import CS git git-lfs-3.4.1-11.el8_10

2026-06-28 23:58:45 -04:00 · 2026-06-28 23:58:45 -04:00 · 7d28d50979
commit 7d28d50979
parent 305da03e0b
2 changed files with 48 additions and 1 deletions
--- a/SOURCES/git-lfs-3.4.1-cve-2026-39821.patch
+++ b/SOURCES/git-lfs-3.4.1-cve-2026-39821.patch
@ -0,0 +1,39 @@
+From adfb8ef6fc0e091b061472cf8e68122be1bbd907 Mon Sep 17 00:00:00 2001
+From: RHEL Packaging Agent <redhat-ymir-agent@redhat.com>
+Date: Fri, 12 Jun 2026 11:09:33 +0000
+Subject: [PATCH] idna: reject xn-- labels that decode to all-ASCII
+
+Add an all-ASCII rejection check in the process method of the IDNA
+package. After Punycode decoding an xn-- label, check if the decoded
+result is pure ASCII. If so, return an A3 error (invalid Punycode label).
+
+This fixes a specification bug in UTS 46 (corrected in revision 33)
+where xn-- labels that decode to all-ASCII were not properly rejected.
+
+The upstream fix in golang/net@8c4c965 guards this check behind a
+unicode16 flag, but since RHEL 8 ships Go 1.21 with Unicode 15.0.0,
+the guard is removed here so the fix is always active.
+
+For golang/go#78760
+CVE: CVE-2026-39821
+---
+ vendor/golang.org/x/net/idna/idna10.0.0.go | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/vendor/golang.org/x/net/idna/idna10.0.0.go b/vendor/golang.org/x/net/idna/idna10.0.0.go
+index 64ccf85..170095d 100644
+--- a/vendor/golang.org/x/net/idna/idna10.0.0.go
+++ b/vendor/golang.org/x/net/idna/idna10.0.0.go
+@@ -371,6 +371,9 @@ func (p *Profile) process(s string, toASCII bool) (string, error) {
+ 				// Spec says keep the old label.
+ 				continue
+ 			}
+			if err == nil && ascii(u) {
+				err = punyError(label[len(acePrefix):])
+			}
+ 			isBidi = isBidi || bidirule.DirectionString(u) != bidi.LeftToRight
+ 			labels.set(u)
+ 			if err == nil && p.fromPuny != nil {
+-- 
+2.52.0
+
--- a/SPECS/git-lfs.spec
+++ b/SPECS/git-lfs.spec
@ -19,7 +19,7 @@ Version:                3.4.1
 %global gobuild CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-all" go build -compiler gc -buildmode pie '-tags=rpm_crashtraceback libtrust_openssl ' -ldflags "-linkmode=external -compressdwarf=false ${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**}

 Name:           git-lfs
-Release:        10%{?dist}
+Release:        11%{?dist}
 Summary:        Git extension for versioning large files

 License:        MIT
@ -40,6 +40,10 @@ Patch1:          git-lfs-3.4.1-cve-2024-53263.patch
 # And additional commits to support the fix
 # Some tests had to be skipped as they require features not present in v3.4.1. and always fail
 Patch2:          git-lfs-3.4.1-cve-2025-26625.patch
+# Fixes CVE-2026-39821
+# Vendored golang.org/x/net idna: reject xn-- labels that decode to all-ASCII
+# https://github.com/golang/net/commit/8c4c965e028475082408749b50ed7a686df0d265
+Patch3:          git-lfs-3.4.1-cve-2026-39821.patch

 # Generated provides by vendor2provides.py
 # https://src.fedoraproject.org/rpms/syncthing/blob/603e4e03a92a7d704d199629dd85304018e8279d/f/vendor2provides.py
@ -181,6 +185,10 @@ PATH=%{buildroot}%{_bindir}:%{gobuilddir}/bin:$PATH \


 %changelog
+* Fri Jun 12 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 3.4.1-11
+- Backport CVE-2026-39821 fix (vendored golang.org/x/net IDNA)
+- Resolves: RHEL-183731
+
 * Mon May 04 2026 RHEL Packaging Agent <jotnar@redhat.com> - 3.4.1-10
 - Rebuild with new Golang
 - Resolves: RHEL-167541, RHEL-167379, RHEL-166518