Critical Vulnerability Information

Vulnerability Title
ttyrec files are not signed after encryption by the osh-encrypt-rsync script

Severity Rating: Moderate (4.4/10)

Affected Versions
Affected Versions: = 3.22.00

Description

Summary:
- Session recording ttyrec files may be processed by the provided osh-encrypt-rsync script, which is used for periodic rotation, encryption, signing, copying, and optionally moving files to remote storage. At runtime, the script correctly rotates and encrypts files, but silently fails to sign them even when signing is requested.

Details:
- When configured to sign files, the script tests the validity of the GPG key and its ability to correctly sign files, but fails to actually sign the files during execution.

Impact:
- Files are not signed, even when signing is intended, thus failing to meet the expectations outlined in the official documentation:
  - Public keys are used to verify signatures and prove non-repudiation and tamper-proof integrity.
- If unauthorized access to ttyrec files is gained, and an attacker has sufficient permissions to modify them and access the public GPG key used for encryption, they can tamper with these files without being easily detected due to the lack of GPG signatures.

CVSS v3 Base Metrics
Attack Vector: Local
Attack Complexity: Low
Required Privileges: High
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

CVE ID
CVE-2025-59339

Weakness
No CWEs

Acknowledgments
Reporter: siv0
Fix Verifier: deathiop
Fix Reviewer: speed47
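
The following added example (not code from this advisory or from the project) audits already-archived files for the condition described under Impact: it classifies GnuPG `--status-fd` output produced during decryption and flags files that decrypt but carry no signature. It assumes the signature is embedded in the encrypted file and that the auditor holds the decryption key; `classify_status`, `audit_files` and the sample fingerprint are constructed names and values.

```sh
#!/bin/sh
# Added example, not project code. Assumption: signatures are embedded in the
# encrypted file, so checking them requires the decryption key.

# classify_status FPR: read GnuPG "--status-fd" lines on stdin, print a verdict.
classify_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]"        { next }
        $2 == "DECRYPTION_OKAY" { dec = 1 }
        $2 == "GOODSIG"         { good = 1 }
        $2 == "VALIDSIG"        { sig = 1; if ($3 == want || $NF == want) ok = 1 }
        $2 == "BADSIG"          { bad = 1 }
        $2 == "ERRSIG"          { err = 1 }
        END {
            if (bad)             print "badsig"        # content was altered
            else if (err)        print "unverifiable"  # e.g. signer key missing
            else if (good && ok) print "signed"        # good signature from FPR
            else if (sig)        print "untrusted"     # signature not good from FPR
            else if (dec)        print "unsigned"      # the case in this advisory
            else                 print "error"         # could not decrypt
        }'
}

# audit_files FPR FILE...: print "verdict<TAB>file" for each archived file.
audit_files() {
    fpr=$1; shift
    for f in "$@"; do
        # fd 3 carries the status lines into the pipe; plaintext is discarded.
        verdict=$(gpg --batch --status-fd 3 --decrypt "$f" 3>&1 >/dev/null 2>&1 \
                  | classify_status "$fpr")
        printf '%s\t%s\n' "$verdict" "$f"
    done
}

# Constructed sample: status output for a file that decrypts but has no signature.
SAMPLE_FPR=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA   # constructed fingerprint
sample_unsigned() {
    printf '%s\n' '[GNUPG:] BEGIN_DECRYPTION' '[GNUPG:] DECRYPTION_OKAY' \
                  '[GNUPG:] END_DECRYPTION'
}
sample_unsigned | classify_status "$SAMPLE_FPR"   # prints "unsigned"
```

Run `audit_files <signer-fingerprint> <files...>` on a host that holds the decryption key. An `unsigned` verdict for a file archived while signing was configured matches the failure described in this advisory.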