Hi Werner, Thank you for the clarification! I want to say that I didn't open this CVE, I only came across it and looked at the code. If you say it should be disputed, I'll follow your guidance on that.
However, since I was already looking at the code, I noticed this comment from commit 976e9d608 that I wanted to ask about:

     * To make sure that a truncated line triggers a bad
     * signature error we replace a removed LF by a FF or
     * append a FF. Right, this is a hack but better than a
     * global variable and way easier than to introduce a new
     * control packet or insert a line like "[truncated]\n"
     * into the filter output.

The code inserts '\f' when lines are truncated, but I didn't find where '\f' is detected during verification to trigger the "bad signature error" mentioned in the comment. Is this intentionally not implemented, or is there something that I'm missing?

Shalom-Salam,
Shani

On Thu, 15 Jan 2026 at 16:05, Werner Koch <[email protected]> wrote:
> Hi!
>
> On Wed, 14 Jan 2026 14:28, Shani Yosef said:
>
> > I'm submitting a fix for CVE-2025-68972, a signature verification bypass
> > in GnuPG 2.4.x documented at https://gpg.fail/formfeed.
>
> Please see https://gnupg.org/blog/20251226-cleartext-signatures.html
> which explains why this (and most of the other reported bugs) are
> invalid because this is wrong usage of a tool or social engineering.
>
> Never ever output arbitrary data to the terminal unless you can be sure
> that all control characters are filtered out (e.g. using less(1)).
>
> > The attached patch (CVE-2025-68972.patch) adds form feed detection in the
> > cleartext signature
>
> If you do that you should also remove all other control characters as
> well as Unicode control characters.
>
>
> Shalom-Salam,
>
> Werner
>
>
> p.s.
> Whoever created that CVE should go to Mitre and have it invalidated.
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein
>
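Werner's point above is that filtering only the form feed is not enough: anything that shows untrusted text on a terminal should neutralize every ASCII and Unicode control character. The following is an added example of such a display-side filter, not GnuPG code; the allowlist of newline and tab, the "?" placeholder and the sample message are assumptions chosen for the demonstration.

```python
import unicodedata

# Control characters that are normally harmless to show as-is (assumption).
SAFE_CONTROLS = frozenset("\n\t")

# Unicode general categories covering ASCII/C1 controls (Cc) and
# format characters such as bidi overrides (Cf).
CONTROL_CATEGORIES = ("Cc", "Cf")


def is_unsafe_control(ch: str) -> bool:
    """True for any control/format character outside the allowlist."""
    return ch not in SAFE_CONTROLS and unicodedata.category(ch) in CONTROL_CATEGORIES


def sanitize_for_terminal(text: str, replacement: str = "?") -> str:
    """Return text with every unsafe control character replaced by a
    visible placeholder, so the data cannot steer the terminal."""
    return "".join(replacement if is_unsafe_control(ch) else ch for ch in text)


def count_controls(text: str) -> int:
    """Number of characters sanitize_for_terminal() would replace."""
    return sum(1 for ch in text if is_unsafe_control(ch))


# Constructed sample: a clear-signed message body carrying a form feed,
# a carriage return and a Unicode right-to-left override (U+202E).
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n\n"
    "line one\f\r\u202eline two\n"
    "-----BEGIN PGP SIGNATURE-----\n"
)

if __name__ == "__main__":
    print(count_controls(SAMPLE), "control characters replaced")
    print(sanitize_for_terminal(SAMPLE))
```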
_______________________________________________ Gnupg-devel mailing list [email protected] https://lists.gnupg.org/mailman/listinfo/gnupg-devel
