Description
A stack buffer overflow vulnerability exists in osslsigncode version 2.11 and earlier in several signature verification paths. During verification of a PKCS#7 signature, the code copies the digest value from a parsed SpcIndirectDataContent structure into a fixed-size stack buffer (mdbuf[EVP_MAX_MD_SIZE], 64 bytes) without validating that the source length fits within the destination buffer.
This pattern is present in the verification handlers for PE, MSI, CAB, and script files. An attacker can craft a malicious signed file with an oversized digest field in SpcIndirectDataContent. When a user verifies such a file with osslsigncode verify, the unbounded memcpy can overflow the stack buffer and corrupt adjacent stack state.
Not all file-format verification handlers are affected. In particular, CAT verification does not trigger this bug: cat_verify_digests() returns success without parsing the digest. CAT code in the same release contains a similar unsafe digest copy in a different code path, used for displaying catalog content, but that is distinct from the verification vulnerability described here.
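The pattern described above, reduced to its essentials, alongside a bounds-checked form. This is an added illustration, not osslsigncode's source: the parsed_digest struct stands in for the ASN1_OCTET_STRING (data pointer plus DER-supplied length) that the verifier reads out of SpcIndirectDataContent, the function names are invented, and EVP_MAX_MD_SIZE is defined locally with OpenSSL's value (64) so the example builds without OpenSSL headers.

```c
/* Added example modelling the digest-copy bug; not osslsigncode's code.
 * parsed_digest, copy_digest_unchecked, copy_digest_checked and
 * copy_digest_for_md are illustrative names. */
#include <stdio.h>
#include <string.h>

/* OpenSSL's EVP_MAX_MD_SIZE is 64 (SHA-512 output). Defined here so the
 * example compiles stand-alone. */
#ifndef EVP_MAX_MD_SIZE
#define EVP_MAX_MD_SIZE 64
#endif

/* Stand-in for the parsed digest: ASN1_OCTET_STRING exposes ->data and
 * ->length, and ->length comes straight from the attacker-supplied DER. */
typedef struct {
    const unsigned char *data;
    int length;
} parsed_digest;

/* Vulnerable pattern as described in the advisory: the DER length is trusted,
 * so a digest longer than 64 bytes writes past mdbuf on the stack.
 * Shown for contrast only; never call it with untrusted input. */
void copy_digest_unchecked(const parsed_digest *d, unsigned char mdbuf[EVP_MAX_MD_SIZE])
{
    memcpy(mdbuf, d->data, (size_t)d->length);
}

/* Hardened form: reject any length that does not fit the destination.
 * Returns bytes copied, or -1 if the digest is out of range. */
int copy_digest_checked(const parsed_digest *d, unsigned char mdbuf[EVP_MAX_MD_SIZE])
{
    if (d->length < 0 || d->length > EVP_MAX_MD_SIZE)
        return -1;
    memcpy(mdbuf, d->data, (size_t)d->length);
    return d->length;
}

/* Stricter form: the digest must be exactly the output size of the declared
 * algorithm (expected_md_len, e.g. 32 for SHA-256), so a padded or truncated
 * digest is rejected as well as an oversized one. */
int copy_digest_for_md(const parsed_digest *d, int expected_md_len,
                       unsigned char mdbuf[EVP_MAX_MD_SIZE])
{
    if (expected_md_len <= 0 || expected_md_len > EVP_MAX_MD_SIZE)
        return -1;
    if (d->length != expected_md_len)
        return -1;
    memcpy(mdbuf, d->data, (size_t)d->length);
    return d->length;
}

int main(void)
{
    unsigned char mdbuf[EVP_MAX_MD_SIZE];

    /* Constructed input: a 100-byte "digest" such as a crafted
     * SpcIndirectDataContent could carry. */
    unsigned char oversized[100];
    memset(oversized, 0x41, sizeof oversized);
    parsed_digest crafted = { oversized, (int)sizeof oversized };

    if (copy_digest_checked(&crafted, mdbuf) < 0)
        puts("rejected: digest longer than EVP_MAX_MD_SIZE");
    /* copy_digest_unchecked(&crafted, mdbuf) would write 36 bytes past mdbuf. */

    /* Constructed input: a well-formed 32-byte SHA-256-sized digest. */
    unsigned char sha256_sized[32];
    memset(sha256_sized, 0x42, sizeof sha256_sized);
    parsed_digest good = { sha256_sized, (int)sizeof sha256_sized };
    printf("copied %d bytes\n", copy_digest_for_md(&good, 32, mdbuf));
    return 0;
}
```

The fix in 2.12 is equivalent in spirit to copy_digest_checked: the length must be validated against the destination before the memcpy. Checking against the declared algorithm's digest size, as copy_digest_for_md does, is the stronger invariant, since a digest of the wrong length can never match anyway.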
Impact
- Arbitrary Code Execution: Stack corruption during verification may enable code execution in the context of the user running osslsigncode
- Denial of Service: Application crash when processing a malicious signed file
The attack requires user interaction (verifying a malicious signed file), but no special privileges are needed.
Notes
A proof-of-concept trigger is reported to exist. The upstream 2.12 release describes this issue as a critical memory corruption vulnerability that can lead to arbitrary code execution during verification of untrusted signed files.
Fixed in version 2.12: https://github.com/mtrojnar/osslsigncode/releases/tag/2.12