this post was submitted on 29 Dec 2025
Linux

Archive link https://archive.is/C0hJw

At the 39th Chaos Communication Congress, security researchers Lexi Groves, aka 49016, and Liam Wachter demonstrated a whole series of vulnerabilities in various tools for encrypting and signing data. In total, the researchers found 14 vulnerabilities in four different programs. All discovered problems are implementation errors, meaning they do not affect the fundamental security of the methods used, but rather their concrete – and indeed flawed – implementation in the respective tool.

The focus of the presentation was the popular PGP implementation GnuPG, whose code is generally considered to be well-established. Nevertheless, the security researchers found numerous vulnerabilities, including typical errors when processing C strings through injected null bytes. This allowed, among other things, signatures to be falsely displayed as valid, or it was possible to prepend text to signed data that was neither captured nor exposed as a modification by the signature.

The issues found in GnuPG cover a broad spectrum of causes: attackers could exploit clearly erroneous code, or provoke misleading output that tempts users into fatal actions. Furthermore, they could inject ANSI sequences that, while correctly processed by GnuPG, lead to virtually arbitrary output in the victim's terminal. The latter can be exploited to give users malicious instructions that only appear to come from GnuPG, or to overwrite legitimate security queries from GnuPG with harmless follow-up questions, causing users to unintentionally approve dangerous actions.
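The two bug classes named above, an embedded null byte silently truncating what a C-string check sees and untrusted bytes reaching the terminal as ANSI control sequences, are illustrated by this added example (my own code, not GnuPG's, with a constructed sample buffer): a `strcmp`-based check beside a length-aware one, and a sanitiser that neutralises control bytes before echoing data to a terminal.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample: an 11-byte value carrying an embedded NUL after "alice".
 * Anything that treats it as a C string sees only "alice". */
static const unsigned char sample_uid[] = "alice\0@evil";

/* Bug pattern: the caller knows the length but the check ignores it,
 * so strcmp stops at the embedded NUL and the trailing bytes go unchecked. */
int uid_matches_cstr(const unsigned char *buf, size_t len, const char *expected) {
    (void)len;
    return strcmp((const char *)buf, expected) == 0;
}

/* Length-aware check: rejects embedded NULs and compares exactly len bytes. */
int uid_matches_len(const unsigned char *buf, size_t len, const char *expected) {
    if (memchr(buf, '\0', len) != NULL) return 0;   /* embedded NUL: reject */
    if (len != strlen(expected)) return 0;
    return memcmp(buf, expected, len) == 0;
}

/* Replaces ESC and other C0 control bytes (except '\n' and '\t') and DEL
 * with '?' so attacker-supplied ANSI sequences cannot repaint the terminal.
 * Bytes >= 0x80 are left alone so UTF-8 survives. Writes at most out_len-1
 * bytes plus a NUL; returns how many bytes were replaced. */
size_t sanitize_for_terminal(const unsigned char *in, size_t in_len,
                             char *out, size_t out_len) {
    size_t replaced = 0, o = 0;
    for (size_t i = 0; i < in_len && o + 1 < out_len; i++) {
        unsigned char c = in[i];
        int is_ctrl = (c < 0x20 && c != '\n' && c != '\t') || c == 0x7f;
        out[o++] = is_ctrl ? '?' : (char)c;
        if (is_ctrl) replaced++;
    }
    out[o] = '\0';
    return replaced;
}

int main(void) {
    size_t len = sizeof(sample_uid) - 1;   /* 11 bytes, not the 5 strcmp sees */
    printf("strcmp check: %d\n", uid_matches_cstr(sample_uid, len, "alice")); /* 1: fooled */
    printf("length check: %d\n", uid_matches_len(sample_uid, len, "alice"));  /* 0: rejected */
    /* Constructed: clear screen, home cursor, then a fake prompt. */
    const unsigned char evil[] = "\x1b[2J\x1b[HTrust this key? (y/N)";
    char out[64];
    size_t n = sanitize_for_terminal(evil, sizeof(evil) - 1, out, sizeof out);
    printf("%zu control bytes neutralised: %s\n", n, out);
    return 0;
}
```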

[–] fubarx@lemmy.world 30 points 15 hours ago* (last edited 7 hours ago) (3 children)

If someone ever invents a time machine, they should travel back in time and dope-slap Dennis Ritchie into NOT making C strings null-terminated.

So many security violations and malware can be traced back to that one decision.

Edit: Curl dude abides: https://daniel.haxx.se/blog/2025/12/29/no-strcpy-either/

[–] onlinepersona@programming.dev 5 points 6 hours ago (1 children)

How should strings be terminated? Should they always be a tuple of length in bytes and data?

[–] sgued@programming.dev 3 points 2 hours ago

Yes, always a tuple.

[–] 30p87@feddit.org 19 points 15 hours ago

You mean, you'd make Dennis actually implement a string type.

[–] just_another_person@lemmy.world 6 points 13 hours ago

You're assuming these were previously unknown, where it's probably more likely they've been found but been exploited by government agencies for a while and just not disclosed.