[PATCH] Fix CVE-2025-68972: Form feed detection in cleartext signatures
Werner Koch
wk at gnupg.org
Thu Jan 15 15:09:28 CET 2026
Hi!
On Wed, 14 Jan 2026 14:28, Shani Yosef said:
> I'm submitting a fix for CVE-2025-68972, a signature verification bypass
> in GnuPG 2.4.x documented at https://gpg.fail/formfeed.
Please see https://gnupg.org/blog/20251226-cleartext-signatures.html
which explains why this (and most of the other reported bugs) are
invalid because this is wrong usage of a tool or social engineering.
Never ever output arbitrary data to the terminal unless you can be sure
that all control characters are filtered out (e.g. using less(1)).
> The attached patch (CVE-2025-68972.patch) adds form feed detection in the
> cleartext signature
If you do that you should also remove all other control characters as
well as Unicode control characters.
Shalom-Salam,
Werner
p.s.
Whoever created that CVE should go to Mitre and have it invalidated.
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
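As an added illustration of Werner's point, not code from the submitted patch or from GnuPG, the following Python shows why a fix that only detects the form feed is narrower than the problem: a sanitizer that makes every ASCII and Unicode control or format character visible before text reaches the terminal, run against a constructed sample string (the sample is invented for this example, not taken from the advisory).

```python
import unicodedata

# Constructed sample (not from the CVE report): signed text followed by a form
# feed, a Unicode bidi override (U+202E) and an ESC byte, the kinds of
# characters a terminal would act on rather than display.
SAMPLE = "Signed text.\x0cUnsigned text\u202eafter\x1bmore"

# Categories that must never reach a terminal unescaped: Cc (C0/C1 controls,
# incl. form feed 0x0C and ESC 0x1B), Cf (format chars such as bidi
# overrides), Zl/Zp (Unicode line/paragraph separators).
UNSAFE_CATEGORIES = {"Cc", "Cf", "Zl", "Zp"}
# Plain layout characters that are safe to pass through.
ALLOWED_CONTROLS = {"\n", "\t"}


def is_unsafe(ch: str) -> bool:
    """True if ch is a control/format character the terminal would interpret."""
    return ch not in ALLOWED_CONTROLS and unicodedata.category(ch) in UNSAFE_CATEGORIES


def sanitize_for_terminal(text: str) -> str:
    """Replace every unsafe character with a visible \\xNN or \\uNNNN escape."""
    out = []
    for ch in text:
        if is_unsafe(ch):
            cp = ord(ch)
            out.append(f"\\x{cp:02x}" if cp <= 0xFF else f"\\u{cp:04x}")
        else:
            out.append(ch)
    return "".join(out)


def strip_form_feed_only(text: str) -> str:
    """The narrow approach: escape only the form feed, leave everything else."""
    return text.replace("\x0c", "\\x0c")


def contains_unsafe(text: str) -> bool:
    """Check used to compare the two approaches on the same input."""
    return any(is_unsafe(ch) for ch in text)


if __name__ == "__main__":
    print("form-feed-only still unsafe:", contains_unsafe(strip_form_feed_only(SAMPLE)))
    print("full sanitizer still unsafe:", contains_unsafe(sanitize_for_terminal(SAMPLE)))
    print(sanitize_for_terminal(SAMPLE))
```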