CVE-2025-52556: rfc3161-client has insufficient verification for timestamp response signatures
9.3
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| rfc3161-client | pip | <= 1.0.2 | 1.0.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability lies in the pkcs7_verify function within rust/src/lib.rs. The function was responsible for verifying the cryptographic signature of a timestamp response. The analysis of the patch 724a184f953e3f171f85cb223871172b41b0d0dc reveals that the original implementation performed an incomplete verification. It correctly checked that the certificate in the timestamp response chained up to a trusted root certificate, but it critically failed to verify that the signature on the timestamp response was actually created by the private key corresponding to the certificate. The patch replaces this flawed, manual verification logic with a call to p7.verify(), which is the correct and complete way to verify a PKCS#7 signature using the underlying OpenSSL library. This ensures that both the certificate chain and the signature itself are validated. The new test case test_verify_fails_invalid_tsr_signature added in the patch confirms this by attempting to verify a response with a known invalid signature, which now correctly fails.
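The gap described above, as an added example that is not rfc3161-client's code: a chain-only check accepts a response whose signature does not match its content, while a check that also verifies the signature under the certified key rejects it. Everything here is a constructed model (unpadded textbook RSA over Mersenne primes, dict-based "certificates", hypothetical function names) and is not real PKCS#7 handling.

```python
import hashlib

E = 65537  # public exponent shared by every constructed toy key

def make_key(p, q):
    """Toy textbook-RSA key (no padding, illustration only): (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, key):
    n, d = key
    return pow(_digest(data, n), d, n)

def sig_ok(data, sig, n):
    return pow(sig, E, n) == _digest(data, n)

def tbs(cert):
    """Bytes the issuer signs: subject name plus the subject's public modulus."""
    return cert["subject"].encode() + cert["n"].to_bytes(512, "big")

def chain_ok(cert, root_n):
    return sig_ok(tbs(cert), cert["issuer_sig"], root_n)

def verify_chain_only(resp, root_n):
    """Models the flaw described above: the certificate is validated, the signature is not."""
    return chain_ok(resp["cert"], root_n)

def verify_full(resp, root_n):
    """Chain check AND proof that the certified key signed this exact content."""
    cert = resp["cert"]
    return chain_ok(cert, root_n) and sig_ok(resp["content"], resp["sig"], cert["n"])

# Constructed sample data: Mersenne primes stand in for real key material.
ROOT = make_key(2**521 - 1, 2**607 - 1)
TSA = make_key(2**1279 - 1, 2**2203 - 1)
TSA_CERT = {"subject": "constructed-tsa", "n": TSA[0]}
TSA_CERT["issuer_sig"] = sign(tbs(TSA_CERT), ROOT)

GENUINE = {"content": b"hash=aa11;genTime=2025-01-01T00:00:00Z", "cert": TSA_CERT}
GENUINE["sig"] = sign(GENUINE["content"], TSA)
# Same certificate and signature, different content: the signature is now invalid.
INVALID = dict(GENUINE, content=b"hash=bb22;genTime=2020-01-01T00:00:00Z")

if __name__ == "__main__":
    for name, resp in (("genuine", GENUINE), ("invalid signature", INVALID)):
        print(name, verify_chain_only(resp, ROOT[0]), verify_full(resp, ROOT[0]))
```

A regression test for this class of bug needs a negative case like `INVALID`, where the certificate is valid and only the signature is wrong; a suite built solely from genuine responses passes under both verifiers.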