/poppler/SignatureHandler.h b/poppler/SignatureHandler.h
+index c9fb575..f1b319f 100644
+--- a/poppler/SignatureHandler.h
++++ b/poppler/SignatureHandler.h
+@@ -51,12 +51,17 @@ static const int maxSupportedSignatureSize = 10000;
+
+ class HashContext
+ {
++ class private_tag
++ {
++ };
++
+ public:
+- explicit HashContext(HashAlgorithm algorithm);
++ HashContext(HashAlgorithm algorithm, private_tag);
+ void updateHash(unsigned char *data_block, int data_len);
+ std::vector<unsigned char> endHash();
+ HashAlgorithm getHashAlgorithm() const;
+ ~HashContext() = default;
++ static std::unique_ptr<HashContext> create(HashAlgorithm algorithm);
+
+ private:
+ struct HashDestroyer
+--
+2.40.0
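Review bot: `HashContext::create` now returns an empty `unique_ptr` when `HASH_Create` rejects the algorithm, and the `SignatureVerificationHandler` constructor stores that result in `hashContext` with no visible handling, so every later `hashContext->` dereference on the verification path needs a null check that this patch does not add; I cannot see `validateSignature` or the update/end helpers from here, so please confirm each caller is guarded before this lands (the companion patch in this series calls `hashContext->getHashAlgorithm()` unconditionally). The nullable contract should at least be stated on the new declaration in the header, e.g. `/// Returns nullptr when NSS cannot create a digest context for \p algorithm (HASH_Create failed); callers must check before use.`, and the factory is worth declaring as `[[nodiscard]] static std::unique_ptr<HashContext> create(HashAlgorithm algorithm);` so a dropped result is a compiler warning rather than a later crash. The public `HashContext(HashAlgorithm, private_tag)` constructor is fine as the `make_unique` escape hatch, but a one-line comment saying that `private_tag` exists only to force construction through `create()` would stop someone "cleaning it up". Both constructor bodies in the first hunk begin before the hunk and are not fully visible.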
new file mode 100644
@@ -0,0 +1,49 @@
+From f1b9c830f145a0042e853d6462b2f9ca4016c669 Mon Sep 17 00:00:00 2001
+From: Juraj sarinay <juraj@sarinay.com>
+Date: Thu, 6 Mar 2025 02:02:56 +0100
+Subject: [PATCH] Properly verify adbe.pkcs7.sha1 signatures.
+
+For signatures with non-empty encapsulated content
+(typically adbe.pkcs7.sha1), we only compared hash values and
+never actually checked SignatureValue within SignerInfo.
+The bug introduced by c7c0207b1cfe49a4353d6cda93dbebef4508138f
+made trivial signature forgeries possible. Fix this by calling
+NSS_CMSSignerInfo_Verify() after the hash values compare equal.
+
+CVE: CVE-2025-43903
+Upstream-Status: Backport [https://gitlab.freedesktop.org/poppler/poppler/-/commit/f1b9c830f145a0042e853d6462b2f9ca4016c669]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ poppler/SignatureHandler.cc | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/poppler/SignatureHandler.cc b/poppler/SignatureHandler.cc
+index 9916300..5c478bc 100644
+--- a/poppler/SignatureHandler.cc
++++ b/poppler/SignatureHandler.cc
+@@ -934,13 +934,20 @@ SignatureValidationStatus SignatureVerificationHandler::validateSignature()
+ This means it's not a detached type signature
+ so the digest is contained in SignedData->contentInfo
+ */
+- if (digest.len == content_info_data->len && memcmp(digest.data, content_info_data->data, digest.len) == 0) {
++ if (digest.len != content_info_data->len || memcmp(digest.data, content_info_data->data, digest.len) != 0) {
+ return SIGNATURE_VALID;
+ } else {
+ return SIGNATURE_DIGEST_MISMATCH;
+ }
+
+- } else if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
++ auto innerHashContext = HashContext::create(hashContext->getHashAlgorithm());
++ innerHashContext->updateHash(content_info_data->data, content_info_data->len);
++ digest_buffer = innerHashContext->endHash();
++ digest.data = digest_buffer.data();
++ digest.len = digest_buffer.size();
++ }
++
++ if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
+ return NSS_SigTranslate(CMSSignerInfo->verificationStatus);
+ } else {
+ return SIGNATURE_VALID;
+--
+2.40.0
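Review bot: As rendered here, the three lines after the rewritten condition in `validateSignature` — `return SIGNATURE_VALID;`, `} else {` and `return SIGNATURE_DIGEST_MISMATCH;` — survive as context, which inverts the result (a digest that does not match the encapsulated content returns `SIGNATURE_VALID`, a matching one returns `SIGNATURE_DIGEST_MISMATCH`) and makes the new `innerHashContext` re-hash and the `NSS_CMSSignerInfo_Verify` call unreachable for this signature type, so the forgery the patch is meant to close would stay open. The patch's own diffstat (`9 insertions(+), 2 deletions(-)`) matches that reading, so this looks like the backport rather than a rendering artifact, but please verify against the applied tree: the body of the inverted `if` must be exactly `return SIGNATURE_DIGEST_MISMATCH;` with the old `} else { ... }` removed, so control falls through to the SignerInfo check. Separately, `HashContext::create` returns an empty pointer when `HASH_Create` fails and `innerHashContext->updateHash(...)` dereferences it unchecked; add `if (!innerHashContext) { return SIGNATURE_GENERIC_ERROR; }` (or whichever error enumerator this tree provides) before the update, and the same guard is needed for `hashContext` itself, which the first patch in this series made nullable. `validateSignature` starts before this hunk, so its earlier checks are not visible from here.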
@@ -14,6 +14,8 @@ SRC_URI = "http://poppler.freedesktop.org/${BP}.tar.xz \
file://CVE-2024-56378.patch \
file://CVE-2025-32364.patch \
file://CVE-2025-32365.patch \
+ file://CVE-2025-43903-0001.patch \
+ file://CVE-2025-43903-0002.patch \
"
SRC_URI[sha256sum] = "b6d893dc7dcd4138b9e9df59a13c59695e50e80dc5c2cacee0674670693951a1"