From d837c65a8c51138600cd86f757a8c0c233aa98c1 Mon Sep 17 00:00:00 2001
From: Vincent Thiberville
Date: Thu, 12 Oct 2023 23:11:41 +0200
Subject: [PATCH] fix verified field in pe module with multiple signatures

Commit 1a85738 fixed one bug but introduced a new one. The `pe.is_signed` field is now properly set (true if any signature is valid), but the `signatures[i].verified` is now incorrectly set: instead of being set to whether this signature is verified, it is set to true if any previous signature is verified. Unfortunately, there is no test file that is triggering this behavior. This would require having a signature that is invalid appearing after a signature that is valid.
---
 libyara/modules/pe/pe.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/libyara/modules/pe/pe.c b/libyara/modules/pe/pe.c
index a9c96d9c36..ef847dfe08 100644
--- a/libyara/modules/pe/pe.c
+++ b/libyara/modules/pe/pe.c
@@ -1750,19 +1750,18 @@ void _process_authenticode(
 if (!auth_array || !auth_array->count)
 return;
- /* If any signature will be valid -> file is correctly signed */
 bool signature_valid = false;
 for (size_t i = 0; i < auth_array->count; ++i)
 {
 const Authenticode* authenticode = auth_array->signatures[i];
+ bool verified = authenticode->verify_flags == AUTHENTICODE_VFY_VALID;
- signature_valid |= authenticode->verify_flags == AUTHENTICODE_VFY_VALID
- ? true
- : false;
+ /* If any signature is valid -> file is correctly signed */
+ signature_valid |= verified;
 yr_set_integer(
- signature_valid, pe->object, "signatures[%i].verified", *sig_count);
+ verified, pe->object, "signatures[%i].verified", *sig_count);
 yr_set_string(
 authenticode->digest_alg,
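Review bot: Inside the loop, the accumulator `signature_valid` and the new per-signature `verified` are told apart only by their names, which is the confusion that produced the wrong `signatures[i].verified` value in the first place. Renaming the accumulator to `any_signature_valid` and adding `/* result for this signature only; never OR it with earlier iterations */` above `bool verified = ...` would make the two meanings hard to mix up again. The distinction matters to rule authors: the aggregate becomes true as soon as one signature validates, so only the per-signature field exposes an invalid signature sitting next to a valid one. `authenticode->verify_flags` is read without a NULL check on `auth_array->signatures[i]`; whether entries can be NULL is not visible here, so confirm the parser guarantees it. The body of `_process_authenticode` starts and ends outside the hunk.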