Bug 2407255 (CVE-2025-58188)

Summary: CVE-2025-58188 crypto/x509: golang: Panic when validating certificates with DSA public keys in crypto/x509
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abarbaro, abrianik, adistefa, akostadi, akoudelk, alcohan, alebedev, alizardo, amasferr, amctagga, anjoseph, anpicker, ansmith, anthomas, aoconnor, asatyam, bbrownin, bdettelb, bniver, bparees, brainfor, carogers, chfoley, ckandaga, cmah, crizzo, debarshir, dhanak, diagrawa, dmayorov, doconnor, drosa, dschmidt, dsimansk, dymurray, eaguilar, ebaron, eborisov, eglynn, ehelms, erezende, fdeutsch, flucifre, ggainey, ggrzybek, gmeno, gparvin, groman, haoli, hasun, hkataria, ibolton, jajackso, jbalunas, jburrell, jcammara, jcantril, jchui, jeder, jfula, jhe, jjoyce, jkoehler, jlanda, jlledo, jmatthew, jmitchel, jmontleo, jneedle, jolong, jowilson, jprabhak, jpretori, jraez, jschluet, juwatts, kegrant, kingland, koliveir, kshier, ktsao, kverlaen, lball, lbragsta, lchilton, lgamliel, lhh, lphiri, lsharar, lsvaty, lucarval, mabashia, manissin, matzew, mbenjamin, mbocek, mburns, mgarciac, mhackett, mhulan, mnovotny, mrunge, mwringe, nboldt, ngough, nmoumoul, nyancey, oaljalju, ometelka, oramraz, osousa, owatkins, pahickey, pantinor, parichar, pbraun, pcreech, peholase, pgaikwad, pgrist, pjindal, psrna, ptisnovs, pvasanth, rchan, rfreiman, rgodfrey, rhaigner, rjohnson, rojacob, sabiswas, sakbas, sausingh, sdawley, sfeifer, shvarugh, simaishi, slucidi, smallamp, smcdonal, smullick, sostapov, sseago, stcannon, stirabos, swoodman, tasato, teagle, tfister, thason, thavo, tmalecek, tsedmik, tzivkovi, vereddy, veshanka, vimartin, wenshen, whayutin, wtam, xdharmai, yguenane
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A denial of service vector has been discovered in the golang crypto/x509 module. An attacker could craft an intermediate X.509 certificate containing a DSA public key and can crash a remote host with an unauthenticated call to any endpoint that verifies the certificate chain.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2025-11-01 12:13:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2410801, 2410802, 2410803, 2410806, 2410808, 2410810, 2410811, 2410812, 2410813, 2410814, 2410815, 2410816, 2410818, 2410819, 2410821, 2410822, 2410825, 2410831, 2410832, 2410833, 2410834, 2410836, 2410839, 2410840, 2410844, 2410846, 2410850, 2410853, 2410854, 2410855, 2410860, 2410862, 2410863, 2410864, 2410867, 2410868, 2410869, 2410873, 2410875, 2410876, 2410877, 2410878, 2410879, 2410881, 2410884, 2410885, 2410886, 2410887, 2410894, 2410897, 2410898, 2410899, 2410900, 2410902, 2410903, 2411170, 2411171, 2411173, 2411174, 2411176, 2411178, 2411179, 2411180, 2411181, 2411182, 2411183, 2411185, 2411186, 2411191, 2411192, 2411193, 2411194, 2411199, 2411200, 2411201, 2411202, 2411203, 2411204, 2411205, 2411206, 2411207, 2411209, 2411210, 2411211, 2411213, 2411214, 2411215, 2411216, 2411219, 2411220, 2411221, 2411223, 2411224, 2411225, 2411226, 2411228, 2411229, 2411230, 2411231, 2411232, 2411233, 2411235, 2411236, 2411237, 2411238, 2411239, 2411240, 2411241, 2411242, 2411243, 2411244, 2411245, 2411246, 2411247, 2411250, 2411251, 2411252, 2411253, 2411254, 2411255, 2411256, 2411257, 2411258, 2411259, 2411260, 2411261, 2411262, 2411264, 2411265, 2411266, 2411267, 2411268, 2411269, 2411270, 2411271, 2411272, 2411273, 2411274, 2411276, 2411277, 2411278, 2411279, 2411280, 2411281, 2411282, 2411283, 2411284, 2411285, 2411286, 2411287, 2411288, 2411289, 2411291, 2411292, 2411293, 2411294, 2411295, 2411296, 2411300, 2411301, 2411302, 2411303, 2411304, 2411305, 2411306, 2411307, 2411308, 2411309, 2411310, 2411311, 2411312, 2411313, 2411314, 2411315, 2411316, 2411317, 2411318, 2411319, 2411321, 2411323, 2411324, 2411325, 2411326, 2411327, 2411328, 2411329, 2411330, 2411331, 2411332, 2411333, 2411334, 2411335, 2411336, 2411337, 2411338, 2411339, 2411340, 2411341, 2411342, 2411343, 2411350, 2411352, 2411353, 2411354, 2411355, 2411356, 2411358, 2411360, 2411361, 2411362, 2411364, 2411365, 2411366, 2411370, 2411371, 2411372, 2411373, 2411374, 2411380, 2411381, 2411382, 2411383, 2411386, 2411389, 2411391, 2411392, 2411393, 2411394, 2411397, 2411399, 2411400, 2411403, 2411405, 2411407, 2411408, 2411411, 2411414, 2411415, 2411417, 2411418, 2411419, 2411420, 2411421, 2411422, 2411424, 2411425, 2411426, 2411429, 2411432, 2411434, 2411435, 2411436, 2411438, 2411440, 2411441, 2411443, 2411447, 2411448, 2411449, 2411451, 2411456, 2411457, 2411458, 2411462, 2411463, 2411464, 2411465, 2411466, 2411467, 2411468, 2411469, 2411470, 2411471, 2411473, 2411474, 2411475, 2411480, 2411481, 2411484, 2411485, 2411487, 2411489, 2411490, 2411491, 2411494, 2411495, 2411496, 2411499, 2411500, 2411501, 2411502, 2411504, 2411505, 2411506, 2411507, 2411508, 2411510, 2411511, 2411512, 2411513, 2411514, 2411515, 2411516, 2411517, 2411518, 2411519, 2411520, 2411521, 2411523, 2411524, 2411525, 2411526, 2411527, 2411528, 2411529, 2411530, 2411531, 2411532, 2411533, 2411534, 2411535, 2411537, 2411538, 2411539, 2411540, 2411541, 2411542, 2411543, 2411544, 2411545, 2411547, 2411548, 2411549, 2411550, 2411551, 2411552, 2411553, 2411554, 2411555, 2411556, 2411558, 2411559, 2411560, 2411561, 2411562, 2411563, 2411567, 2411568, 2411569, 2411570, 2411571, 2411572, 2411573, 2411574, 2411575, 2411576, 2411577, 2411578, 2411579, 2411580, 2411581, 2411582, 2411583, 2411586, 2411587, 2411588, 2411589, 2411590, 2411591, 2411592, 2411593, 2411594, 2411595, 2411596, 2411597, 2411598, 2411599, 2411600, 2411601, 2411602, 2411604, 2411605, 2411609, 2411611, 2411612, 2411613, 2411614, 2411616, 2411619, 2411620, 2411621, 2411623, 2411624, 2411625, 2411629, 2411630, 2411631, 2411632, 2411638, 2411639, 2411640, 2411643, 2411646, 2411649, 2411652, 2411655, 2411658, 2411660, 2411662, 2411667, 2411668, 2411669, 2411670, 2411672, 2411673, 2411674, 2411675, 2411676, 2411678, 2411679, 2411680, 2411682, 2411685, 2411688, 2411690, 2411692, 2412384, 2412385, 2412388, 2412389, 2412391, 2410798, 2410799, 2410800, 2410804, 2410805, 2410807, 2410809, 2410817, 2410820, 2410823, 2410824, 2410826, 2410827, 2410828, 2410829, 2410830, 2410835, 2410837, 2410838, 2410841, 2410842, 2410843, 2410845, 2410847, 2410848, 2410849, 2410851, 2410852, 2410856, 2410857, 2410858, 2410859, 2410861, 2410865, 2410866, 2410870, 2410871, 2410872, 2410874, 2410880, 2410882, 2410883, 2410888, 2410889, 2410890, 2410891, 2410892, 2410893, 2410895, 2410896, 2410901, 2410904, 2410905, 2410906, 2410907, 2410908, 2410909, 2410910, 2410911, 2410912, 2410913, 2410914, 2410915, 2410916, 2410917, 2410918, 2410919, 2410920, 2410921, 2410922, 2410923, 2410924, 2410925, 2410926, 2410927, 2410928, 2410929, 2410930, 2410931, 2410932, 2410933, 2410934, 2410935, 2410936, 2410937, 2410938, 2410939, 2410940, 2410941, 2410942, 2410943, 2410944, 2410945, 2410946, 2410947, 2410948, 2410949, 2410950, 2410951, 2410952, 2410953, 2410954, 2410955, 2410956, 2410957, 2410958, 2410959, 2410960, 2410961, 2410962, 2410963, 2410964, 2410965, 2410966, 2410967, 2410968, 2410969, 2410970, 2410971, 2410972, 2410973, 2410974, 2410975, 2410976, 2410977, 2410978, 2410979, 2410980, 2410981, 2410982, 2410983, 2410984, 2410985, 2410986, 2410987, 2410988, 2410989, 2410990, 2410991, 2410992, 2410993, 2410994, 2410995, 2410996, 2410997, 2410998, 2410999, 2411000, 2411001, 2411002, 2411003, 2411004, 2411005, 2411006, 2411007, 2411008, 2411009, 2411010, 2411011, 2411012, 2411013, 2411014, 2411015, 2411016, 2411017, 2411018, 2411019, 2411020, 2411021, 2411022, 2411023, 2411024, 2411025, 2411026, 2411027, 2411028, 2411029, 2411030, 2411031, 2411032, 2411033, 2411034, 2411035, 2411036, 2411037, 2411038, 2411039, 2411040, 2411041, 2411042, 2411043, 2411044, 2411045, 2411046, 2411047, 2411048, 2411049, 2411050, 2411051, 2411052, 2411053, 2411054, 2411055, 2411056, 2411057, 2411058, 2411059, 2411060, 2411061, 2411062, 2411063, 2411064, 2411065, 2411066, 2411067, 2411068, 2411069, 2411070, 2411071, 2411072, 2411073, 2411074, 2411075, 2411076, 2411077, 2411078, 2411079, 2411080, 2411081, 2411082, 2411083, 2411084, 2411085, 2411086, 2411087, 2411088, 2411089, 2411090, 2411091, 2411092, 2411093, 2411094, 2411095, 2411096, 2411097, 2411098, 2411099, 2411100, 2411101, 2411102, 2411104, 2411105, 2411106, 2411107, 2411108, 2411109, 2411110, 2411111, 2411112, 2411113, 2411114, 2411115, 2411116, 2411117, 2411118, 2411120, 2411121, 2411122, 2411123, 2411124, 2411125, 2411126, 2411127, 2411128, 2411129, 2411130, 2411131, 2411132, 2411133, 2411134, 2411135, 2411136, 2411137, 2411138, 2411139, 2411140, 2411141, 2411142, 2411143, 2411144, 2411145, 2411146, 2411147, 2411148, 2411149, 2411150, 2411151, 2411152, 2411153, 2411154, 2411155, 2411156, 2411157, 2411158, 2411159, 2411160, 2411161, 2411162, 2411163, 2411164, 2411165, 2411166, 2411167, 2411168, 2411169, 2411172, 2411175, 2411177, 2411184, 2411187, 2411188, 2411189, 2411190, 2411196, 2411197, 2411198, 2411208, 2411212, 2411217, 2411218, 2411222, 2411227, 2411234, 2411249, 2411263, 2411275, 2411290, 2411297, 2411298, 2411299, 2411320, 2411322, 2411344, 2411345, 2411346, 2411347, 2411348, 2411349, 2411351, 2411357, 2411359, 2411363, 2411367, 2411368, 2411369, 2411375, 2411376, 2411377, 2411378, 2411379, 2411384, 2411385, 2411387, 2411388, 2411390, 2411395, 2411396, 2411398, 2411401, 2411402, 2411404, 2411406, 2411409, 2411410, 2411412, 2411413, 2411416, 2411423, 2411427, 2411428, 2411430, 2411431, 2411433, 2411437, 2411439, 2411442, 2411444, 2411445, 2411446, 2411450, 2411452, 2411453, 2411454, 2411455, 2411459, 2411460, 2411461, 2411472, 2411476, 2411477, 2411478, 2411479, 2411482, 2411483, 2411486, 2411488, 2411492, 2411493, 2411497, 2411498, 2411503, 2411509, 2411522, 2411536, 2411546, 2411557, 2411564, 2411565, 2411566, 2411584, 2411585, 2411603, 2411606, 2411607, 2411608, 2411610, 2411615, 2411617, 2411618, 2411622, 2411626, 2411627, 2411628, 2411633, 2411634, 2411635, 2411636, 2411637, 2411641, 2411642, 2411644, 2411645, 2411647, 2411648, 2411650, 2411651, 2411653, 2411654, 2411656, 2411657, 2411659, 2411661, 2411663, 2411664, 2411665, 2411666, 2411671, 2411677, 2411681, 2411683, 2411684, 2411686, 2411687, 2411689, 2411691, 2411693, 2412380, 2412381, 2412382, 2412383, 2412386, 2412387, 2412390    
Bug Blocks:    

Description OSIDB Bzimport 2025-10-29 23:02:04 UTC 
Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.
Comment 1 Daniel Mellado 2025-11-01 12:13:42 UTC 
This CVE does not affect the bpfman package in Fedora.

CVE-2025-58188 is a vulnerability in Go's crypto/x509 package related to DSA public key certificate validation. The Fedora bpfman package does not build, ship, or use any Go code.

Evidence from the spec file (bpfman.spec):

Source0 (line 47): https://github.com/bpfman/bpfman/archive/refs/tags/v0.5.4.tar.gz
- Yes, this source tarball DOES contain Go code (visible in license breakdown line 38: "examples/go-xdp-counter/bpf/xdp_counter.c" and "examples/**/bpf/*.c")
- These are example applications showing how to use bpfman from Go programs
- The tarball also contains clients/gobpfman/ (Go gRPC client library) and go.mod/go.sum

However, NONE of this Go code is built or packaged by the Fedora bpfman RPM:

1. Generated by rust2rpm (line 1) - exclusively Rust packaging
2. BuildRequires (lines 60-70): NO Go toolchain - only cargo-rpm-macros, openssl-devel, zlib, gcc, cmake, clang-devel
3. %build section (line 99): Uses %cargo_build (Rust only)
4. %install section (lines 105-119): Only installs three Rust binaries from ./target/release/:
   - bpfman
   - bpfman-ns
   - bpfman-rpc
5. %files section (lines 130-141): Only packages the three Rust binaries above - no examples/, no clients/, no Go code
Comment 2 Daniel Mellado 2025-11-03 08:29:39 UTC 
Reopening as I only wanted to close it for my component
Comment 3 Debarshi Ray 2025-11-04 15:49:02 UTC 
This is fixed in Go versions 1.25.2:
https://github.com/golang/go/commit/930ce220d052d632f0d84df5850c812a77b70175

... and 1.24.8:
https://github.com/golang/go/commit/f9f198ab05e3282cbf6b13251d47d9141981e401