[PATCH] Fix CVE-2025-68972: Form feed detection in cleartext signatures
Werner Koch
wk at gnupg.org
Thu Jan 15 17:11:28 CET 2026
On Thu, 15 Jan 2026 17:09, Shani Yosef said:
> The code inserts '\f' when lines are truncated, but I didn't
> find where '\f' is detected during verification to trigger the "bad
> signature
Well, if the truncated stuff is part of the signed text the \f changes
the signed text and thus you will get a bad signature. If it was not
part of the signed text you would anyway not see it in the file created
with --output.
Shalom-Salam,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein