CVE-2025-43903: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-43903 is a security vulnerability discovered in Poppler before version 25.04.0. The vulnerability exists in the NSSCryptoSignBackend.cc component where the software fails to properly verify adbe.pkcs7.sha1 signatures on documents, which could lead to potential signature forgeries (NVD, Red Hat).

The vulnerability stems from a flaw in the signature verification process where for signatures with non-empty encapsulated content, typically adbe.pkcs7.sha1, the system only compared hash values and never actually checked SignatureValue within SignerInfo. This issue was introduced by a previous commit and made trivial signature forgeries possible. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N (Red Hat).

The vulnerability allows attackers to potentially forge document signatures by exploiting the improper verification of adbe.pkcs7.sha1 signatures. This could lead to document authenticity being compromised, as the system fails to properly validate the SignatureValue within SignerInfo (Gitlab Commit).

The vulnerability has been fixed in Poppler version 25.04.0. The fix involves properly implementing the signature verification process by calling NSSCMSSignerInfoVerify() after the hash values compare equal (Gitlab Commit).