From 7f58d55d667405f84cf4b5c93c3ad23737b33fb6 Mon Sep 17 00:00:00 2001
From: Vincent Thiberville
Date: Thu, 12 Oct 2023 23:11:41 +0200
Subject: [PATCH] fix verified field in pe module with multiple signatures

Commit 1a85738 fixed one bug but introduced a new one. The `pe.is_signed` field is now properly set (true if any signature is valid), but the `signatures[i].verified` is now incorrectly set: instead of being set to whether this signature is verified, it is set to true if any previous signature is verified. Unfortunately, there is no test file that is triggering this behavior. This would require having a signature that is invalid appearing after a signature that is valid.
---
 libyara/modules/pe/pe.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/libyara/modules/pe/pe.c b/libyara/modules/pe/pe.c
index 9fa74fc928..ffcb1908eb 100644
--- a/libyara/modules/pe/pe.c
+++ b/libyara/modules/pe/pe.c
@@ -1750,19 +1750,18 @@ void _process_authenticode(
 if (!auth_array || !auth_array->count)
 return;
 
- /* If any signature will be valid -> file is correctly signed */
 bool signature_valid = false;
 
 for (size_t i = 0; i < auth_array->count; ++i)
 {
 const Authenticode* authenticode = auth_array->signatures[i];
+ bool verified = authenticode->verify_flags == AUTHENTICODE_VFY_VALID;
 
- signature_valid |= authenticode->verify_flags == AUTHENTICODE_VFY_VALID
- ? true
- : false;
+ /* If any signature is valid -> file is correctly signed */
+ signature_valid |= verified;
 
 yr_set_integer(
- signature_valid, pe->object, "signatures[%i].verified", *sig_count);
+ verified, pe->object, "signatures[%i].verified", *sig_count);
 
 yr_set_string(
 authenticode->digest_alg,
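Review bot: The new declaration `bool verified = ...` at the top of the loop body has no comment separating it from the file-wide accumulator `signature_valid`, and confusing those two values is what made `signatures[i].verified` report true for an invalid signature that follows a valid one. Rules may rely on that field to decide whether a signer can be trusted, so a wrong true here fails open. I would mark the distinction in the code with `/* Result for this signature only; signature_valid is the file-wide OR */` above the declaration, and make it `const bool verified`. Renaming the accumulator to something like `any_signature_valid` would guard against the same slip, but its uses after the loop are outside this hunk, so that rename cannot be checked from here. The body of `_process_authenticode` starts and ends outside the hunk.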