[PATCH] Fix CVE-2025-68972: Form feed detection in cleartext signatures
Andrew Gallagher
andrewg at andrewg.com
Thu Jan 15 10:57:53 CET 2026
Hi, Shani.
On 14/01/2026 12:28, Shani Yosef via Gnupg-devel wrote:
> The attached patch (CVE-2025-68972.patch) adds form feed detection in
> the cleartext signature hash calculation state machine. When '\f' is
> encountered, the function logs an error and fails with GPG_ERR_BAD_SIGNATURE.
What if the original document had a real '\f' in it? That would mean a
signature over it would never validate. Would it not be cleaner to stop
truncating and adding '\f', and instead just fail on overlong lines?
A
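To make the trade-off in this exchange concrete, here is an added toy model of the three behaviours under discussion; it is not GnuPG's code and not from either poster. It models truncating an overlong line and appending '\f' before hashing (the behaviour the reply describes), the patch's approach of failing in the hash state machine whenever '\f' is seen, and the alternative raised in the reply of failing on overlong lines without ever inserting '\f'. The 20-byte line limit, the FNV-1a stand-in for the real digest, the HASH_BAD_SIGNATURE code standing in for GPG_ERR_BAD_SIGNATURE, and the sample documents are all assumptions constructed for this example.

```c
/* Toy model of a cleartext-signature line canonicaliser.  Not GnuPG code:
 * the line limit, the FNV-1a stand-in for the real digest and the sample
 * documents are assumptions made for this demonstration only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_LINE 20            /* hypothetical line-buffer limit */

enum policy {
    POLICY_TRUNCATE,           /* truncate overlong lines, append '\f', hash */
    POLICY_REJECT_FF,          /* as above, but the hasher fails on any '\f' */
    POLICY_REJECT_LONG         /* never truncate: fail on overlong lines */
};

#define HASH_OK 0
#define HASH_BAD_SIGNATURE (-1)   /* stands in for GPG_ERR_BAD_SIGNATURE */

/* 64-bit FNV-1a, used here instead of a real message digest. */
static uint64_t fnv1a(uint64_t h, const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Hash state machine: strips trailing blanks, hashes the line, then CRLF
 * (canonical text).  Under POLICY_REJECT_FF it refuses any form feed. */
static int hash_line(enum policy pol, uint64_t *h,
                     const unsigned char *line, size_t len)
{
    if (pol == POLICY_REJECT_FF)
        for (size_t i = 0; i < len; i++)
            if (line[i] == '\f')
                return HASH_BAD_SIGNATURE;   /* "form feed detected" */
    while (len && (line[len - 1] == ' ' || line[len - 1] == '\t'))
        len--;
    *h = fnv1a(*h, line, len);
    *h = fnv1a(*h, (const unsigned char *)"\r\n", 2);
    return HASH_OK;
}

/* Line reader feeding the hasher.  On success stores the digest in *out. */
int hash_cleartext(enum policy pol, const char *text, uint64_t *out)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    unsigned char buf[MAX_LINE + 1];   /* +1 for the appended '\f' */
    size_t n = 0;
    int truncated = 0;

    for (const char *p = text; ; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '\n' || c == '\0') {
            if (c == '\0' && n == 0 && !truncated)
                break;                 /* text ended with '\n' */
            if (truncated)
                buf[n++] = '\f';       /* truncation marker */
            if (hash_line(pol, &h, buf, n) != HASH_OK)
                return HASH_BAD_SIGNATURE;
            n = 0;
            truncated = 0;
            if (c == '\0')
                break;
            continue;
        }
        if (n == MAX_LINE) {
            if (pol == POLICY_REJECT_LONG)
                return HASH_BAD_SIGNATURE;   /* overlong line */
            truncated = 1;             /* drop the rest of the line */
            continue;
        }
        buf[n++] = c;
    }
    *out = h;
    return HASH_OK;
}

/* Constructed sample documents. */
const char *const DOC_LONG   = "Transfer 100 EUR to Alice\n";  /* 25 bytes */
const char *const DOC_FORGED = "Transfer 100 EUR to \f\n";     /* 20-byte prefix + '\f' */
const char *const DOC_FF     = "page one\fpage two\n";        /* a genuine form feed */

int policy_result(enum policy pol, const char *doc)
{
    uint64_t h;
    return hash_cleartext(pol, doc, &h);
}

int digests_equal(enum policy pol, const char *a, const char *b)
{
    uint64_t ha, hb;
    return hash_cleartext(pol, a, &ha) == HASH_OK &&
           hash_cleartext(pol, b, &hb) == HASH_OK && ha == hb;
}

int main(void)
{
    printf("truncate:    long/forged collide=%d  ff doc ok=%d\n",
           digests_equal(POLICY_TRUNCATE, DOC_LONG, DOC_FORGED),
           policy_result(POLICY_TRUNCATE, DOC_FF) == HASH_OK);
    printf("reject_ff:   long ok=%d  ff doc ok=%d\n",
           policy_result(POLICY_REJECT_FF, DOC_LONG) == HASH_OK,
           policy_result(POLICY_REJECT_FF, DOC_FF) == HASH_OK);
    printf("reject_long: long ok=%d  ff doc ok=%d\n",
           policy_result(POLICY_REJECT_LONG, DOC_LONG) == HASH_OK,
           policy_result(POLICY_REJECT_LONG, DOC_FF) == HASH_OK);
    return 0;
}
```

Under the truncating policy any two documents that agree on the first 20 bytes of an overlong line canonicalise to the same bytes (the prefix followed by '\f'), so their digests collide. Rejecting '\f' in the hasher closes that, but it also refuses DOC_FF, which contains a real form feed and is exactly the case the reply objects to. Rejecting overlong lines refuses both colliding inputs while the document with a genuine form feed still hashes, and no '\f' is ever injected into the hashed text.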