Check flevel bounds

Cisco-Talos · Dec 13, 2024 · 8fba069 · 8fba069
1 parent c1099f9
commit 8fba069
Showing 1 changed file with 14 additions and 3 deletions.
diff --git a/libclamav_rust/src/codesign.rs b/libclamav_rust/src/codesign.rs
@@ -22,7 +22,7 @@ use clam_sigutil::{
 
 use log::{debug, error, warn};
 
-use crate::{ffi_error, ffi_util::FFIError, validate_str_param};
+use crate::{ffi_error, ffi_util::FFIError, sys::cl_retflevel, validate_str_param};
 
 #[derive(Debug, thiserror::Error)]
 pub enum Error {
@@ -362,16 +362,27 @@ pub fn verify_signed_file(
         let data = line.as_bytes();
 
         match parse_from_cvd_with_meta(SigType::DigitalSignature, &data.into()) {
-            Ok((sig, _meta)) => {
+            Ok((sig, meta)) => {
                 let sig = sig.downcast::<DigitalSig>().unwrap();
 
-                sig.validate(&_meta).map_err(|e| {
+                sig.validate(&meta).map_err(|e| {
                     Error::CannotVerify(format!(
                         "{:?}:{}: Invalid signature: {}",
                         signature_file_path, index, e
                     ))
                 })?;
 
+                // verify the flevel bounds of this signature compared with the current flevel
+                let current_flevel = unsafe { cl_retflevel() };
+                let sig_flevel_range = meta.f_level.unwrap();
+                if !sig_flevel_range.contains(&current_flevel) {
+                    debug!(
+                        "{:?}:{}: Signature feature level range {:?} does not include current feature level {}",
+                        signature_file_path, index, sig_flevel_range, current_flevel
+                    );
+                    continue;
+                }
+
                 match *sig {
                     DigitalSig::Pkcs7(pkcs7) => {
                         // Try to verify with each certificate in the certs directory.