Hi! On Wed, 14 Jan 2026 14:28, Shani Yosef said:
> I'm submitting a fix for CVE-2025-68972, a signature verification bypass
> in GnuPG 2.4.x documented at https://gpg.fail/formfeed.

Please see https://gnupg.org/blog/20251226-cleartext-signatures.html which
explains why this (and most of the other reported bugs) are invalid because
this is wrong usage of a tool or social engineering. Never ever output
arbitrary data to the terminal unless you can be sure that all control
characters are filtered out (e.g. using less(1)).

> The attached patch (CVE-2025-68972.patch) adds form feed detection in the
> cleartext signature

If you do that you should also remove all other control characters as well
as Unicode control characters.

Shalom-Salam,

   Werner

p.s.
Whoever created that CVE should go to Mitre and have it invalidated.

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
_______________________________________________ Gnupg-devel mailing list [email protected] https://lists.gnupg.org/mailman/listinfo/gnupg-devel
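Werner's point above is that filtering only the form feed is not enough: anything a terminal interprets rather than displays (ASCII C0/C1 controls, DEL, and Unicode format characters such as bidi overrides) has to be neutralised before untrusted text reaches the screen. The following is an added illustration of that filtering, written for this page and not code from GnuPG or from the submitted patch; the function names and the sample message are constructed for the example.

```python
import unicodedata

# Characters allowed to pass through unchanged: newline and tab keep normal
# text readable; every other control or format character is made visible.
ALLOWED_CONTROLS = {"\n", "\t"}


def is_risky_control(ch: str) -> bool:
    """True for any character a terminal might act on instead of printing.

    Category Cc covers ASCII C0 controls (0x00-0x1F), DEL (0x7F) and the C1
    range (U+0080-U+009F). Category Cf covers Unicode format characters,
    including the bidi overrides (e.g. U+202E) that visually reorder text.
    """
    if ch in ALLOWED_CONTROLS:
        return False
    return unicodedata.category(ch) in ("Cc", "Cf")


def find_control_chars(text: str):
    """Detection helper: (offset, codepoint, category) for each risky char."""
    return [
        (i, ord(ch), unicodedata.category(ch))
        for i, ch in enumerate(text)
        if is_risky_control(ch)
    ]


def sanitize_for_terminal(text: str) -> str:
    """Return text that is safe to print on a terminal.

    C0 controls are shown caret-style (form feed becomes ^L), as less(1)
    does; DEL becomes ^?; everything else becomes a \\uXXXX escape, so no
    byte is silently dropped and the reader can see what was there.
    """
    out = []
    for ch in text:
        cp = ord(ch)
        if not is_risky_control(ch):
            out.append(ch)
        elif cp < 0x20:
            out.append("^" + chr(cp + 0x40))
        elif cp == 0x7F:
            out.append("^?")
        else:
            out.append("\\u%04x" % cp)
    return "".join(out)


# Constructed sample: a message body where a form feed (0x0C) is followed by
# text that would push the first line off a raw terminal, and a second line
# starting with a right-to-left override (U+202E).
SAMPLE = "Pay 10 EUR\x0cPay 1000 EUR\n\u202eabc\n"

if __name__ == "__main__":
    for offset, cp, cat in find_control_chars(SAMPLE):
        print(f"offset {offset}: U+{cp:04X} ({cat})")
    print(sanitize_for_terminal(SAMPLE))
```

The detection function is what a signature-verification front end would use to decide whether to warn; the sanitiser is what it would use before echoing the signed text. Note that newline and tab are deliberately allowed through, so a caller that needs single-line output must still handle those separately.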
