From 5431e924a6fc2420de018a752033193a171f1e53 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Tue, 13 May 2025 14:41:32 +0000
Subject: [PATCH] import UBI git-lfs-3.6.1-1.el9

---
 .git-lfs.metadata | 2 +-
 .gitignore | 2 +-
 SOURCES/git-lfs-3.4.1-cve-2024-53263.patch | 358 ---------------------
 SPECS/git-lfs.spec | 34 +-
 4 files changed, 19 insertions(+), 377 deletions(-)
 delete mode 100644 SOURCES/git-lfs-3.4.1-cve-2024-53263.patch

diff --git a/.git-lfs.metadata b/.git-lfs.metadata
index c49629f..1eae6b2 100644
--- a/.git-lfs.metadata
+++ b/.git-lfs.metadata
@@ -1 +1 @@
-e76897da8f89170b2e23db7723408a7bdd038ee8 SOURCES/git-lfs-v3.4.1.tar.gz
+771dcd1c97f61e93a8f362a7d5082469ac52a3bf SOURCES/git-lfs-v3.6.1.tar.gz
diff --git a/.gitignore b/.gitignore
index 92e0b08..d8e1fcf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/git-lfs-v3.4.1.tar.gz
+SOURCES/git-lfs-v3.6.1.tar.gz
diff --git a/SOURCES/git-lfs-3.4.1-cve-2024-53263.patch b/SOURCES/git-lfs-3.4.1-cve-2024-53263.patch
deleted file mode 100644
index 773e8bb..0000000
--- a/SOURCES/git-lfs-3.4.1-cve-2024-53263.patch
+++ /dev/null
@@ -1,358 +0,0 @@ -diff -urN b/creds/creds.go a/creds/creds.go ---- b/creds/creds.go 2023-12-13 19:56:25.000000000 +0100 -+++ a/creds/creds.go 2025-01-17 08:55:10.175959181 +0100 -@@ -53,11 +53,20 @@ - // as input. - type Creds map[string][]string - --func bufferCreds(c Creds) *bytes.Buffer { -+func (c Creds) buffer(protectProtocol bool) (*bytes.Buffer, error) { - buf := new(bytes.Buffer) - - for k, v := range c { - for _, item := range v { -+ if strings.Contains(item, "\n") { -+ return nil, errors.Errorf(tr.Tr.Get("credential value for %s contains newline: %q", k, item)) -+ } -+ if protectProtocol && strings.Contains(item, "\r") { -+ return nil, errors.Errorf(tr.Tr.Get("credential value for %s contains carriage return: %q\nIf this is intended, set `credential.protectProtocol=false`", k, item)) -+ } -+ if strings.Contains(item, string(rune(0))) { -+ return nil, errors.Errorf(tr.Tr.Get("credential value for %s contains null byte: %q", k, item)) -+ } - buf.Write([]byte(k)) - buf.Write([]byte("=")) - buf.Write([]byte(item)) -@@ -65,7 +74,7 @@ - } - } - -- return buf -+ return buf, nil - } - - type CredentialHelperContext struct { -@@ -153,6 +162,9 @@ - helpers = append(helpers, ctxt.askpassCredHelper) - } - } -+ -+ ctxt.commandCredHelper.protectProtocol = ctxt.urlConfig.Bool("credential", rawurl, "protectProtocol", true) -+ - return CredentialHelperWrapper{CredentialHelper: NewCredentialHelpers(append(helpers, ctxt.commandCredHelper)), Input: input, Url: u} - } - -@@ -292,7 +304,8 @@ - } - - type commandCredentialHelper struct { -- SkipPrompt bool -+ SkipPrompt bool -+ protectProtocol bool - } - - func (h *commandCredentialHelper) Fill(creds Creds) (Creds, error) { -@@ -323,7 +336,10 @@ - if err != nil { - return nil, errors.New(tr.Tr.Get("failed to find `git credential %s`: %v", subcommand, err)) - } -- cmd.Stdin = bufferCreds(input) -+ cmd.Stdin, err = input.buffer(h.protectProtocol) -+ if err != nil { -+ return nil, errors.New(tr.Tr.Get("invalid input to `git 
credential %s`: %v", subcommand, err)) -+ } - cmd.Stdout = output - /* - There is a reason we don't read from stderr here: -diff -urN b/creds/creds_test.go a/creds/creds_test.go ---- b/creds/creds_test.go 2023-12-13 19:56:25.000000000 +0100 -+++ a/creds/creds_test.go 2025-01-17 08:55:21.318023782 +0100 -@@ -1,12 +1,89 @@ - package creds - - import ( -+ "bytes" - "errors" -+ "slices" -+ "strings" - "testing" - - "github.com/stretchr/testify/assert" - ) - -+func assertCredsLinesMatch(t *testing.T, expected []string, buf *bytes.Buffer) { -+ actual := strings.SplitAfter(buf.String(), "\n") -+ -+ slices.Sort(expected) -+ slices.Sort(actual) -+ -+ assert.Equal(t, expected, actual) -+} -+func TestCredsBufferFormat(t *testing.T) { -+ creds := make(Creds) -+ -+ expected := []string{""} -+ -+ buf, err := creds.buffer(true) -+ assert.NoError(t, err) -+ assertCredsLinesMatch(t, expected, buf) -+ -+ creds["protocol"] = []string{"https"} -+ creds["host"] = []string{"example.com"} -+ -+ expected = []string{"host=example.com\n", "protocol=https\n", ""} -+ -+ buf, err = creds.buffer(true) -+ assert.NoError(t, err) -+ assertCredsLinesMatch(t, expected, buf) -+ -+ creds["wwwauth[]"] = []string{"Basic realm=test", "Negotiate"} -+ -+ expected = append(expected, "wwwauth[]=Basic realm=test\n", "wwwauth[]=Negotiate\n") -+ buf, err = creds.buffer(true) -+ assert.NoError(t, err) -+ assertCredsLinesMatch(t, expected, buf) -+} -+ -+func TestCredsBufferProtect(t *testing.T) { -+ creds := make(Creds) -+ -+ // Always disallow LF characters -+ creds["protocol"] = []string{"https"} -+ creds["host"] = []string{"one.example.com\nhost=two.example.com"} -+ -+ buf, err := creds.buffer(false) -+ assert.Error(t, err) -+ assert.Nil(t, buf) -+ -+ buf, err = creds.buffer(true) -+ assert.Error(t, err) -+ assert.Nil(t, buf) -+ -+ // Disallow CR characters unless protocol protection disabled -+ creds["host"] = []string{"one.example.com\rhost=two.example.com"} -+ -+ expected := []string{"", "protocol=https\n", 
"host=one.example.com\rhost=two.example.com\n"} -+ -+ buf, err = creds.buffer(false) -+ assert.NoError(t, err) -+ assertCredsLinesMatch(t, expected, buf) -+ -+ buf, err = creds.buffer(true) -+ assert.Error(t, err) -+ assert.Nil(t, buf) -+ -+ // Always disallow null bytes -+ creds["host"] = []string{"one.example.com\x00host=two.example.com"} -+ -+ buf, err = creds.buffer(false) -+ assert.Error(t, err) -+ assert.Nil(t, buf) -+ -+ buf, err = creds.buffer(true) -+ assert.Error(t, err) -+ assert.Nil(t, buf) -+} -+ - type testCredHelper struct { - fillErr error - approveErr error -diff -urN b/t/cmd/lfstest-gitserver.go a/t/cmd/lfstest-gitserver.go ---- b/t/cmd/lfstest-gitserver.go 2023-12-13 19:56:25.000000000 +0100 -+++ a/t/cmd/lfstest-gitserver.go 2025-01-16 14:33:23.825991696 +0100 -@@ -27,6 +27,7 @@ - "net/http" - "net/http/httptest" - "net/textproto" -+ "net/url" - "os" - "os/exec" - "regexp" -@@ -252,6 +253,7 @@ - } - - func lfsUrl(repo, oid string, redirect bool) string { -+ repo = url.QueryEscape(repo) - if redirect { - return server.URL + "/redirect307/objects/" + oid + "?r=" + repo - } -diff -urN b/t/t-credentials-protect.sh a/t/t-credentials-protect.sh ---- b/t/t-credentials-protect.sh 1970-01-01 01:00:00.000000000 +0100 -+++ a/t/t-credentials-protect.sh 2025-01-16 14:03:23.597029590 +0100 -@@ -0,0 +1,146 @@ -+#!/usr/bin/env bash -+ -+. "$(dirname "$0")/testlib.sh" -+ -+ensure_git_version_isnt $VERSION_LOWER "2.3.0" -+ -+export CREDSDIR="$REMOTEDIR/creds-credentials-protect" -+setup_creds -+ -+# Copy the default record file for the test credential helper to match the -+# hostname used in the Git LFS configurations of the tests. 
-+cp "$CREDSDIR/127.0.0.1" "$CREDSDIR/localhost" -+ -+begin_test "credentials rejected with line feed" -+( -+ set -e -+ -+ reponame="protect-linefeed" -+ setup_remote_repo "$reponame" -+ clone_repo "$reponame" "$reponame" -+ -+ contents="a" -+ contents_oid=$(calc_oid "$contents") -+ -+ git lfs track "*.dat" -+ printf "%s" "$contents" >a.dat -+ git add .gitattributes a.dat -+ git commit -m "add a.dat" -+ -+ # Using localhost instead of 127.0.0.1 in the LFS API URL ensures this URL -+ # is used when filling credentials rather than the Git remote URL, which -+ # would otherwise be used since it would have the same scheme and hostname. -+ gitserver="$(echo "$GITSERVER" | sed 's/127\.0\.0\.1/localhost/')" -+ testreponame="test%0a$reponame" -+ git config lfs.url "$gitserver/$testreponame.git/info/lfs" -+ -+ GIT_TRACE=1 git lfs push origin main 2>&1 | tee push.log -+ if [ "0" -eq "${PIPESTATUS[0]}" ]; then -+ echo >&2 "fatal: expected 'git lfs push' to fail ..." -+ exit 1 -+ fi -+ grep "batch response: Git credentials for $gitserver.* not found" push.log -+ grep "credential value for path contains newline" push.log -+ refute_server_object "$testreponame" "$contents_oid" -+ -+ git config credential.protectProtocol false -+ -+ GIT_TRACE=1 git lfs push origin main 2>&1 | tee push.log -+ if [ "0" -eq "${PIPESTATUS[0]}" ]; then -+ echo >&2 "fatal: expected 'git lfs push' to fail ..." 
-+ exit 1 -+ fi -+ grep "batch response: Git credentials for $gitserver.* not found" push.log -+ grep "credential value for path contains newline" push.log -+ refute_server_object "$testreponame" "$contents_oid" -+) -+end_test -+ -+begin_test "credentials rejected with carriage return" -+( -+ set -e -+ -+ reponame="protect-return" -+ setup_remote_repo "$reponame" -+ clone_repo "$reponame" "$reponame" -+ -+ contents="a" -+ contents_oid=$(calc_oid "$contents") -+ -+ git lfs track "*.dat" -+ printf "%s" "$contents" >a.dat -+ git add .gitattributes a.dat -+ git commit -m "add a.dat" -+ -+ # Using localhost instead of 127.0.0.1 in the LFS API URL ensures this URL -+ # is used when filling credentials rather than the Git remote URL, which -+ # would otherwise be used since it would have the same scheme and hostname. -+ gitserver="$(echo "$GITSERVER" | sed 's/127\.0\.0\.1/localhost/')" -+ testreponame="test%0d$reponame" -+ git config lfs.url "$gitserver/$testreponame.git/info/lfs" -+ -+ GIT_TRACE=1 git lfs push origin main 2>&1 | tee push.log -+ if [ "0" -eq "${PIPESTATUS[0]}" ]; then -+ echo >&2 "fatal: expected 'git lfs push' to fail ..." -+ exit 1 -+ fi -+ grep "batch response: Git credentials for $gitserver.* not found" push.log -+ grep "credential value for path contains carriage return" push.log -+ refute_server_object "$testreponame" "$contents_oid" -+ -+ git config credential.protectProtocol false -+ -+ git lfs push origin main 2>&1 | tee push.log -+ if [ "0" -ne "${PIPESTATUS[0]}" ]; then -+ echo >&2 "fatal: expected 'git lfs push' to succeed ..." 
-+ exit 1 -+ fi -+ [ $(grep -c "Uploading LFS objects: 100% (1/1)" push.log) -eq 1 ] -+ assert_server_object "$testreponame" "$contents_oid" -+) -+end_test -+ -+begin_test "credentials rejected with null byte" -+( -+ set -e -+ -+ reponame="protect-null" -+ setup_remote_repo "$reponame" -+ clone_repo "$reponame" "$reponame" -+ -+ contents="a" -+ contents_oid=$(calc_oid "$contents") -+ -+ git lfs track "*.dat" -+ printf "%s" "$contents" >a.dat -+ git add .gitattributes a.dat -+ git commit -m "add a.dat" -+ -+ # Using localhost instead of 127.0.0.1 in the LFS API URL ensures this URL -+ # is used when filling credentials rather than the Git remote URL, which -+ # would otherwise be used since it would have the same scheme and hostname. -+ gitserver="$(echo "$GITSERVER" | sed 's/127\.0\.0\.1/localhost/')" -+ testreponame="test%00$reponame" -+ git config lfs.url "$gitserver/$testreponame.git/info/lfs" -+ -+ GIT_TRACE=1 git lfs push origin main 2>&1 | tee push.log -+ if [ "0" -eq "${PIPESTATUS[0]}" ]; then -+ echo >&2 "fatal: expected 'git lfs push' to fail ..." -+ exit 1 -+ fi -+ grep "batch response: Git credentials for $gitserver.* not found" push.log -+ grep "credential value for path contains null byte" push.log -+ refute_server_object "$testreponame" "$contents_oid" -+ -+ git config credential.protectProtocol false -+ -+ GIT_TRACE=1 git lfs push origin main 2>&1 | tee push.log -+ if [ "0" -eq "${PIPESTATUS[0]}" ]; then -+ echo >&2 "fatal: expected 'git lfs push' to fail ..." 
-+ exit 1 -+ fi -+ grep "batch response: Git credentials for $gitserver.* not found" push.log -+ grep "credential value for path contains null byte" push.log -+ refute_server_object "$testreponame" "$contents_oid" -+) -+end_test -diff -urN b/t/testhelpers.sh a/t/testhelpers.sh ---- b/t/testhelpers.sh 2023-12-13 19:56:25.000000000 +0100 -+++ a/t/testhelpers.sh 2025-01-16 14:15:19.240279305 +0100 -@@ -557,6 +557,14 @@ - fi - } - -+ -+setup_creds() { -+ mkdir -p "$CREDSDIR" -+ write_creds_file "user:pass" "$CREDSDIR/127.0.0.1" -+ write_creds_file ":pass" "$CREDSDIR/--$certpath" -+ write_creds_file ":pass" "$CREDSDIR/--$keypath" -+} -+ - # setup initializes the clean, isolated environment for integration tests. - setup() { - cd "$ROOTDIR" -@@ -613,10 +621,7 @@ - # setup the git credential password storage - local certpath="$(echo "$LFS_CLIENT_CERT_FILE" | tr / -)" - local keypath="$(echo "$LFS_CLIENT_KEY_FILE_ENCRYPTED" | tr / -)" -- mkdir -p "$CREDSDIR" -- write_creds_file "user:pass" "$CREDSDIR/127.0.0.1" -- write_creds_file ":pass" "$CREDSDIR/--$certpath" -- write_creds_file ":pass" "$CREDSDIR/--$keypath" -+ setup_creds - - echo "#" - echo "# HOME: $HOME" diff --git a/SPECS/git-lfs.spec b/SPECS/git-lfs.spec index dd2a953..f0cdf6a 100644 --- a/SPECS/git-lfs.spec +++ b/SPECS/git-lfs.spec @@ -1,15 +1,15 @@ %bcond_without check # https://github.com/git-lfs/git-lfs -%global goipath github.com/git-lfs/git-lfs -Version: 3.4.1 +%global goipath github.com/git-lfs/git-lfs/v3 +Version: 3.6.1 %gometa %global gobuilddir %{_builddir}/%{name}-%{version}/_build Name: git-lfs -Release: 4%{?dist} +Release: 1%{?dist} Summary: Git extension for versioning large files License: MIT 
@@ -17,11 +17,6 @@ URL: https://git-lfs.github.io/ Source0: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-v%{version}.tar.gz Source1: README.Fedora -# https://github.com/advisories/GHSA-q6r2-x2cc-vrp7 -# Backports 268628b, 4423696, 0345b6f and f6904cc that resolves the CVE-2024-53263 -# Aditionally backports b326b63 -# Commits had to be adapted as git-lfs-3.4.1 doesn't support multistage authentication -Patch: git-lfs-3.4.1-cve-2024-53263.patch # Generated provides by vendor2provides.py # https://src.fedoraproject.org/rpms/syncthing/blob/603e4e03a92a7d704d199629dd85304018e8279d/f/vendor2provides.py 
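Review bot: Dropping the `Patch:` line together with the GHSA-q6r2-x2cc-vrp7 / CVE-2024-53263 comment removes the only mention of that CVE from the spec, and the new 3.6.1-1 and 3.6.0-1 changelog entries in the last hunk do not carry it forward either, while the removed 3.4.1-4 entry did. Package-level CVE tracking is commonly driven by changelog references, so the rebase should state explicitly that the fix now comes from upstream, e.g. add `- Drop git-lfs-3.4.1-cve-2024-53263.patch, fix for CVE-2024-53263 (GHSA-q6r2-x2cc-vrp7) is included upstream` to the 3.6.1-1 entry. This assumes 3.6.1 contains the upstream commits the removed patch comment cites (268628b, 4423696, 0345b6f, f6904cc), which should be confirmed against the 3.6.1 source before the backport is dropped.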
@@ -34,31 +29,32 @@ Provides: bundled(golang(github.com/git-lfs/go-netrc)) = f0c862d Provides: bundled(golang(github.com/git-lfs/pktline)) = 06e9096 Provides: bundled(golang(github.com/git-lfs/wildmatch/v2)) = 2.0.1 Provides: bundled(golang(github.com/hashicorp/go-uuid)) = 1.0.2 -Provides: bundled(golang(github.com/inconshreveable/mousetrap)) = 1.0.1 +Provides: bundled(golang(github.com/inconshreveable/mousetrap)) = 1.1.0 Provides: bundled(golang(github.com/jcmturner/aescts/v2)) = 2.0.0 Provides: bundled(golang(github.com/jcmturner/dnsutils/v2)) = 2.0.0 Provides: bundled(golang(github.com/jcmturner/gofork)) = 1.0.0 Provides: bundled(golang(github.com/jcmturner/goidentity/v6)) = 6.0.1 Provides: bundled(golang(github.com/jcmturner/gokrb5/v8)) = 8.4.2 Provides: bundled(golang(github.com/jcmturner/rpc/v2)) = 2.0.3 +Provides: bundled(golang(github.com/jmhodges/clock)) = 1.2.0 Provides: bundled(golang(github.com/leonelquinteros/gotext)) = 1.5.0 Provides: bundled(golang(github.com/mattn/go-isatty)) = 0.0.4 Provides: bundled(golang(github.com/olekukonko/ts)) = 78ecb04 Provides: bundled(golang(github.com/pkg/errors)) = c605e28 Provides: bundled(golang(github.com/pmezard/go-difflib)) = 1.0.0 Provides: bundled(golang(github.com/rubyist/tracerx)) = 7879593 -Provides: bundled(golang(github.com/spf13/cobra)) = 1.6.0 +Provides: bundled(golang(github.com/spf13/cobra)) = 1.7.0 Provides: bundled(golang(github.com/spf13/pflag)) = 1.0.5 Provides: bundled(golang(github.com/ssgelm/cookiejarparser)) = 1.0.1 Provides: bundled(golang(github.com/stretchr/testify)) = 1.6.1 Provides: bundled(golang(github.com/xeipuuv/gojsonpointer)) = 4e3ac27 Provides: bundled(golang(github.com/xeipuuv/gojsonreference)) = bd5ef7b Provides: bundled(golang(github.com/xeipuuv/gojsonschema)) = 6b67b3f -Provides: bundled(golang(golang.org/x/crypto)) = 7b82a4e -Provides: bundled(golang(golang.org/x/net)) = 0.7.0 +Provides: bundled(golang(golang.org/x/crypto)) = 0.21.0 +Provides: bundled(golang(golang.org/x/net)) = 
0.23.0 Provides: bundled(golang(golang.org/x/sync)) = 0.1.0 -Provides: bundled(golang(golang.org/x/sys)) = 0.5.0 -Provides: bundled(golang(golang.org/x/text)) = 0.7.0 +Provides: bundled(golang(golang.org/x/sys)) = 0.18.0 +Provides: bundled(golang(golang.org/x/text)) = 0.14.0 Provides: bundled(golang(gopkg.in/yaml.v3)) = 3.0.1 @@ -160,9 +156,13 @@ PATH=%{buildroot}%{_bindir}:%{gobuilddir}/bin:$PATH \ %changelog -* Fri Jan 17 2025 Ondřej Pohořelský - 3.4.1-4 -- Backport CVE-2024-53263 fixes -- Resolves: RHEL-73936 +* Wed Jan 15 2025 Ondřej Pohořelský - 3.6.1-1 +- Update to 3.6.1 +- Resolves: RHEL-73940 + +* Thu Nov 28 2024 Ondřej Pohořelský - 3.6.0-1 +- Update to 3.6.0 +- Resolves: RHEL-63968, RHEL-61045, RHEL-47219, RHEL-43318, RHEL-35936, RHEL-2791 * Wed Aug 07 2024 Ondřej Pohořelský - 3.4.1-3 - Make Git-LFS FIPS compliant