Hi, Shani.
On 14/01/2026 12:28, Shani Yosef via Gnupg-devel wrote:
> The attached patch (CVE-2025-68972.patch) adds form feed detection in
> the cleartext signature hash calculation state machine. When '\f' is
> encountered, the function logs an error and fails with
> GPG_ERR_BAD_SIGNATURE.

What if the original document had a real '\f' in it? That would mean a
signature over it would never validate. Would it not be cleaner to stop
truncating and adding '\f', and instead just fail on overlong lines?
A