[PATCH] Fix CVE-2025-68972: Form feed detection in cleartext signatures
Shani Yosef
shani.yosef at echo.ai
Sun Jan 18 13:42:47 CET 2026
Hi Werner,
Thanks for the clarification.
You mentioned whoever created it should invalidate. Since you're
the maintainer, it makes the most sense for you to dispute it directly
(https://cveform.mitre.org). Your dispute would carry the most weight.
Shalom-Salam,
Shani
On Thu, 15 Jan 2026 at 18:07, Werner Koch <wk at gnupg.org> wrote:
> On Thu, 15 Jan 2026 17:09, Shani Yosef said:
>
> > The code inserts '\f' when lines are truncated, but I didn't
> > find where '\f' is detected during verification to trigger the "bad signature
>
> Well, if the truncated stuff is part of the signed text the \f changes
> the signed text and thus you will get a bad signature. If it was not
> part of the signed text you would anyway not see it in the file created
> with --output.
>
>
> Shalom-Salam,
>
> Werner
>
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein
>