Change Details

//[ Note that this is also the parent ticket for a couple of other reports by the same source] // In GnuPG implementation, g10/armor.c, the function `parse_hash_header` has an argument LINE and **not** have length of line. When the header line input has is something like (expressed by C-escape for the NULL byte): ``` Hash: SHA256\x00.... ``` The string after the NULL byte is ignored and it won't included in the computation of the signature. This could be abused by an attacker and a user would see the string as if it's covered by the signature.

//[ Note that this is also the parent ticket for a couple of other reports by the same source] // In GnuPG implementation, g10/armor.c, the function `parse_hash_header` has an argument LINE and **not** have length of line. When the header line input has is something like (expressed by C-escape for the NULL byte): ``` Hash: SHA256\x00.... ``` The string after the NULL byte is ignored and it won't included in the computation of the signature. This could be abused by an attacker and a user would see the string as if it's covered by the signature. ------------------ Reported-by: 49016 and Liam (two-heart)

//[ Note that this is also the parent ticket for a couple of other reports by the same source] // In GnuPG implementation, g10/armor.c, the function `parse_hash_header` has an argument LINE and **not** have length of line. When the header line input has is something like (expressed by C-escape for the NULL byte): ``` Hash: SHA256\x00.... ``` The string after the NULL byte is ignored and it won't included in the computation of the signature. This could be abused by an attacker and a user would see the string as if it's covered by the signature. ------------------ Reported-by: 49016 and Liam (two-heart)