They presented critical parser flaws in all major PGP implementations, not just GNU PGP, also sequoia, minisign and age. But gpg made the worst impression to us. wontfix

▲

pornel 11 hours ago | parent | next [-]

Sequoia is mentioned in only one vulnerability for supporting lines much longer than gpg. gpg silently truncates and discards long base64 lines and sequoia does not. So the vulnerability is in ability to feed more data to sequoia which doesn't have the silent data loss of gpg.

In all other cases they only used sequoia as a tool to build data for demonstrating gpg vulnerabilities.

	▲	tptacek 10 hours ago \| parent [-]
		The vulnerability that opens the talk, where they walk through verifying a Linux ISO's signature and hash and then boot into a malicious image, impacts both GnuPG and Sequoia.

▲

akerl_ 19 hours ago | parent | prev [-]

Since when are age or minisign PGP implementations?

	▲	pornel 11 hours ago \| parent \| next [-]
		They're not, but the flaws they found are independent of PGP. Mainly invalid handling of strings in C and allowing untrusted ANSI codes in terminal output.
	▲	some_furry 17 hours ago \| parent \| prev [-]
		The talk title includes "& Friends", for what it's worth.