[PATCH] Fix CVE-2025-68972: Form feed detection in cleartext signatures

Shani Yosef shani.yosef at echo.ai
Thu Jan 15 16:09:10 CET 2026 

Hi Werner,

Thank you for the clarification!
I want to say that I didn't open this CVE, I only came across it and looked
at the code. If you say it should be
disputed, I'll follow your guidance on that.

However, since I was already looking at the code, I noticed this comment
from commit 976e9d608
that I wanted to ask about:
* To make sure that a truncated line triggers a bad
* signature error we replace a removed LF by a FF or
* append a FF. Right, this is a hack but better than a
* global variable and way easier than to introduce a new
* control packet or insert a line like "[truncated]\n"
* into the filter output.

The code inserts '\f' when lines are truncated, but I didn't
find where '\f' is detected during verification to trigger the "bad
signature
error" mentioned in the comment.

Is this intentionally not implemented, or is there something that I'm
missing?

Shalom-Salam,
Shani

On Thu, 15 Jan 2026 at 16:05, Werner Koch <wk at gnupg.org> wrote:

> Hi!
>
> On Wed, 14 Jan 2026 14:28, Shani Yosef said:
>
> > I'm submitting a fix for CVE-2025-68972, a signature verification bypass
> > in GnuPG 2.4.x documented at https://gpg.fail/formfeed.
>
> Please see https://gnupg.org/blog/20251226-cleartext-signatures.html
> which explains why this (and most of the other reported bugs) are
> invalid because this is wrong usage of a tool or social engineering.
>
> Never ever output arbitrary data to the terminal unless you can be sure
> that all control characters are filtered out (e.g. using less(1)).
>
> > The attached patch (CVE-2025-68972.patch) adds form feed detection in the
> > cleartext signature
>
> If you do that you should also remove all other control characters as
> well as Unicode control characters.
>
>
> Shalom-Salam,
>
>    Werner
>
>
> p.s.
> Whoever created that CVE should go to Mitre and have it invalidated.
>
> --
> The pioneers of a warless world are the youth that
> refuse military service.             - A. Einstein
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20260115/09243b1d/attachment-0001.html>

More information about the Gnupg-devel mailing list