Bug 2407260 (CVE-2025-58189) - CVE-2025-58189 crypto/tls: go crypto/tls ALPN negotiation error contains attacker controlled information
Summary: CVE-2025-58189 crypto/tls: go crypto/tls ALPN negotiation error contains atta...
Keywords:
Status: NEW
Alias: CVE-2025-58189
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2407465 2407466 2407467 2407468 2407469 2407470 2407471 2407472 2407473 2407474 2407475 2407476 2407477 2407478 2407479 2407480 2407481 2407482 2407483 2407484 2407485 2407486 2407487 2407488 2407489 2407490 2407491 2407492 2407493 2407494 2407495 2407496 2407497 2407498 2407499 2407500 2407501 2407502 2407504 2407505 2407506 2407507 2407508 2407509 2407510 2407511 2407512 2407513 2407514 2407515 2407516 2407517 2407518 2407519 2407520 2407521 2407524 2407525 2407526 2407527 2407528 2407529 2407530 2407531 2407532 2407533 2407534 2407535 2407536 2407537 2407538 2407539 2407540 2407541 2407542 2407543 2407544 2407545 2407546 2407547 2407548 2407549 2407550 2407551 2407552 2407553 2407554 2407555 2407556 2407557 2407558 2407560 2407561 2407562 2407563 2407564 2407565 2407566 2407567 2407568 2407569 2407572 2407573 2407574 2407575 2407576 2407577 2407578 2407579 2407580 2407581 2407582 2407583 2407584 2407585 2407586 2407587 2407588 2407590 2407591 2407592 2407593 2407594 2407595 2407596 2407597 2407598 2407599 2407600 2407601 2407602 2407603 2407604 2407605 2407606 2407607 2407609 2407611 2407614 2407617 2407618 2407619 2407620 2407621 2407622 2407623 2407624 2407625 2407626 2407627 2407628 2407629 2407630 2407631 2407632 2407633 2407634 2407635 2407636 2407637 2407638 2407639 2407640 2407641 2407642 2407643 2407644 2407645 2407646 2407647 2407648 2407649 2407650 2407651 2407652 2407653 2407654 2407655 2407656 2407657 2407658 2407659 2407660 2407661 2407662 2407663 2407664 2407665 2407666 2407667 2407668 2407669 2407670 2407671 2407673 2407674 2407675 2407676 2407677 2407678 2407679 2407680 2407681 2407682 2407683 2407684 2407685 2407686 2407687 2407688 2407689 2407690 2407691 2407692 2407693 2407694 2407695 2407696 2407697 2407698 2407699 2407700 2407701 2407702 2407703 2407704 2407705 2407706 2407707 2407708 2407709 2407710 2407711 2407712 2407713 2407714 2407715 2407716 2407717 2407718 2407719 2407720 2407721 2407722 2407723 2407724 2407725 2407726 2407727 2407728 2407729 2407730 2407731 2407732 2407734 2407735 2407736 2407737 2407738 2407739 2407740 2407741 2407743 2407744 2407745 2407746 2407747 2407748 2407749 2407750 2407751 2407752 2407753 2407754 2407755 2407756 2407757 2407758 2407759 2407760 2407761 2407762 2407763 2407764 2407765 2407766 2407767 2407768 2407769 2407770 2407771 2407772 2407773 2407774 2407775 2407776 2407777 2407778 2407779 2407780 2407781 2407782 2407783 2407784 2407785 2407786 2407787 2407788 2407789 2407790 2407791 2407792 2407793 2407794 2407795 2407796 2407798 2407799 2407800 2407801 2407802 2407803 2407804 2407805 2407806 2407807 2407808 2407809 2407810 2407811 2407812 2407813 2407814 2407815 2407816 2407817 2407819 2407820 2407821 2407822 2407823 2407824 2407825 2407826 2407827 2407828 2407829 2407831 2407832 2407834 2407836 2407837 2407838 2407840 2407841 2407842 2407843 2407844 2407845 2407846 2407848 2407849 2407850 2407851 2407852 2407853 2407854 2407855 2407856 2407857 2407858 2407860 2407861 2407862 2407863 2407864 2407865 2407866 2407867 2407868 2407869 2407870 2407871 2407872 2407873 2407874 2407875 2407876 2407877 2407878 2407879 2407881 2407882 2407883 2407884 2407885 2407886 2407887 2407888 2407889 2407890 2407891 2407892 2407893 2407894 2407895 2407896 2407897 2407898 2407899 2407900 2407901 2407902 2407903 2407904 2407905 2407906 2407907 2407908 2407909 2407910 2407911 2407912 2407913 2407914 2407915 2407916 2407917 2407918 2407919 2407920 2407921 2407922 2407923 2407924 2407925 2407926 2407927 2407928 2407929 2407930 2407931 2407932 2407933 2407934 2407935 2407936 2407937 2407938 2407939 2407940 2407941 2407942 2407943 2407944 2407945 2407946 2407947 2407948 2407949 2407950 2407951 2407952 2407953 2407954 2407955 2407956 2407957 2407958 2407959 2407960 2407961 2407962 2407963 2407964 2407965 2407966 2407967 2407968 2407969 2407970 2407971 2407972 2407973 2407974 2407975 2407976 2407977 2407978 2407979 2407980 2407981 2407982 2407983 2407984 2407985 2407986 2407987 2407988 2407989 2407990 2407991 2407992 2407993 2407994 2407995 2407996 2407997 2407998 2407999 2408000 2408001 2408002 2408003 2408005 2408007 2408008 2408009 2408010 2408011 2408012 2408013 2408014 2408015 2408016 2408017 2408018 2408019 2408020 2408021 2408022 2408023 2408024 2408025 2408026 2408027 2408028 2408029 2408030 2408031 2408032 2408033 2408034 2408035 2408036 2408037 2408038 2408039 2408040 2408041 2408042 2408043 2408044 2408045 2408046 2408047 2408048 2408049 2408051 2408052 2408053 2408054 2408055 2408056 2408057 2408058 2408059 2408060 2408061 2408062 2408063 2408064 2408065 2408066 2408067 2408068 2408069 2408070 2408071 2408072 2408073 2408074 2408076 2408077 2408078 2408080 2408081 2408082 2408083 2408084 2408085 2408086 2408087 2408088 2408089 2408090 2408092 2408093 2408094 2408095 2408096 2408097 2408098 2408099 2408100 2408101 2408102 2408103 2408105 2408106 2408107 2408109 2408110 2408111 2408114 2408115 2408116 2408117 2408118 2408120 2408121 2408122 2408123 2408124 2408125 2408127 2408128 2408129 2408130 2408131 2408132 2408133 2408134 2408135 2408137 2408138 2408139 2408140 2408141 2408142 2408143 2408144 2408145 2408146 2408147 2408148 2408149 2408150 2408151 2408152 2408153 2408154 2408155 2408156 2408158 2408159 2408160 2408161 2408162 2408163 2408164 2408165 2408166 2408167 2408168 2408169 2408170 2408171 2408172 2408173 2408174 2408175 2408176 2408177 2408180 2408181 2408182 2408183 2408184 2408185 2408186 2408187 2408188 2408189 2408190 2408191 2408192 2408193 2408194 2408195 2408196 2408197 2408198 2408199 2408200 2408201 2408202 2408203 2408204 2408205 2408206 2408207 2408208 2408209 2408210 2408211 2408212 2408213 2408214 2408215 2408216 2408217 2408218 2408219 2408220 2408221 2408222 2408223 2408224 2408225 2408226 2408227 2408228 2408229 2408230 2408231 2408232 2408233 2408234 2408235 2408236 2408238 2408239 2408240 2408241 2408242 2408243 2408244 2408245 2408246 2408247 2408248 2408249 2408250 2408251 2408252 2408253 2408254 2408255 2408256 2408257 2408258 2408259 2408260 2408261 2408262 2408263 2408264 2408265 2408266 2408267 2408268 2408269 2408270 2408271 2408272 2408273 2408274 2408275 2408276 2408277 2408278 2408279 2408280 2408281 2408282 2408283 2408284 2408285 2408286 2408287 2408288 2408289 2408290 2408291 2408292 2408293 2408294 2408295 2408296 2408297 2408298 2408299 2408300 2408301 2408302 2408303 2408304 2408305 2408306 2408307 2408309 2408310 2408311 2408312 2408313 2408314 2408315 2408316 2408317 2408318 2408319 2408320 2408321 2408322 2408323 2408324 2408326 2408327 2408328 2408329 2408331 2408332 2408333 2408334 2408335 2408336 2408337 2408338 2408339 2408340 2408341 2408342 2408343 2408344 2408346 2408348 2408350 2408351 2408352 2408353 2408354 2408355 2408356 2408357 2408358 2408361 2408362 2408363 2408364 2408365 2408367 2408368 2408369 2408371 2408372 2408373 2408374 2408375 2407503 2407522 2407523 2407570 2407571 2407589 2407612 2407818 2407830 2407833 2407835 2407839 2407847 2407859 2407880 2408050 2408075 2408079 2408091 2408104 2408108 2408112 2408119 2408126 2408136 2408157 2408178 2408179 2408237 2408308 2408330 2408345 2408347 2408360 2408366 2408370 2408376
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-10-29 23:02 UTC by OSIDB Bzimport
Modified: 2025-11-04 06:13 UTC (History)
152 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2025-10-31 07:45:35 UTC
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-10-29 23:02:21 UTC 
When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.
Comment 1 Daniel Mellado 2025-10-31 07:45:35 UTC 
This package is NOT affected by CVE-2025-58189.

SUMMARY:
========
CVE-2025-58189 affects Go's crypto/tls package. The Fedora bpfman package is 
built entirely from Rust code and does not contain or link against Go's 
crypto/tls package.

The bpfman.spec file clearly shows this is a Rust package:

1. Generated by rust2rpm (Fedora's Rust packaging tool)

2. BuildRequires: cargo-rpm-macros (not golang build tools)

3. Build uses Cargo (Rust's build system):
   - %cargo_prep, %cargo_build, %cargo_test
   - Sources include Rust vendor tarball
   - Binaries installed from ./target/release/ (Rust's output directory)

4. Patches only Rust files (.rs files and Cargo.toml)

5. Packages three Rust-compiled binaries:
   - bpfman, bpfman-ns, bpfman-rpc

NOTE: The upstream repository contains some Go code in examples/ and 
clients/ directories, but these are NOT included in the Fedora RPM package.

CONCLUSION:
===========
Pure Rust package. CVE-2025-58189 does not apply.

Closing as NOTABUG.
Comment 2 Debarshi Ray 2025-11-03 23:14:23 UTC 
Did you close this parent tracker bug by mistake?  I think you only meant to close 2408126 and bug 2407847, and hit ETOOMANYTABS.  :)
Comment 3 Debarshi Ray 2025-11-03 23:26:46 UTC 
This is fixed in Go versions 1.25.2:
https://github.com/golang/go/commit/205d0865958a6d2342939f62dfeaf47508101976

... and 1.24.8:
https://github.com/golang/go/commit/2e1e356e33b9c792a9643749a7626a1789197bb9
Comment 4 Daniel Mellado 2025-11-04 06:13:53 UTC 
Actually yeah :D let me reopen this, thanks Debarshi xD
Note You need to log in before you can comment on or make changes to this bug.