[PATCH] Fix CVE-2025-68972: Form feed detection in cleartext signatures
Shani Yosef
shani.yosef at echo.ai
Wed Jan 14 13:28:34 CET 2026
Hi Gnupg developers,
I'm submitting a fix for CVE-2025-68972, a signature verification bypass
in GnuPG 2.4.x documented at https://gpg.fail/formfeed.
*Summary*
The vulnerability allows an attacker to extend signed messages with
arbitrary data that still passes signature verification. This occurs
because commit 976e9d608 (Nov 2022) added form feed (\f) insertion for
truncated lines but did not add corresponding detection during signature
verification.
*Root Cause*
In g10/armor.c (line 784), truncated lines get a form feed character:
afx->buffer[afx->buffer_len++] = this_truncated? '\f':'\n';
However, g10/plaintext.c's handle_plaintext() function does not check
for '\f' during hash calculation, allowing the exploit described at
https://gpg.fail/formfeed.
*The Fix*
The attached patch (CVE-2025-68972.patch) adds form feed detection in the
cleartext signature hash calculation state machine. When '\f' is
encountered, the function logs an error and fails with GPG_ERR_BAD_SIGNATURE.
I'm happy to provide additional information, make adjustments to the
patch, or answer any questions.
Best regards,
Shani Yosef
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2025-68972.patch
Type: application/octet-stream
Size: 967 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20260114/6123c9db/attachment.obj>
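The check the message describes, shown as an added illustration rather than GnuPG's own code or the attached patch: a verifier-side routine that canonicalizes a dearmored cleartext body for hashing (trailing spaces and tabs stripped from each line, lines terminated with CRLF, which is the cleartext-signature convention) and refuses the whole body as soon as it meets a '\f'. The premise, taken from the message, is that the armor layer emits '\f' in place of the newline of a line it truncated, so any byte after that marker was never part of what the signer hashed. The status codes (CT_OK, CT_BAD_SIGNATURE, CT_NOMEM), the function names and the sample bodies are assumptions constructed for this example and are not GnuPG identifiers.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative status codes (hypothetical; not GnuPG's gpg_error_t values). */
enum {
    CT_OK = 0,
    CT_BAD_SIGNATURE = 1,   /* body contains a line-truncation marker ('\f') */
    CT_NOMEM = 2
};

/*
 * Canonicalize a dearmored cleartext body before it is fed to the hash:
 *   - trailing spaces and tabs are removed from every line
 *   - every line is terminated with CRLF (a bare CR is dropped)
 *   - a '\f' anywhere in the body is rejected: it marks a line the armor
 *     layer truncated, so the text that follows was never hashed by the
 *     signer and must not be accepted as signed.
 * On CT_OK, *out receives a malloc'd buffer (caller frees) and *out_len its
 * length; on CT_BAD_SIGNATURE or CT_NOMEM nothing is written to *out.
 */
int canonicalize_cleartext(const char *in, size_t in_len,
                           char **out, size_t *out_len)
{
    /* Worst case: every input byte is a lone '\n' that becomes "\r\n". */
    char *buf = malloc(in_len * 2 + 2);
    if (!buf)
        return CT_NOMEM;

    size_t o = 0;         /* write position in buf */
    size_t line_end = 0;  /* position just after the last non-blank byte of this line */
    int have_line = 0;    /* current line holds at least one byte */

    for (size_t i = 0; i < in_len; i++) {
        char c = in[i];
        if (c == '\f') {
            /* Truncation marker: refuse rather than hash a partial line. */
            free(buf);
            return CT_BAD_SIGNATURE;
        }
        if (c == '\r')
            continue;              /* CRLF collapses to LF, handled below */
        if (c == '\n') {
            o = line_end;          /* discard trailing whitespace */
            buf[o++] = '\r';
            buf[o++] = '\n';
            line_end = o;
            have_line = 0;
            continue;
        }
        buf[o++] = c;
        have_line = 1;
        if (c != ' ' && c != '\t')
            line_end = o;          /* remember end of last visible byte */
    }
    if (have_line) {               /* final line without a newline */
        o = line_end;
        buf[o++] = '\r';
        buf[o++] = '\n';
    }
    *out = buf;
    *out_len = o;
    return CT_OK;
}

/* Wrapper for a NUL-terminated body: returns only the status code. */
int cleartext_status(const char *body)
{
    char *out = NULL;
    size_t n = 0;
    int rc = canonicalize_cleartext(body, strlen(body), &out, &n);
    free(out);
    return rc;
}

/* Wrapper: 1 if body canonicalizes exactly to expected, else 0. */
int canonicalizes_to(const char *body, const char *expected)
{
    char *out = NULL;
    size_t n = 0;
    if (canonicalize_cleartext(body, strlen(body), &out, &n) != CT_OK)
        return 0;
    int eq = (n == strlen(expected) && memcmp(out, expected, n) == 0);
    free(out);
    return eq;
}

int main(void)
{
    /* Constructed sample bodies, not real signed messages. */
    const char *clean = "Hello world  \nsecond line\t\n";
    const char *marked = "signed text\fbytes after the truncation marker\n";
    printf("clean body  -> status %d\n", cleartext_status(clean));   /* 0 */
    printf("marked body -> status %d\n", cleartext_status(marked));  /* 1 */
    return 0;
}
```

The point of the state machine is that the '\f' check runs inside the same loop that produces the hashed bytes, so there is no window in which a later stage could hash text the armor layer already flagged as incomplete.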