Backport CVE-2025-26625 fixes

Resolves: RHEL-122423
Ondřej Pohořelský 2025-12-04 09:16:12 +01:00
parent b59cd406d5
commit 502e81b63f
2 changed files with 9629 additions and 2 deletions

File diff suppressed because it is too large

@ -19,7 +19,7 @@ Version: 3.4.1
%global gobuild CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-all" go build -compiler gc -buildmode pie '-tags=rpm_crashtraceback libtrust_openssl ' -ldflags "-linkmode=external -compressdwarf=false ${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**} %global gobuild CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-all" go build -compiler gc -buildmode pie '-tags=rpm_crashtraceback libtrust_openssl ' -ldflags "-linkmode=external -compressdwarf=false ${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**}
Name: git-lfs Name: git-lfs
Release: 5%{?dist} Release: 6%{?dist}
Summary: Git extension for versioning large files Summary: Git extension for versioning large files
License: MIT License: MIT
@ -33,7 +33,13 @@ Source2: gen-manpages.sh
# Backports 268628b, 4423696, 0345b6f and f6904cc that resolves the CVE-2024-53263 # Backports 268628b, 4423696, 0345b6f and f6904cc that resolves the CVE-2024-53263
# Aditionally backports b326b63 # Aditionally backports b326b63
# Commits had to be adapted as git-lfs-3.4.1 doesn't support multistage authentication # Commits had to be adapted as git-lfs-3.4.1 doesn't support multistage authentication
Patch: git-lfs-3.4.1-cve-2024-53263.patch Patch1: git-lfs-3.4.1-cve-2024-53263.patch
# Fixes CVE-2025-26625
# Backports all the commits from:
# https://github.com/git-lfs/git-lfs/compare/v3.7.0...v3.7.1
# And additional commits to support the fix
# Some tests had to be skipped as they require features not present in v3.4.1. and always fail
Patch2: git-lfs-3.4.1-cve-2025-26625.patch
# Generated provides by vendor2provides.py # Generated provides by vendor2provides.py
# https://src.fedoraproject.org/rpms/syncthing/blob/603e4e03a92a7d704d199629dd85304018e8279d/f/vendor2provides.py # https://src.fedoraproject.org/rpms/syncthing/blob/603e4e03a92a7d704d199629dd85304018e8279d/f/vendor2provides.py
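Review bot: Renaming `Patch:` to `Patch1:` changes the number of the existing CVE-2024-53263 patch, and the %prep section is not part of this diff, so confirm that it applies both patches (for instance through %autosetup or %autopatch) and does not still refer to the old patch by its previous number. The comment above `Patch2:` would also be easier to audit if it listed the hashes of the "additional commits to support the fix" and named the tests that are skipped, the way the comment above `Patch1:` lists 268628b, 4423696, 0345b6f and f6904cc.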
@ -175,6 +181,10 @@ PATH=%{buildroot}%{_bindir}:%{gobuilddir}/bin:$PATH \
%changelog %changelog
* Thu Dec 04 2025 Ondřej Pohořelský <opohorel@redhat.com> - 3.4.1-6
- Backport CVE-2025-26625 fixes
- Resolves: RHEL-122423
* Tue Jun 10 2025 Ondřej Pohořelský <opohorel@redhat.com> - 3.4.1-5 * Tue Jun 10 2025 Ondřej Pohořelský <opohorel@redhat.com> - 3.4.1-5
- Rebuild with new Golang - Rebuild with new Golang
- Resolves: RHEL-89264 - Resolves: RHEL-89264