A talk from the hacker conference 39C3 about security vulnerabilities found in GPG (GnuPG) and similar tools.
They showed 14 vulnerabilities (9 of them are 0-days) 🤯.
Their website: https://gpg.fail/
(in English)
You must log in or # to comment.
At 09:10 - they demonstrate injecting text that does not break signatures - by appending text after manually inserting null terminator.
- Is null terminator a character that can be inserted using any enhanced text editor? How do I do that in vim?
- They go on to say that \v\r is not a new line - but actually I thought that Unix style of text documents end a line that way (\r)?
“Similar tools” include
- GnuPG
- Sequoia PGP
- age
- minisign
age being particularly funny.
