Bug 2407260 (CVE-2025-58189)

Summary: CVE-2025-58189 crypto/tls: go crypto/tls ALPN negotiation error contains attacker controlled information
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC:
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
The crypto/tls Conn.Handshake method returns an error on the server side when ALPN negotiation fails; that error can contain arbitrary attacker-controlled information provided by the client side of the connection, and it is not escaped. This affects programs that log these errors without any additional form of sanitization, and may allow injection of attacker-controlled information into logs.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2025-10-31 07:45:35 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:    

Description OSIDB Bzimport 2025-10-29 23:02:21 UTC
When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.
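
The logging hazard described above, as an added Go example that is not code from the Go project or from this bug: a sanitizer for server-side handshake errors that escapes control characters before the error reaches a log line, exercised on a constructed sample error. The sample's wording and the remote address are assumptions for illustration, not Go's exact error text.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"unicode"
)

// Constructed sample in the shape of a crypto/tls ALPN failure: the
// client-supplied protocol name embeds a newline followed by a fake log
// record. The exact wording is an assumption, not Go's real message.
var sampleALPNErr = errors.New(
	"tls: client requested unsupported application protocols ([h3\nINFO login ok user=admin])")

// hasLogInjection reports whether s carries any control rune (CR, LF,
// other C0 controls, DEL, ESC) that could split a log record or drive a
// terminal escape sequence when the string is written verbatim.
func hasLogInjection(s string) bool {
	for _, r := range s {
		if unicode.IsControl(r) {
			return true
		}
	}
	return false
}

// safeErr renders an error for logging. strconv.Quote escapes every
// control and non-printable rune in Go syntax, so the record stays on a
// single line and client-sent bytes are shown quoted, not interpreted.
func safeErr(err error) string {
	if err == nil {
		return "<nil>"
	}
	return strconv.Quote(err.Error())
}

// logHandshakeFailure builds the line to emit wherever Conn.Handshake
// errors are logged: remote is server-side data, err is client-influenced.
func logHandshakeFailure(remote string, err error) string {
	return fmt.Sprintf("tls handshake failed remote=%s err=%s", remote, safeErr(err))
}

func main() {
	fmt.Println("unsafe:", sampleALPNErr.Error())
	fmt.Println("safe:  ", logHandshakeFailure("203.0.113.5:4433", sampleALPNErr))
}
```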

Comment 1 Daniel Mellado 2025-10-31 07:45:35 UTC
This package is NOT affected by CVE-2025-58189.

SUMMARY:
========
CVE-2025-58189 affects Go's crypto/tls package. The Fedora bpfman package is 
built entirely from Rust code and does not contain or link against Go's 
crypto/tls package.

The bpfman.spec file clearly shows this is a Rust package:

1. Generated by rust2rpm (Fedora's Rust packaging tool)

2. BuildRequires: cargo-rpm-macros (not golang build tools)

3. Build uses Cargo (Rust's build system):
   - %cargo_prep, %cargo_build, %cargo_test
   - Sources include Rust vendor tarball
   - Binaries installed from ./target/release/ (Rust's output directory)

4. Patches only Rust files (.rs files and Cargo.toml)

5. Packages three Rust-compiled binaries:
   - bpfman, bpfman-ns, bpfman-rpc

NOTE: The upstream repository contains some Go code in examples/ and 
clients/ directories, but these are NOT included in the Fedora RPM package.

CONCLUSION:
===========
Pure Rust package. CVE-2025-58189 does not apply.

Closing as NOTABUG.

Comment 2 Debarshi Ray 2025-11-03 23:14:23 UTC
Did you close this parent tracker bug by mistake?  I think you only meant to close 2408126 and bug 2407847, and hit ETOOMANYTABS.  :)

Comment 4 Daniel Mellado 2025-11-04 06:13:53 UTC
Actually yeah :D let me reopen this, thanks Debarshi xD